diff --git a/.gitignore b/.gitignore
index 3bd9c474..bc15f8f5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ misp_modules.egg-info/
docs/expansion*
docs/import_mod*
docs/export_mod*
+docs/action_mod*
site*
#pycharm env
diff --git a/README.md b/README.md
index 7b347926..eb323c62 100644
--- a/README.md
+++ b/README.md
@@ -12,131 +12,167 @@ without modifying core components. The API is available via a simple REST API wh
For more information: [Extending MISP with Python modules](https://www.misp-project.org/misp-training/3.1-misp-modules.pdf) slides from [MISP training](https://github.com/MISP/misp-training).
-## Existing MISP modules
+# Existing MISP modules
-### Expansion modules
-* [apiosintDS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py) - a hover and expansion module to query the [OSINT.digitalside.it](https://osint.digitalside.it) API. [Documentation](https://apiosintds.readthedocs.io/en/latest/userguidemisp.html).
-* [API Void](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py) - an expansion and hover module to query API Void with a domain attribute.
-* [AssemblyLine submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py) - an expansion module to submit samples and urls to AssemblyLine.
-* [AssemblyLine query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py) - an expansion module to query AssemblyLine and parse the full submission report.
-* [Backscatter.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py) - a hover and expansion module to expand an IP address with mass-scanning observations.
-* [BGP Ranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
-* [RansomcoinDB check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py) - An expansion hover module to query the [ransomcoinDB](https://ransomcoindb.concinnity-risks.com): it contains mapping between BTC addresses and malware hashes. Enrich MISP by querying for BTC -> hash or hash -> BTC addresses.
-* [BTC scam check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused.
-* [BTC transactions](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
-* [Censys-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py) - An expansion and module to retrieve information from censys.io about a particular IP or certificate.
-* [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
-* [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificates seen.
-* [countrycode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
-* [CrowdSec](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py) - a hover module to expand using CrowdSec's CTI API.
-* [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
-* [CPE](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE Search API with a cpe code, to get its related vulnerabilities.
-* [CVE](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
-* [CVE advanced](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
-* [Cuckoo submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py) - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.
-* [Cytomic Orion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py) - An expansion module to enrich attributes in MISP and share indicators of compromise with Cytomic Orion.
-* [DBL Spamhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py) - a hover module to check Spamhaus DBL for a domain name.
-* [DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
-* [docx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py) - an enrichment module to get text out of Word document into MISP (using free-text parser).
-* [DomainTools](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois.
-* [EQL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/)
-* [EUPI](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
-* [Farsight DNSDB Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
-* [GeoIP](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind.
-* [GeoIP_City](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py) - a hover and expansion module to get GeoIP City information from geolite/maxmind.
-* [GeoIP_ASN](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py) - a hover and expansion module to get GeoIP ASN information from geolite/maxmind.
-* [Google Threat Intelligence] (https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) - An expansion module to have the observable's threat score assessed by Google Threat Intelligence.
-* [GreyNoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) - a hover and expansion module to get IP and CVE information from GreyNoise.
-* [hashdd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) - a hover module to check file hashes against [hashdd.com](http://www.hashdd.com) including NSLR dataset.
-* [Hashlookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py) - An expansion module to enrich a file hash with hashlookup.circl.lu services (NSRL and other sources)
-* [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) - a hover module to lookup against Have I Been Pwned?
-* [html_to_markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py) - Simple HTML to markdown converter
-* [HYAS Insight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py) - a hover and expansion module to get information from [HYAS Insight](https://www.hyas.com/hyas-insight).
-* [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) - an expansion module to get info from [Intel471](https://intel471.com).
-* [IP2Location.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py) - an expansion module to get additional information on an IP address using the IP2Location.io API
-* [IPASN](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
-* [ipinfo.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py) - an expansion module to get additional information on an IP address using the ipinfo.io API
-* [iprep](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py) - an expansion module to get IP reputation from packetmail.net.
-* [Joe Sandbox submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py) - Submit files and URLs to Joe Sandbox.
-* [Joe Sandbox query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox with the link of an analysis and get the parsed data.
-* [Lastline submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) - Submit files and URLs to Lastline.
-* [Lastline query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) - Query Lastline with the link to an analysis and parse the report.
-* [macaddress.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module).
-* [macvendors](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information.
-* [MALWAREbazaar](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py) - an expansion module to query MALWAREbazaar with some payload.
-* [McAfee MVISION Insights](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mcafee_insights_enrich.py) - an expansion module enrich IOCs with McAfee MVISION Insights.
-* [Mmdb server lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py) - an expansion module to enrich an ip with geolocation information from an mmdb server such as ip.circl.lu.
-* [ocr-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py) - an enrichment module to get OCRized data from images into MISP.
-* [ods-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py) - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).
-* [odt-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py) - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).
-* [onyphe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py) - a modules to process queries on Onyphe.
-* [onyphe_full](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py) - a modules to process full queries on Onyphe.
-* [OTX](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py) - an expansion module for [OTX](https://otx.alienvault.com/).
-* [passivetotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
-* [pdf-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py) - an enrichment module to extract text from PDF into MISP (using free-text parser).
-* [pptx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py) - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser).
-* [qrcode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py) - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values.
-* [rbl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py) - a module to get RBL (Real-Time Blackhost List) values from an attribute.
-* [recordedfuture](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py) - a hover and expansion module for enriching MISP attributes with threat intelligence from Recorded Future.
-* [reversedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
-* [securitytrails](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py) - an expansion module for [securitytrails](https://securitytrails.com/).
-* [shodan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module.
-* [Sigma queries](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py) - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.
-* [Sigma syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py) - Sigma syntax validator.
-* [Socialscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py) - a hover module to check if an email address or a username is used on different online platforms, using the [socialscan](https://github.com/iojw/socialscan) python library
-* [SophosLabs Intelix](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py) - SophosLabs Intelix is an API for Threat Intelligence and Analysis (free tier available). [SophosLabs](https://aws.amazon.com/marketplace/pp/B07SLZPMCS)
-* [sourcecache](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance.
-* [stairwell](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py) - an expansion module to enrich hash observables with the Stairwell API
-* [STIX2 pattern syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax.
-* [ThreatCrowd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/).
-* [threatminer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py) - an expansion module to expand from [ThreatMiner](https://www.threatminer.org/).
-* [TruSTAR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py) - an expansion module to enrich MISP data with [TruSTAR](https://www.trustar.co/).
-* [urlhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
-* [urlscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io).
-* [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py) - an expansion module to query the [VARIoT db](https://www.variotdbs.pl) API to get more information about a Vulnerability
-* [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://docs.virustotal.com/reference/overview))
-* [virustotal_public](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://docs.virustotal.com/reference/overview))
-* [VMray](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray.
-* [VMware NSX](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py) - a module to enrich a file or URL with VMware NSX Defender.
-* [VulnDB](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py) - a module to query [VulnDB](https://www.riskbasedsecurity.com/).
-* [Vulners](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py) - an expansion module to expand information about CVEs using Vulners API.
-* [Vysion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py) - an expansion module to add dark web intelligence using Vysion API.
-* [whois](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py) - a module to query a local instance of [uwhois](https://github.com/rafiot/uwhoisd).
-* [whoisfreaks](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py) - An expansion module for [whoisfreaks](https://whoisfreaks.com/) that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
-* [wikidata](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py) - a [wikidata](https://www.wikidata.org) expansion module.
-* [xforce](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py) - an IBM X-Force Exchange expansion module.
-* [xlsx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py) - an enrichment module to get text out of an Excel document into MISP (using free-text parser).
-* [YARA query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py) - a module to create YARA rules from single hash attributes.
-* [YARA syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py) - YARA syntax validator.
+## Expansion Modules
+* [Abuse IPDB](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/abuseipdb.py) - AbuseIPDB MISP expansion module
+* [OSINT DigitalSide](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py) - On demand query API for OSINT.digitalside.it project.
+* [APIVoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py) - Module to query APIVoid with some domain attributes.
+* [AssemblyLine Query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py) - A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.
+* [AssemblyLine Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py) - A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.
+* [Backscatter.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py) - Backscatter.io module to bring mass-scanning observations into MISP.
+* [BGP Ranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py) - Query BGP Ranking to get the ranking of an Autonomous System number.
+* [BTC Scam Check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.
+* [BTC Steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance from a BTC address in MISP.
+* [Censys Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py) - An expansion module to enrich attributes in MISP by quering the censys.io API
+* [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py) - Module to access CIRCL Passive DNS.
+* [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py) - Modules to access CIRCL Passive SSL.
+* [ClaamAV](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/clamav.py) - Submit file to ClamAV
+* [Cluster25 Expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cluster25_expand.py) - Module to query Cluster25 CTI.
+* [Country Code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py) - Module to expand country codes.
+* [CPE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
+* [CrowdSec CTI](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py) - Hover module to lookup an IP in CrowdSec's CTI
+* [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py) - Module to query CrowdStrike Falcon.
+* [Cuckoo Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py) - Submit files and URLs to Cuckoo Sandbox
+* [CVE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py) - An expansion hover module to expand information about CVE id.
+* [CVE Advanced Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
+* [Cytomic Orion Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py) - An expansion module to enrich attributes in MISP by quering the Cytomic Orion API
+* [DBL Spamhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py) - Checks Spamhaus DBL for a domain name.
+* [DNS Resolver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py) - jj
+* [DOCX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py) - Module to extract freetext from a .docx document.
+* [DomainTools Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py) - DomainTools MISP expansion module.
+* [EQL Query Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py) - EQL query generation for a MISP attribute.
+* [EUPI Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py) - A module to query the Phishing Initiative service (https://phishing-initiative.lu).
+* [URL Components Extractor](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/extract_url_components.py) - Extract URL components
+* [Farsight DNSDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) - Module to access Farsight DNSDB Passive DNS.
+* [GeoIP ASN Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py) - Query a local copy of the Maxmind Geolite ASN database (MMDB format)
+* [GeoIP City Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py) - An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.
+* [GeoIP Country Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) - Query a local copy of Maxminds Geolite database, updated for MMDB format
+* [Google Safe Browsing Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_safe_browsing.py) - Google safe browsing expansion module
+* [Google Search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py) - An expansion hover module to expand google search information about an URL
+* [Google Threat Intelligence Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) - An expansion module to have the observable's threat score assessed by Google Threat Intelligence.
+* [GreyNoise Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) - Module to query IP and CVE information from GreyNoise
+* [Hashdd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) - A hover module to check hashes against hashdd.com including NSLR dataset.
+* [CIRCL Hashlookup Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py) - An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.
+* [Have I Been Pwned Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) - Module to access haveibeenpwned.com API.
+* [HTML to Markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py) - Expansion module to fetch the html content from an url and convert it into markdown.
+* [HYAS Insight Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py) - HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
+* [Intel471 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) - Module to access Intel 471
+* [IP2Location.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py) - An expansion module to query IP2Location.io to gather more information on a given IP address.
+* [IPASN-History Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py) - Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).
+* [IPInfo.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py) - An expansion module to query ipinfo.io to gather more information on a given IP address.
+* [IPQualityScore Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py) - IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner.
+* [IPRep Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py) - Module to query IPRep data for IP addresses.
+* [Ninja Template Rendering](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/jinja_template_rendering.py) - Render the template with the data passed
+* [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.
+* [Joe Sandbox Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py) - A module to submit files or URLs to Joe Sandbox for an advanced analysis, and return the link of the submission.
+* [Lastline Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
-### Export modules
+Query Lastline with an analysis link and parse the report into MISP attributes and objects.
+* [Lastline Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
-* [CEF](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py) - module to export Common Event Format (CEF).
-* [Cisco FireSight Manager ACL rule](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) - module to export as rule for the Cisco FireSight manager ACL.
-* [GoAML export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py) - module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html).
-* [Lite Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py) - module to export a lite event.
-* [PDF export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py) - module to export an event in PDF.
-* [Mass EQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py) - module to export applicable attributes from an event to a mass EQL query.
-* [Nexthink query format](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py) - module to export in Nexthink query format.
-* [osquery](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py) - module to export in [osquery](https://osquery.io/) query format.
-* [ThreatConnect](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py) - module to export in ThreatConnect CSV format.
-* [ThreatStream](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py) - module to export in ThreatStream format.
-* [VirusTotal Graph](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py) - Module to create a VirusTotal graph out of an event.
+Module to submit a file or URL to Lastline.
+* [Macaddress.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py) - MISP hover module for macaddress.io
+* [Macvendors Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py) - Module to access Macvendors API.
+* [Malware Bazaar Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py) - Query Malware Bazaar to get additional information about the input hash.
+* [McAfee MVISION Insights Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mcafee_insights_enrich.py) - Lookup McAfee MVISION Insights Details
+* [GeoIP Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py) - A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu.
+* [MWDB Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py) - Module to push malware samples to a MWDB instance
+* [OCR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py) - Module to process some optical character recognition on pictures.
+* [ODS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py) - Module to extract freetext from a .ods document.
+* [ODT Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py) - Module to extract freetext from a .odt document.
+* [Onyphe Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py) - Module to process a query on Onyphe.
+* [Onyphe Full Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py) - Module to process a full query on Onyphe.
+* [AlienVault OTX Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py) - Module to get information from AlienVault OTX.
+* [Passive SSH Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passive_ssh.py) - An expansion module to enrich, SSH key fingerprints and IP addresses with information collected by passive-ssh
+* [PassiveTotal Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py) - The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register
+* [PDF Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py) - Module to extract freetext from a PDF document.
+* [PPTX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py) - Module to extract freetext from a .pptx document.
+* [Qintel QSentry Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py) - A hover and expansion module which queries Qintel QSentry for ip reputation data
+* [QR Code Decode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py) - Module to decode QR codes.
+* [RandomcoinDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
+* [Real-time Blackhost Lists Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py) - Module to check an IPv4 address against known RBLs.
+* [Recorded Future Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py) - Module to enrich attributes with threat intelligence from Recorded Future.
+* [Reverse DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
+* [SecurityTrails Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py) - An expansion modules for SecurityTrails.
+* [Shodan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py) - Module to query on Shodan.
+* [Sigma Rule Converter](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py) - An expansion hover module to display the result of sigma queries.
+* [Sigma Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py) - An expansion hover module to perform a syntax check on sigma rules.
+* [SigMF Expansion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigmf_expand.py) - Expands a SigMF Recording object into a SigMF Expanded Recording object, extracts a SigMF archive into a SigMF Recording object.
+* [Socialscan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py) - A hover module to get information on the availability of an email address or username on some online platforms.
+* [SophosLabs Intelix Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py) - An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.
+* [URL Archiver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py) - Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.
+* [Stairwell Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py) - Module to query the Stairwell API to get additional information about the input hash attribute
+* [STIX2 Pattern Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - An expansion hover module to perform a syntax check on stix2 patterns.
+* [ThreatCrowd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py) - Module to get information from ThreatCrowd.
+* [ThreadFox Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatfox.py) - Module to search for an IOC on ThreatFox by abuse.ch.
+* [ThreatMiner Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py) - Module to get information from ThreatMiner.
+* [TruSTAR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py) - Module to get enrich indicators with TruSTAR.
+* [URLhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py) - Query of the URLhaus API to get additional information about the input attribute.
+* [URLScan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py) - An expansion module to query urlscan.io.
+* [VARIoT db Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py) - An expansion module to query the VARIoT db API for more information about a vulnerability.
+* [VirusTotal v3 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) - Enrich observables with the VirusTotal v3 API
+* [VirusTotal Public API Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py) - Enrich observables with the VirusTotal v3 public API
+* [VMRay Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py) - Module to submit a sample to VMRay.
+* [VMware NSX Defender Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py) - Module to enrich a file or URL with VMware NSX Defender.
+* [VulnDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py) - Module to query VulnDB (RiskBasedSecurity.com).
+* [Vulnerability Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py) - An expansion module to query Vulnerability Lookup
+* [Vulners Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py) - An expansion hover module to expand information about CVE id using Vulners API.
+* [Vysion Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py) - Module to enrich the information by making use of the Vysion API.
+* [Whois Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py) - Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
+* [WhoisFreaks Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py) - An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
+* [Wikidata Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py) - An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.
+* [IBM X-Force Exchange Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py) - An expansion module for IBM X-Force Exchange.
+* [XLXS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py) - Module to extract freetext from a .xlsx document.
+* [YARA Rule Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py) - jj
+* [YARA Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py) - An expansion hover module to perform a syntax check on if yara rules are valid or not.
+* [Yeti Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py) - Module to process a query on Yeti.
-### Import modules
+## Export Modules
+* [CEF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py) - Module to export a MISP event in CEF format.
+* [Cisco fireSIGHT blockrule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) - Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.
+* [Microsoft Defender for Endpoint KQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py) - Defender for Endpoint KQL hunting query export module
+* [GoAML Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py) - This module is used to export MISP events containing transaction objects into GoAML format.
+* [Lite Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py) - Lite export of a MISP event.
+* [EQL Query Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py) - Export MISP event in Event Query Language
+* [Nexthink NXQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py) - Nexthink NXQL query export module
+* [OSQuery Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py) - OSQuery export of a MISP event.
+* [Event to PDF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py) - Simple export of a MISP event to PDF.
+* [ThreatStream Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py) - Module to export a structured CSV file for uploading to threatStream.
+* [ThreadConnect Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py) - Module to export a structured CSV file for uploading to ThreatConnect.
+* [VirusTotal Collections Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py) - Creates a VT Collection from an event iocs.
+* [VirusTotal Graph Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py) - This module is used to create a VirusTotal Graph from a MISP event.
+* [YARA Rule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/yara_export.py) - This module is used to export MISP events to YARA.
-* [CSV import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py) - Customizable CSV import module.
-* [Cuckoo JSON](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py) - Cuckoo JSON import.
-* [Email Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py) - Email import module for MISP to import basic metadata.
-* [GoAML import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py) - Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format.
-* [Joe Sandbox import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) - Parse data from a Joe Sandbox json report.
-* [Lastline import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) - Module to import Lastline analysis reports.
-* [OCR](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py) - Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
-* [OpenIOC](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py) - OpenIOC import based on PyMISP library.
-* [ThreatAnalyzer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
-* [VMRay](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
+## Import Modules
+* [PDNS COF Importer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py) - Passive DNS Common Output Format (COF) MISP importer
+* [CSV Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py) - Module to import MISP attributes from a csv file.
+* [Cuckoo Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py) - Module to import Cuckoo JSON.
+* [Email Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py) - Email import module for MISP
+* [GoAML Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py) - Module to import MISP objects about financial transactions from GoAML files.
+* [Import Blueprint](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/import_blueprint.py) - Generic blueprint to be copy-pasted to quickly boostrap creation of import module.
+* [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) - A module to import data from a Joe Sandbox analysis json report.
+* [Lastline Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
-## How to install and start MISP modules in a Python virtualenv? (recommended)
+Module to import and parse reports from Lastline analysis links.
+* [MISP JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py) - Module to import MISP JSON format for merging MISP events.
+* [OCR Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py) - Optical Character Recognition (OCR) module for MISP.
+* [OpenIOC Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py) - Module to import OpenIOC packages.
+* [TAXII 2.1 Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/taxii21.py) - Import content from a TAXII 2.1 server
+* [ThreadAnalyzer Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py) - Module to import ThreatAnalyzer archive.zip / analysis.json files.
+* [URL Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/url_import.py) - Simple URL import tool with Faup
+* [VMRay API Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py) - Module to import VMRay (VTI) results.
+* [VMRay Summary JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_summary_json_import.py) - Import a VMRay Summary JSON report.
+
+## Action Modules
+* [Mattermost](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/mattermost.py) - Simplistic module to send message to a Mattermost channel.
+* [Slack](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/slack.py) - Simplistic module to send messages to a Slack channel.
+* [Test action](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/testaction.py) - This module is merely a test, always returning true. Triggers on event publishing.
+
+
+# Installation
+
+## How to install and start MISP modules (in a Python virtualenv)? (recommended)
***Be sure to run the latest version of `pip`***. To install the latest version of pip, `pip install --upgrade pip` will do the job.
@@ -336,7 +372,7 @@ ls -1|while read line; do sudo pip3 install --force-reinstall --ignore-installed
~~~
Next you can follow standard install procedure.
-## How to add your own MISP modules?
+# How to add your own MISP modules?
Create your module in [misp_modules/modules/expansion/](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/), [misp_modules/modules/export_mod/](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/), or [misp_modules/modules/import_mod/](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/). The module should have at minimum three functions:
@@ -647,11 +683,27 @@ Recommended Plugin.Import_ocr_enabled true Enable or disable the ocr
In this same menu set any other plugin settings that are required for testing.
+## Install misp-module on an offline instance.
+First, you need to grab all necessary packages for example like this :
+
+Use pip wheel to create an archive
+~~~
+mkdir misp-modules-offline
+pip3 wheel -r REQUIREMENTS shodan --wheel-dir=./misp-modules-offline
+tar -cjvf misp-module-bundeled.tar.bz2 ./misp-modules-offline/*
+~~~
+On offline machine :
+~~~
+mkdir misp-modules-bundle
+tar xvf misp-module-bundeled.tar.bz2 -C misp-modules-bundle
+cd misp-modules-bundle
+ls -1|while read line; do sudo pip3 install --force-reinstall --ignore-installed --upgrade --no-index --no-deps ${line};done
+~~~
+Next you can follow standard install procedure.
## How to contribute your own module?
Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.
-For further information please see [Contribute](contribute/).
## Tips for developers creating modules
diff --git a/docs/contribute.md b/docs/contribute.md
index ef312f6a..3d39596a 100644
--- a/docs/contribute.md
+++ b/docs/contribute.md
@@ -1,6 +1,6 @@
## How to add your own MISP modules?
-Create your module in [misp_modules/modules/expansion/](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/), [misp_modules/modules/export_mod/](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/), or [misp_modules/modules/import_mod/](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/). The module should have at minimum three functions:
+Create your module in [misp_modules/modules/expansion/](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/), [misp_modules/modules/export_mod/](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/), or [misp_modules/modules/import_mod/](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/). The module should have at minimum three functions:
* **introspection** function that returns a dict of the supported attributes (input and output) by your expansion module.
* **handler** function which accepts a JSON document to expand the values and return a dictionary of the expanded values.
@@ -309,22 +309,27 @@ Recommended Plugin.Import_ocr_enabled true Enable or disable the ocr
In this same menu set any other plugin settings that are required for testing.
+## Install misp-module on an offline instance.
+First, you need to grab all necessary packages for example like this :
+Use pip wheel to create an archive
+~~~
+mkdir misp-modules-offline
+pip3 wheel -r REQUIREMENTS shodan --wheel-dir=./misp-modules-offline
+tar -cjvf misp-module-bundeled.tar.bz2 ./misp-modules-offline/*
+~~~
+On offline machine :
+~~~
+mkdir misp-modules-bundle
+tar xvf misp-module-bundeled.tar.bz2 -C misp-modules-bundle
+cd misp-modules-bundle
+ls -1|while read line; do sudo pip3 install --force-reinstall --ignore-installed --upgrade --no-index --no-deps ${line};done
+~~~
+Next you can follow standard install procedure.
-## Documentation
+## How to contribute your own module?
-In order to provide documentation about some modules that require specific input / output / configuration, the [doc](https://github.com/MISP/misp-modules/tree/master/doc) directory contains detailed information about the general purpose, requirements, features, input and output of each of these modules:
-
-- ***description** - quick description of the general purpose of the module, as the one given by the moduleinfo
-- **requirements** - special libraries needed to make the module work
-- **features** - description of the way to use the module, with the required MISP features to make the module give the intended result
-- **references** - link(s) giving additional information about the format concerned in the module
-- **input** - description of the format of data used in input
-- **output** - description of the format given as the result of the module execution
-
-In addition to the module documentation please add your module to [docs/index.md](https://github.com/MISP/misp-modules/tree/master/docs/index.md).
-
-There are also [complementary slides](https://www.misp-project.org/misp-training/3.1-misp-modules.pdf) for the creation of MISP modules.
+Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.
## Tips for developers creating modules
@@ -334,7 +339,7 @@ Download a pre-built virtual image from the [MISP training materials](https://ww
- Create a Host-Only adapter in VirtualBox
- Set your Misp OVA to that Host-Only adapter
- Start the virtual machine
-- Get the IP address of the virutal machine
+- Get the IP address of the virtual machine
- SSH into the machine (Login info on training page)
- Go into the misp-modules directory
@@ -352,16 +357,18 @@ sudo git checkout MyModBranch
Remove the contents of the build directory and re-install misp-modules.
-~~~python
+~~~bash
sudo rm -fr build/*
-sudo pip3 install --upgrade .
+sudo -u www-data /var/www/MISP/venv/bin/pip install --upgrade .
~~~
SSH in with a different terminal and run `misp-modules` with debugging enabled.
-~~~python
-sudo killall misp-modules
-misp-modules -d
+~~~bash
+# In case misp-modules is not a service do:
+# sudo killall misp-modules
+sudo systemctl disable --now misp-modules
+sudo -u www-data /var/www/MISP/venv/bin/misp-modules -d
~~~
@@ -372,3 +379,17 @@ cd tests/
curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @MY_TEST_FILE.json -X POST
cd ../
~~~
+
+## Documentation
+
+In order to provide documentation about some modules that require specific input / output / configuration, the [index.md](docs/index.md) file within the [docs](docs) directory contains detailed information about the general purpose, requirements, features, input and ouput of each of these modules:
+
+- ***description** - quick description of the general purpose of the module, as the one given by the moduleinfo
+- **requirements** - special libraries needed to make the module work
+- **features** - description of the way to use the module, with the required MISP features to make the module give the intended result
+- **references** - link(s) giving additional information about the format concerned in the module
+- **input** - description of the format of data used in input
+- **output** - description of the format given as the result of the module execution
+
+## Licenses
+For further Information see also the [license file](license/).
diff --git a/docs/index.md b/docs/index.md
index 5e21e39a..b48f6655 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,113 +1,173 @@
# Home
-[](https://travis-ci.org/MISP/misp-modules)
-[](https://coveralls.io/github/MISP/misp-modules?branch=master)
+[](https://github.com/MISP/misp-modules/actions/workflows/python-package.yml)[](https://coveralls.io/github/MISP/misp-modules?branch=main)
[](https://codecov.io/gh/MISP/misp-modules)
-[](https://app.fossa.io/projects/git%2Bgithub.com%2FMISP%2Fmisp-modules?ref=badge_shield)
-MISP modules are autonomous modules that can be used for expansion and other services in [MISP](https://github.com/MISP/MISP).
+MISP modules are autonomous modules that can be used to extend [MISP](https://github.com/MISP/MISP) for new services such as expansion, import, export and workflow action.
+
+MISP modules can be also installed and used without MISP as a [standalone tool accessible via a convenient web interface](./website).
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities
-without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.
-
-MISP modules support is included in MISP starting from version `2.4.28`.
-
-For more information: [Extending MISP with Python modules](https://www.circl.lu/assets/files/misp-training/switch2016/2-misp-modules.pdf) slides from MISP training.
+without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration and can be used with other tools.
+For more information: [Extending MISP with Python modules](https://www.misp-project.org/misp-training/3.1-misp-modules.pdf) slides from [MISP training](https://github.com/MISP/misp-training).
## Existing MISP modules
-### Expansion modules
+### Expansion Modules
+* [Abuse IPDB](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/abuseipdb.py) - AbuseIPDB MISP expansion module
+* [OSINT DigitalSide](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py) - On demand query API for OSINT.digitalside.it project.
+* [APIVoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py) - Module to query APIVoid with some domain attributes.
+* [AssemblyLine Query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py) - A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.
+* [AssemblyLine Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py) - A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.
+* [Backscatter.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py) - Backscatter.io module to bring mass-scanning observations into MISP.
+* [BGP Ranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py) - Query BGP Ranking to get the ranking of an Autonomous System number.
+* [BTC Scam Check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.
+* [BTC Steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance from a BTC address in MISP.
+* [Censys Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py) - An expansion module to enrich attributes in MISP by quering the censys.io API
+* [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py) - Module to access CIRCL Passive DNS.
+* [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py) - Modules to access CIRCL Passive SSL.
+* [ClaamAV](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/clamav.py) - Submit file to ClamAV
+* [Cluster25 Expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cluster25_expand.py) - Module to query Cluster25 CTI.
+* [Country Code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py) - Module to expand country codes.
+* [CPE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
+* [CrowdSec CTI](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py) - Hover module to lookup an IP in CrowdSec's CTI
+* [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py) - Module to query CrowdStrike Falcon.
+* [Cuckoo Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py) - Submit files and URLs to Cuckoo Sandbox
+* [CVE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py) - An expansion hover module to expand information about CVE id.
+* [CVE Advanced Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
+* [Cytomic Orion Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py) - An expansion module to enrich attributes in MISP by quering the Cytomic Orion API
+* [DBL Spamhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py) - Checks Spamhaus DBL for a domain name.
+* [DNS Resolver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py) - jj
+* [DOCX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py) - Module to extract freetext from a .docx document.
+* [DomainTools Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py) - DomainTools MISP expansion module.
+* [EQL Query Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py) - EQL query generation for a MISP attribute.
+* [EUPI Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py) - A module to query the Phishing Initiative service (https://phishing-initiative.lu).
+* [URL Components Extractor](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/extract_url_components.py) - Extract URL components
+* [Farsight DNSDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) - Module to access Farsight DNSDB Passive DNS.
+* [GeoIP ASN Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py) - Query a local copy of the Maxmind Geolite ASN database (MMDB format)
+* [GeoIP City Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py) - An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.
+* [GeoIP Country Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) - Query a local copy of Maxminds Geolite database, updated for MMDB format
+* [Google Safe Browsing Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_safe_browsing.py) - Google safe browsing expansion module
+* [Google Search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py) - An expansion hover module to expand google search information about an URL
+* [Google Threat Intelligence Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) - An expansion module to have the observable's threat score assessed by Google Threat Intelligence.
+* [GreyNoise Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) - Module to query IP and CVE information from GreyNoise
+* [Hashdd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) - A hover module to check hashes against hashdd.com including NSLR dataset.
+* [CIRCL Hashlookup Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py) - An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.
+* [Have I Been Pwned Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) - Module to access haveibeenpwned.com API.
+* [HTML to Markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py) - Expansion module to fetch the html content from an url and convert it into markdown.
+* [HYAS Insight Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py) - HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
+* [Intel471 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) - Module to access Intel 471
+* [IP2Location.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py) - An expansion module to query IP2Location.io to gather more information on a given IP address.
+* [IPASN-History Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py) - Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).
+* [IPInfo.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py) - An expansion module to query ipinfo.io to gather more information on a given IP address.
+* [IPQualityScore Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py) - IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner.
+* [IPRep Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py) - Module to query IPRep data for IP addresses.
+* [Ninja Template Rendering](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/jinja_template_rendering.py) - Render the template with the data passed
+* [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.
+* [Joe Sandbox Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py) - A module to submit files or URLs to Joe Sandbox for an advanced analysis, and return the link of the submission.
+* [Lastline Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
-* [Backscatter.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py) - a hover and expansion module to expand an IP address with mass-scanning observations.
-* [BGP Ranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
-* [BTC scam check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused.
-* [BTC transactions](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
-* [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
-* [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
-* [countrycode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
-* [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
-* [CVE](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
-* [CVE advanced](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
-* [Cuckoo submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py) - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.
-* [DBL Spamhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py) - a hover module to check Spamhaus DBL for a domain name.
-* [DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
-* [docx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx-enrich.py) - an enrichment module to get text out of Word document into MISP (using free-text parser).
-* [DomainTools](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois.
-* [EUPI](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
-* [EQL](misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/)
-* [Farsight DNSDB Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
-* [GeoIP](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind.
-* [Google Threat Intelligence](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) - An expansion module to have the observable's threat score assessed by Google Threat Intelligence.
-* [Greynoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise.
-* [hashdd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) - a hover module to check file hashes against [hashdd.com](http://www.hashdd.com) including NSLR dataset.
-* [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) - a hover module to lookup against Have I Been Pwned?
-* [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) - an expansion module to get info from [Intel471](https://intel471.com).
-* [IPASN](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
-* [iprep](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py) - an expansion module to get IP reputation from packetmail.net.
-* [Joe Sandbox submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py) - Submit files and URLs to Joe Sandbox.
-* [Joe Sandbox query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox with the link of an analysis and get the parsed data.
-* [macaddress.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module).
-* [macvendors](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information.
-* [ocr-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr-enrich.py) - an enrichment module to get OCRized data from images into MISP.
-* [ods-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods-enrich.py) - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).
-* [odt-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt-enrich.py) - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).
-* [onyphe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py) - a modules to process queries on Onyphe.
-* [onyphe_full](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py) - a modules to process full queries on Onyphe.
-* [OTX](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py) - an expansion module for [OTX](https://otx.alienvault.com/).
-* [passivetotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
-* [pdf-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf-enrich.py) - an enrichment module to extract text from PDF into MISP (using free-text parser).
-* [pptx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx-enrich.py) - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser).
-* [qrcode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py) - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values.
-* [rbl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py) - a module to get RBL (Real-Time Blackhost List) values from an attribute.
-* [reversedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
-* [securitytrails](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py) - an expansion module for [securitytrails](https://securitytrails.com/).
-* [shodan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module.
-* [Sigma queries](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py) - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.
-* [Sigma syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py) - Sigma syntax validator.
-* [sourcecache](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance.
-* [STIX2 pattern syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax.
-* [ThreatCrowd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/).
-* [threatminer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py) - an expansion module to expand from [ThreatMiner](https://www.threatminer.org/).
-* [urlhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
-* [urlscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io).
-* [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://docs.virustotal.com/reference/overview))
-* [virustotal_public](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://docs.virustotal.com/reference/overview))
-* [VMray](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray.
-* [VulnDB](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py) - a module to query [VulnDB](https://www.riskbasedsecurity.com/).
-* [Vulners](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py) - an expansion module to expand information about CVEs using Vulners API.
-* [Vysion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py) - an expansion module to add dark web intelligence using Vysion API.
-* [whois](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py) - a module to query a local instance of [uwhois](https://github.com/rafiot/uwhoisd).
-* [wikidata](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py) - a [wikidata](https://www.wikidata.org) expansion module.
-* [xforce](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py) - an IBM X-Force Exchange expansion module.
-* [xlsx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx-enrich.py) - an enrichment module to get text out of an Excel document into MISP (using free-text parser).
-* [YARA query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py) - a module to create YARA rules from single hash attributes.
-* [YARA syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py) - YARA syntax validator.
+Query Lastline with an analysis link and parse the report into MISP attributes and objects.
+* [Lastline Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
-### Export modules
+Module to submit a file or URL to Lastline.
+* [Macaddress.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py) - MISP hover module for macaddress.io
+* [Macvendors Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py) - Module to access Macvendors API.
+* [Malware Bazaar Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py) - Query Malware Bazaar to get additional information about the input hash.
+* [McAfee MVISION Insights Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mcafee_insights_enrich.py) - Lookup McAfee MVISION Insights Details
+* [GeoIP Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py) - A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu.
+* [MWDB Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py) - Module to push malware samples to a MWDB instance
+* [OCR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py) - Module to process some optical character recognition on pictures.
+* [ODS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py) - Module to extract freetext from a .ods document.
+* [ODT Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py) - Module to extract freetext from a .odt document.
+* [Onyphe Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py) - Module to process a query on Onyphe.
+* [Onyphe Full Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py) - Module to process a full query on Onyphe.
+* [AlienVault OTX Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py) - Module to get information from AlienVault OTX.
+* [Passive SSH Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passive_ssh.py) - An expansion module to enrich, SSH key fingerprints and IP addresses with information collected by passive-ssh
+* [PassiveTotal Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py) - The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register
+* [PDF Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py) - Module to extract freetext from a PDF document.
+* [PPTX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py) - Module to extract freetext from a .pptx document.
+* [Qintel QSentry Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py) - A hover and expansion module which queries Qintel QSentry for ip reputation data
+* [QR Code Decode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py) - Module to decode QR codes.
+* [RandomcoinDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
+* [Real-time Blackhost Lists Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py) - Module to check an IPv4 address against known RBLs.
+* [Recorded Future Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py) - Module to enrich attributes with threat intelligence from Recorded Future.
+* [Reverse DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
+* [SecurityTrails Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py) - An expansion modules for SecurityTrails.
+* [Shodan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py) - Module to query on Shodan.
+* [Sigma Rule Converter](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py) - An expansion hover module to display the result of sigma queries.
+* [Sigma Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py) - An expansion hover module to perform a syntax check on sigma rules.
+* [SigMF Expansion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigmf_expand.py) - Expands a SigMF Recording object into a SigMF Expanded Recording object, extracts a SigMF archive into a SigMF Recording object.
+* [Socialscan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py) - A hover module to get information on the availability of an email address or username on some online platforms.
+* [SophosLabs Intelix Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py) - An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.
+* [URL Archiver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py) - Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.
+* [Stairwell Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py) - Module to query the Stairwell API to get additional information about the input hash attribute
+* [STIX2 Pattern Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - An expansion hover module to perform a syntax check on stix2 patterns.
+* [ThreatCrowd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py) - Module to get information from ThreatCrowd.
+* [ThreadFox Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatfox.py) - Module to search for an IOC on ThreatFox by abuse.ch.
+* [ThreatMiner Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py) - Module to get information from ThreatMiner.
+* [TruSTAR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py) - Module to get enrich indicators with TruSTAR.
+* [URLhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py) - Query of the URLhaus API to get additional information about the input attribute.
+* [URLScan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py) - An expansion module to query urlscan.io.
+* [VARIoT db Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py) - An expansion module to query the VARIoT db API for more information about a vulnerability.
+* [VirusTotal v3 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) - Enrich observables with the VirusTotal v3 API
+* [VirusTotal Public API Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py) - Enrich observables with the VirusTotal v3 public API
+* [VMRay Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py) - Module to submit a sample to VMRay.
+* [VMware NSX Defender Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py) - Module to enrich a file or URL with VMware NSX Defender.
+* [VulnDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py) - Module to query VulnDB (RiskBasedSecurity.com).
+* [Vulnerability Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py) - An expansion module to query Vulnerability Lookup
+* [Vulners Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py) - An expansion hover module to expand information about CVE id using Vulners API.
+* [Vysion Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py) - Module to enrich the information by making use of the Vysion API.
+* [Whois Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py) - Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
+* [WhoisFreaks Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py) - An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
+* [Wikidata Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py) - An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.
+* [IBM X-Force Exchange Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py) - An expansion module for IBM X-Force Exchange.
+* [XLXS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py) - Module to extract freetext from a .xlsx document.
+* [YARA Rule Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py) - jj
+* [YARA Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py) - An expansion hover module to perform a syntax check on if yara rules are valid or not.
+* [Yeti Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py) - Module to process a query on Yeti.
-* [CEF](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py) module to export Common Event Format (CEF).
-* [Cisco FireSight Manager ACL rule](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) module to export as rule for the Cisco FireSight manager ACL.
-* [GoAML export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py) module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html).
-* [Lite Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py) module to export a lite event.
-* [Mass EQL Export](misp_modules/modules/export_mod/mass_eql_export.py) module to export applicable attributes from an event to a mass EQL query.
-* [PDF export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py) module to export an event in PDF.
-* [Nexthink query format](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py) module to export in Nexthink query format.
-* [osquery](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py) module to export in [osquery](https://osquery.io/) query format.
-* [ThreatConnect](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py) module to export in ThreatConnect CSV format.
-* [ThreatStream](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py) module to export in ThreatStream format.
+### Export Modules
+* [CEF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py) - Module to export a MISP event in CEF format.
+* [Cisco fireSIGHT blockrule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) - Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.
+* [Microsoft Defender for Endpoint KQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py) - Defender for Endpoint KQL hunting query export module
+* [GoAML Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py) - This module is used to export MISP events containing transaction objects into GoAML format.
+* [Lite Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py) - Lite export of a MISP event.
+* [EQL Query Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py) - Export MISP event in Event Query Language
+* [Nexthink NXQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py) - Nexthink NXQL query export module
+* [OSQuery Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py) - OSQuery export of a MISP event.
+* [Event to PDF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py) - Simple export of a MISP event to PDF.
+* [ThreatStream Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py) - Module to export a structured CSV file for uploading to threatStream.
+* [ThreadConnect Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py) - Module to export a structured CSV file for uploading to ThreatConnect.
+* [VirusTotal Collections Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py) - Creates a VT Collection from an event iocs.
+* [VirusTotal Graph Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py) - This module is used to create a VirusTotal Graph from a MISP event.
+* [YARA Rule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/yara_export.py) - This module is used to export MISP events to YARA.
-### Import modules
+### Import Modules
+* [PDNS COF Importer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py) - Passive DNS Common Output Format (COF) MISP importer
+* [CSV Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py) - Module to import MISP attributes from a csv file.
+* [Cuckoo Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py) - Module to import Cuckoo JSON.
+* [Email Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py) - Email import module for MISP
+* [GoAML Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py) - Module to import MISP objects about financial transactions from GoAML files.
+* [Import Blueprint](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/import_blueprint.py) - Generic blueprint to be copy-pasted to quickly boostrap creation of import module.
+* [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) - A module to import data from a Joe Sandbox analysis json report.
+* [Lastline Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
-* [CSV import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py) Customizable CSV import module.
-* [Cuckoo JSON](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py) Cuckoo JSON import.
-* [Email Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py) Email import module for MISP to import basic metadata.
-* [GoAML import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py) Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format.
-* [Joe Sandbox import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) Parse data from a Joe Sandbox json report.
-* [OCR](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
-* [OpenIOC](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py) OpenIOC import based on PyMISP library.
-* [ThreatAnalyzer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
-* [VMRay](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
+Module to import and parse reports from Lastline analysis links.
+* [MISP JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py) - Module to import MISP JSON format for merging MISP events.
+* [OCR Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py) - Optical Character Recognition (OCR) module for MISP.
+* [OpenIOC Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py) - Module to import OpenIOC packages.
+* [TAXII 2.1 Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/taxii21.py) - Import content from a TAXII 2.1 server
+* [ThreadAnalyzer Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py) - Module to import ThreatAnalyzer archive.zip / analysis.json files.
+* [URL Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/url_import.py) - Simple URL import tool with Faup
+* [VMRay API Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py) - Module to import VMRay (VTI) results.
+* [VMRay Summary JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_summary_json_import.py) - Import a VMRay Summary JSON report.
+
+### Action Modules
+* [Mattermost](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/mattermost.py) - Simplistic module to send message to a Mattermost channel.
+* [Slack](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/slack.py) - Simplistic module to send messages to a Slack channel.
+* [Test action](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/testaction.py) - This module is merely a test, always returning true. Triggers on event publishing.
## How to contribute your own module?
@@ -117,6 +177,4 @@ For further information please see [Contribute](contribute/).
## Licenses
-[](https://app.fossa.io/projects/git%2Bgithub.com%2FMISP%2Fmisp-modules?ref=badge_large)
-
For further Information see also the [license file](license/).
diff --git a/docs/install.md b/docs/install.md
index 3eed0f49..1e72666d 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -1,9 +1,13 @@
-## How to install and start MISP modules (in a Python virtualenv)?
+## How to install and start MISP modules (in a Python virtualenv)? (recommended)
+
+***Be sure to run the latest version of `pip`***. To install the latest version of pip, `pip install --upgrade pip` will do the job.
~~~~bash
SUDO_WWW="sudo -u www-data"
sudo apt-get install -y \
+ python3-dev \
+ python3-pip \
git \
libpq5 \
libjpeg-dev \
@@ -15,9 +19,10 @@ sudo apt-get install -y \
libzbar0 \
libzbar-dev \
libfuzzy-dev \
- libcaca-dev
+ libcaca-dev \
+ build-essential
-# BEGIN with virtualenv:
+# BEGIN with virtualenv:
$SUDO_WWW virtualenv -p python3 /var/www/MISP/venv
# END with virtualenv
@@ -45,12 +50,12 @@ sudo ldconfig
cd ../../misp-modules
-# BEGIN with virtualenv:
+# BEGIN with virtualenv:
$SUDO_WWW /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS
$SUDO_WWW /var/www/MISP/venv/bin/pip install .
# END with virtualenv
-# BEGIN without virtualenv:
+# BEGIN without virtualenv:
sudo pip install -I -r REQUIREMENTS
sudo pip install .
# END without virtualenv
@@ -59,16 +64,18 @@ sudo pip install .
sudo cp etc/systemd/system/misp-modules.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now misp-modules
-/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
+sudo service misp-modules start # or
+/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & # to start the modules manually
~~~~
## How to install and start MISP modules on RHEL-based distributions ?
-As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the SCL repository.
+As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository.
~~~~bash
SUDO_WWW="sudo -u apache"
sudo yum install \
+ rh-python36 \
rh-ruby22 \
openjpeg-devel \
rubygem-rouge \
@@ -80,8 +87,8 @@ sudo yum install \
poppler-cpp-devel \
python-devel \
redhat-rpm-config
-cd /usr/local/src/
-sudo git clone https://github.com/MISP/misp-modules.git
+cd /var/www/MISP
+$SUDO_WWW git clone https://github.com/MISP/misp-modules.git
cd misp-modules
$SUDO_WWW /usr/bin/scl enable rh-python36 "virtualenv -p python3 /var/www/MISP/venv"
$SUDO_WWW /var/www/MISP/venv/bin/pip install -U -I -r REQUIREMENTS
@@ -99,7 +106,7 @@ After=misp-workers.service
Type=simple
User=apache
Group=apache
-ExecStart=/usr/bin/scl enable rh-python36 rh-ruby22 '/var/www/MISP/venv/bin/misp-modules –l 127.0.0.1 –s'
+ExecStart=/usr/bin/scl enable rh-python36 rh-ruby22 '/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s'
Restart=always
RestartSec=10
@@ -107,8 +114,8 @@ RestartSec=10
WantedBy=multi-user.target" | sudo tee /etc/systemd/system/misp-modules.service
~~~~
-The After=misp-workers.service must be changed or removed if you have not created a misp-workers service. Then, enable the misp-modules service and start it:
-
+The `After=misp-workers.service` must be changed or removed if you have not created a misp-workers service.
+Then, enable the misp-modules service and start it:
~~~~bash
systemctl daemon-reload
systemctl enable --now misp-modules
@@ -147,20 +154,20 @@ services:
misp-modules:
# https://hub.docker.com/r/dcso/misp-dockerized-misp-modules
image: dcso/misp-dockerized-misp-modules:3
-
+
# Local image:
#image: misp-modules
#build:
# context: docker/
-
+
environment:
# Redis
REDIS_BACKEND: misp-redis
REDIS_PORT: "6379"
REDIS_DATABASE: "245"
# System PROXY (OPTIONAL)
- http_proxy:
- https_proxy:
+ http_proxy:
+ https_proxy:
no_proxy: 0.0.0.0
# Timezone (OPTIONAL)
TZ: Europe/Berlin
diff --git a/documentation/README.md b/documentation/README.md
index 77c598dd..9ed86f69 100644
--- a/documentation/README.md
+++ b/documentation/README.md
@@ -2,7 +2,19 @@
## Expansion Modules
-#### [apiosintds](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py)
+#### [Abuse IPDB](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/abuseipdb.py)
+
+AbuseIPDB MISP expansion module
+- **features**:
+>
+- **config**:
+> - api_key
+> - max_age_in_days
+> - abuse_threshold
+
+-----
+
+#### [OSINT DigitalSide](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py)
On demand query API for OSINT.digitalside.it project.
- **features**:
@@ -11,6 +23,13 @@ On demand query API for OSINT.digitalside.it project.
>The result of the query is then parsed to extract additional hashes or urls. A module parameters also allows to parse the hashes related to the urls.
>
>Furthermore, it is possible to cache the urls and hashes collected over the last 7 days by OSINT.digitalside.it
+- **config**:
+> - STIX2_details
+> - import_related
+> - cache
+> - cache_directory
+> - cache_timeout_h
+> - local_directory
- **input**:
>A domain, ip, url or hash attribute.
- **output**:
@@ -22,7 +41,7 @@ On demand query API for OSINT.digitalside.it project.
-----
-#### [apivoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py)
+#### [APIVoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py)
@@ -31,6 +50,8 @@ Module to query APIVoid with some domain attributes.
>This module takes a domain name and queries API Void to get the related DNS records and the SSL certificates. It returns then those pieces of data as MISP objects that can be added to the event.
>
>To make it work, a valid API key and enough credits to proceed 2 queries (0.06 + 0.07 credits) are required.
+- **config**:
+>apikey
- **input**:
>A domain attribute.
- **output**:
@@ -42,7 +63,7 @@ Module to query APIVoid with some domain attributes.
-----
-#### [assemblyline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py)
+#### [AssemblyLine Query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py)
@@ -53,6 +74,12 @@ A module tu query the AssemblyLine API with a submission ID to get the submissio
>The submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.
>
>Some more data may be parsed in the future.
+- **config**:
+> - apiurl
+> - user_id
+> - apikey
+> - password
+> - verifyssl
- **input**:
>Link of an AssemblyLine submission report.
- **output**:
@@ -64,7 +91,7 @@ A module tu query the AssemblyLine API with a submission ID to get the submissio
-----
-#### [assemblyline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py)
+#### [AssemblyLine Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py)
@@ -73,6 +100,12 @@ A module to submit samples and URLs to AssemblyLine for advanced analysis, and r
>The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.
>
>If the sample or url is correctly submitted, you get then the link of the submission.
+- **config**:
+> - apiurl
+> - user_id
+> - apikey
+> - password
+> - verifyssl
- **input**:
>Sample, or url to submit to AssemblyLine.
- **output**:
@@ -84,13 +117,15 @@ A module to submit samples and URLs to AssemblyLine for advanced analysis, and r
-----
-#### [backscatter_io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py)
+#### [Backscatter.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py)
-Query backscatter.io (https://backscatter.io/).
+Backscatter.io module to bring mass-scanning observations into MISP.
- **features**:
>The module takes a source or destination IP address as input and displays the information known by backscatter.io.
+- **config**:
+>api_key
- **input**:
>IP addresses.
- **output**:
@@ -102,9 +137,9 @@ Query backscatter.io (https://backscatter.io/).
-----
-#### [bgpranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py)
+#### [BGP Ranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py)
-Query BGP Ranking (https://bgpranking-ng.circl.lu/).
+Query BGP Ranking to get the ranking of an Autonomous System number.
- **features**:
>The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.
- **input**:
@@ -118,7 +153,7 @@ Query BGP Ranking (https://bgpranking-ng.circl.lu/).
-----
-#### [btc_scam_check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py)
+#### [BTC Scam Check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py)
@@ -136,11 +171,13 @@ An expansion hover module to query a special dns blacklist to check if a bitcoin
-----
-#### [btc_steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py)
+#### [BTC Steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py)
An expansion hover module to get a blockchain balance from a BTC address in MISP.
+- **features**:
+>
- **input**:
>btc address attribute.
- **output**:
@@ -148,11 +185,14 @@ An expansion hover module to get a blockchain balance from a BTC address in MISP
-----
-#### [censys_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py)
+#### [Censys Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py)
An expansion module to enrich attributes in MISP by quering the censys.io API
- **features**:
>This module takes an IP, hostname or a certificate fingerprint and attempts to enrich it by querying the Censys API.
+- **config**:
+> - api_id
+> - api_secret
- **input**:
>IP, domain or certificate fingerprint (md5, sha1 or sha256)
- **output**:
@@ -164,7 +204,7 @@ An expansion module to enrich attributes in MISP by quering the censys.io API
-----
-#### [circl_passivedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py)
+#### [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py)
@@ -173,6 +213,9 @@ Module to access CIRCL Passive DNS.
>This module takes a hostname, domain or ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive DNS REST API to get the asssociated passive dns entries and return them as MISP objects.
>
>To make it work a username and a password are thus required to authenticate to the CIRCL Passive DNS API.
+- **config**:
+> - username
+> - password
- **input**:
>Hostname, domain, or ip-address attribute.
- **ouput**:
@@ -186,7 +229,7 @@ Module to access CIRCL Passive DNS.
-----
-#### [circl_passivessl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py)
+#### [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py)
@@ -195,6 +238,9 @@ Modules to access CIRCL Passive SSL.
>This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive SSL REST API to gather the related certificates and return the corresponding MISP objects.
>
>To make it work a username and a password are required to authenticate to the CIRCL Passive SSL API.
+- **config**:
+> - username
+> - password
- **input**:
>IP address attribute.
- **output**:
@@ -207,7 +253,17 @@ Modules to access CIRCL Passive SSL.
-----
-#### [cluster25_expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cluster25_expand.py)
+#### [ClaamAV](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/clamav.py)
+
+Submit file to ClamAV
+- **features**:
+>
+- **config**:
+>connection
+
+-----
+
+#### [Cluster25 Expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cluster25_expand.py)
@@ -215,6 +271,10 @@ Module to query Cluster25 CTI.
- **features**:
>This module takes a MISP attribute value as input to query the Cluster25CTI API. The result is then mapped into compatible MISP Objects and relative attributes.
>
+- **config**:
+> - api_id
+> - apikey
+> - base_url
- **input**:
>An Indicator value of type included in the following list:
>- domain
@@ -240,7 +300,7 @@ Module to query Cluster25 CTI.
-----
-#### [countrycode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py)
+#### [Country Code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py)
Module to expand country codes.
- **features**:
@@ -254,7 +314,7 @@ Module to expand country codes.
-----
-#### [cpe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py)
+#### [CPE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py)
@@ -266,6 +326,9 @@ An expansion module to query the CVE search API with a cpe code to get its relat
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.
>
>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one.
+- **config**:
+> - custom_API_URL
+> - limit
- **input**:
>CPE attribute.
- **output**:
@@ -275,13 +338,15 @@ An expansion module to query the CVE search API with a cpe code to get its relat
-----
-#### [crowdsec](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py)
+#### [CrowdSec CTI](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py)
Hover module to lookup an IP in CrowdSec's CTI
- **features**:
>This module enables IP lookup from CrowdSec CTI API. It provides information about the IP, such as what kind of attacks it has been participant of as seen by CrowdSec's network. It also includes enrichment by CrowdSec like background noise score, aggressivity over time etc.
+- **config**:
+>api_key
- **input**:
>An IP address.
- **output**:
@@ -295,15 +360,18 @@ Hover module to lookup an IP in CrowdSec's CTI
-----
-#### [crowdstrike_falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py)
+#### [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py)
-Module to query Crowdstrike Falcon.
+Module to query CrowdStrike Falcon.
- **features**:
>This module takes a MISP attribute as input to query a CrowdStrike Falcon API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.
>
>Please note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported.
+- **config**:
+> - api_id
+> - apikey
- **input**:
>A MISP attribute included in the following list:
>- domain
@@ -349,14 +417,17 @@ Module to query Crowdstrike Falcon.
-----
-#### [cuckoo_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py)
+#### [Cuckoo Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py)
-An expansion module to submit files and URLs to Cuckoo Sandbox.
+Submit files and URLs to Cuckoo Sandbox
- **features**:
>The module takes a malware-sample, attachment, url or domain and submits it to Cuckoo Sandbox.
> The returned task id can be used to retrieve results when the analysis completed.
+- **config**:
+> - api_url
+> - api_key
- **input**:
>A malware-sample or attachment for files. A url or domain for URLs.
- **output**:
@@ -369,13 +440,15 @@ An expansion module to submit files and URLs to Cuckoo Sandbox.
-----
-#### [cve](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py)
+#### [CVE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py)
An expansion hover module to expand information about CVE id.
- **features**:
>The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs.
+- **config**:
+>custom_API
- **input**:
>Vulnerability attribute.
- **output**:
@@ -386,7 +459,7 @@ An expansion hover module to expand information about CVE id.
-----
-#### [cve_advanced](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py)
+#### [CVE Advanced Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py)
@@ -397,6 +470,8 @@ An expansion module to query the CIRCL CVE search API for more information about
>The result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.
>
>The vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects.
+- **config**:
+>custom_API
- **input**:
>Vulnerability attribute.
- **output**:
@@ -407,13 +482,28 @@ An expansion module to query the CIRCL CVE search API for more information about
-----
-#### [cytomic_orion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py)
+#### [Cytomic Orion Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py)
An expansion module to enrich attributes in MISP by quering the Cytomic Orion API
- **features**:
>This module takes an MD5 hash and searches for occurrences of this hash in the Cytomic Orion database. Returns observed files and machines.
+- **config**:
+> - api_url
+> - token_url
+> - clientid
+> - clientsecret
+> - clientsecret
+> - username
+> - password
+> - upload_timeframe
+> - upload_tag
+> - delete_tag
+> - upload_ttlDays
+> - upload_threat_level_id
+> - limit_upload_events
+> - limit_upload_attributes
- **input**:
>MD5, hash of the sample / malware to search for.
- **output**:
@@ -426,11 +516,11 @@ An expansion module to enrich attributes in MISP by quering the Cytomic Orion AP
-----
-#### [dbl_spamhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py)
+#### [DBL Spamhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py)
-Module to check Spamhaus DBL for a domain name.
+Checks Spamhaus DBL for a domain name.
- **features**:
>This modules takes a domain or a hostname in input and queries the Domain Block List provided by Spamhaus to determine what kind of domain it is.
>
@@ -448,15 +538,17 @@ Module to check Spamhaus DBL for a domain name.
-----
-#### [dns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py)
+#### [DNS Resolver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py)
-A simple DNS expansion service to resolve IP address from domain MISP attributes.
+jj
- **features**:
>The module takes a domain of hostname attribute as input, and tries to resolve it. If no error is encountered, the IP address that resolves the domain is returned, otherwise the origin of the error is displayed.
>
>The address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).
>
>Please note that composite MISP attributes containing domain or hostname are supported as well.
+- **config**:
+>nameserver
- **input**:
>Domain or hostname attribute.
- **output**:
@@ -466,7 +558,7 @@ A simple DNS expansion service to resolve IP address from domain MISP attributes
-----
-#### [docx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py)
+#### [DOCX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py)
@@ -482,7 +574,7 @@ Module to extract freetext from a .docx document.
-----
-#### [domaintools](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py)
+#### [DomainTools Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py)
@@ -491,6 +583,9 @@ DomainTools MISP expansion module.
>This module takes a MISP attribute as input to query the Domaintools API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.
>
>Please note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported.
+- **config**:
+> - username
+> - api_key
- **input**:
>A MISP attribute included in the following list:
>- domain
@@ -520,7 +615,7 @@ DomainTools MISP expansion module.
-----
-#### [eql](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py)
+#### [EQL Query Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py)
@@ -536,7 +631,7 @@ EQL query generation for a MISP attribute.
-----
-#### [eupi](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py)
+#### [EUPI Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py)
@@ -545,6 +640,9 @@ A module to query the Phishing Initiative service (https://phishing-initiative.l
>This module takes a domain, hostname or url MISP attribute as input to query the Phishing Initiative API. The API returns then the result of the query with some information about the value queried.
>
>Please note that composite attributes containing domain or hostname are also supported.
+- **config**:
+> - apikey
+> - url
- **input**:
>A domain, hostname or url MISP attribute.
- **output**:
@@ -557,7 +655,15 @@ A module to query the Phishing Initiative service (https://phishing-initiative.l
-----
-#### [farsight_passivedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py)
+#### [URL Components Extractor](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/extract_url_components.py)
+
+Extract URL components
+- **features**:
+>
+
+-----
+
+#### [Farsight DNSDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py)
@@ -569,6 +675,11 @@ Module to access Farsight DNSDB Passive DNS.
>An API key is required to submit queries to the API.
> It is also possible to define a custom server URL, and to set a limit of results to get.
> This limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit).
+- **config**:
+> - apikey
+> - server
+> - limit
+> - flex_queries
- **input**:
>A domain, hostname or IP address MISP attribute.
- **output**:
@@ -581,13 +692,17 @@ Module to access Farsight DNSDB Passive DNS.
-----
-#### [geoip_asn](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py)
+#### [GeoIP ASN Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py)
-- **descrption**:
->An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.
+
+Query a local copy of the Maxmind Geolite ASN database (MMDB format)
- **features**:
>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number.
+- **config**:
+>local_geolite_db
+- **descrption**:
+>An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.
- **input**:
>An IP address MISP attribute.
- **output**:
@@ -599,13 +714,15 @@ Module to access Farsight DNSDB Passive DNS.
-----
-#### [geoip_city](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py)
+#### [GeoIP City Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py)
An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.
- **features**:
>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located.
+- **config**:
+>local_geolite_db
- **input**:
>An IP address MISP attribute.
- **output**:
@@ -617,15 +734,17 @@ An expansion module to query a local copy of Maxmind's Geolite database with an
-----
-#### [geoip_country](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py)
+#### [GeoIP Country Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py)
-Module to query a local copy of Maxmind's Geolite database.
+Query a local copy of Maxminds Geolite database, updated for MMDB format
- **features**:
>This module takes an IP address MISP attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the location of this IP address.
>
>Please note that composite attributes domain|ip are also supported.
+- **config**:
+>local_geolite_db
- **input**:
>An IP address MISP Attribute.
- **output**:
@@ -637,11 +756,21 @@ Module to query a local copy of Maxmind's Geolite database.
-----
-#### [google_search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py)
+#### [Google Safe Browsing Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_safe_browsing.py)
+
+Google safe browsing expansion module
+- **features**:
+>
+- **config**:
+>api_key
+
+-----
+
+#### [Google Search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py)
-- **descrption**:
->A hover module to get information about an url using a Google search.
+
+An expansion hover module to expand google search information about an URL
- **features**:
>The module takes an url as input to query the Google search API. The result of the query is then return as raw text.
- **input**:
@@ -655,7 +784,7 @@ Module to query a local copy of Maxmind's Geolite database.
-----
-#### [google_threat_intelligence](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py)
+#### [Google Threat Intelligence Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py)
@@ -664,6 +793,13 @@ An expansion module to have the observable's threat score assessed by Google Thr
>GTI assessment for the given observable, this include information about level of severity, a clear verdict (malicious, suspicious, undetected and benign) and additional information provided by the Mandiant expertise combined with the VirusTotal database.
>
>[Output example screeshot](https://github.com/MISP/MISP/assets/4747608/e275db2f-bb1e-4413-8cc0-ec3cb05e0414)
+- **config**:
+> - apikey
+> - event_limit
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.
- **output**:
@@ -676,13 +812,16 @@ An expansion module to have the observable's threat score assessed by Google Thr
-----
-#### [greynoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py)
+#### [GreyNoise Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py)
Module to query IP and CVE information from GreyNoise
- **features**:
>This module supports: 1) Query an IP from GreyNoise to see if it is internet background noise or a common business service 2) Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days.
+- **config**:
+> - api_key
+> - api_type
- **input**:
>An IP address or CVE ID
- **output**:
@@ -696,7 +835,7 @@ Module to query IP and CVE information from GreyNoise
-----
-#### [hashdd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py)
+#### [Hashdd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py)
A hover module to check hashes against hashdd.com including NSLR dataset.
- **features**:
@@ -710,7 +849,7 @@ A hover module to check hashes against hashdd.com including NSLR dataset.
-----
-#### [hashlookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py)
+#### [CIRCL Hashlookup Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py)
@@ -720,6 +859,8 @@ An expansion module to query the CIRCL hashlookup services to find it if a hash
> It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required.
> The module can be used an hover module but also an expansion model to add related MISP objects.
>
+- **config**:
+>custom_API
- **input**:
>File hashes (MD5, SHA1)
- **output**:
@@ -729,13 +870,15 @@ An expansion module to query the CIRCL hashlookup services to find it if a hash
-----
-#### [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py)
+#### [Have I Been Pwned Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py)
Module to access haveibeenpwned.com API.
- **features**:
>The module takes an email address as input and queries haveibeenpwned.com API to find additional information about it. This additional information actually tells if any account using the email address has already been compromised in a data breach.
+- **config**:
+>api_key
- **input**:
>An email address
- **output**:
@@ -745,7 +888,7 @@ Module to access haveibeenpwned.com API.
-----
-#### [html_to_markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py)
+#### [HTML to Markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py)
Expansion module to fetch the html content from an url and convert it into markdown.
- **features**:
@@ -759,7 +902,7 @@ Expansion module to fetch the html content from an url and convert it into markd
-----
-#### [hyasinsight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py)
+#### [HYAS Insight Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py)
@@ -770,6 +913,8 @@ HYAS Insight integration to MISP provides direct, high volume access to HYAS Ins
>
>An API key is required to submit queries to the HYAS Insight API.
>
+- **config**:
+>apikey
- **input**:
>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)
- **output**:
@@ -781,13 +926,18 @@ HYAS Insight integration to MISP provides direct, high volume access to HYAS Ins
-----
-#### [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py)
+#### [Intel471 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py)
-- **descrption**:
->An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.
+
+Module to access Intel 471
- **features**:
>The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it.
+- **config**:
+> - email
+> - authkey
+- **descrption**:
+>An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.
- **input**:
>A MISP attribute whose type is included in the following list:
>- hostname
@@ -812,29 +962,7 @@ HYAS Insight integration to MISP provides direct, high volume access to HYAS Ins
-----
-#### [intelmq_eventdb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intelmq_eventdb.py)
-
-
-
-Module to access intelmqs eventdb.
-- **features**:
->/!\ EXPERIMENTAL MODULE, some features may not work /!\
->
->This module takes a domain, hostname, IP address or Autonomous system MISP attribute as input to query the IntelMQ database. The result of the query gives then additional information about the input.
-- **input**:
->A hostname, domain, IP address or AS attribute.
-- **output**:
->Text giving information about the input using IntelMQ database.
-- **references**:
-> - https://github.com/certtools/intelmq
-> - https://intelmq.readthedocs.io/en/latest/Developers-Guide/
-- **requirements**:
-> - psycopg2: Python library to support PostgreSQL
-> - An access to the IntelMQ database (username, password, hostname and database reference)
-
------
-
-#### [ip2locationio](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py)
+#### [IP2Location.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py)
@@ -845,6 +973,8 @@ An expansion module to query IP2Location.io to gather more information on a give
> Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan.
>
>More information on the responses content is available in the [documentation](https://www.ip2location.io/ip2location-documentation).
+- **config**:
+>key
- **input**:
>IP address attribute.
- **output**:
@@ -856,7 +986,7 @@ An expansion module to query IP2Location.io to gather more information on a give
-----
-#### [ipasn](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py)
+#### [IPASN-History Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py)
Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).
- **features**:
@@ -872,7 +1002,7 @@ Module to query an IP ASN history service (https://github.com/D4-project/IPASN-H
-----
-#### [ipinfo](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py)
+#### [IPInfo.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py)
@@ -886,6 +1016,8 @@ An expansion module to query ipinfo.io to gather more information on a given IP
>- With a paid subscription, the AS information is returned in the `asn` field with additional AS information, and depending on which plan the user has, you can also get information on the privacy method used to protect the IP address, the related domains, or the point of contact related to the IP address in case of an abuse.
>
>More information on the responses content is available in the [documentation](https://ipinfo.io/developers).
+- **config**:
+>token
- **input**:
>IP address attribute.
- **output**:
@@ -897,7 +1029,7 @@ An expansion module to query ipinfo.io to gather more information on a given IP
-----
-#### [ipqs_fraud_and_risk_scoring](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py)
+#### [IPQualityScore Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py)
@@ -906,6 +1038,8 @@ IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone
>This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API.
> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object.
> The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore.
+- **config**:
+>apikey
- **input**:
>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone).
- **output**:
@@ -917,11 +1051,13 @@ IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone
-----
-#### [iprep](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py)
+#### [IPRep Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py)
Module to query IPRep data for IP addresses.
- **features**:
>This module takes an IP address attribute as input and queries the database from packetmail.net to get some information about the reputation of the IP.
+- **config**:
+>apikey
- **input**:
>An IP address MISP attribute.
- **output**:
@@ -933,13 +1069,19 @@ Module to query IPRep data for IP addresses.
-----
-#### [joesandbox_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py)
+#### [Ninja Template Rendering](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/jinja_template_rendering.py)
+
+Render the template with the data passed
+- **features**:
+>
+
+-----
+
+#### [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py)
Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.
-
-This url can by the way come from the result of the [joesandbox_submit expansion module](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py).
- **features**:
>Module using the new format of modules able to return attributes and objects.
>
@@ -948,6 +1090,11 @@ This url can by the way come from the result of the [joesandbox_submit expansion
>Even if the introspection will allow all kinds of links to call this module, obviously only the ones presenting a sample or url submission in the Joe Sandbox API will return results.
>
>To make it work you will need to fill the 'apikey' configuration with your Joe Sandbox API key and provide a valid link as input.
+- **config**:
+> - apiurl
+> - apikey
+> - import_executable
+> - import_mitre_attack
- **input**:
>Link of a Joe Sandbox sample or url submission.
- **output**:
@@ -960,7 +1107,7 @@ This url can by the way come from the result of the [joesandbox_submit expansion
-----
-#### [joesandbox_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py)
+#### [Joe Sandbox Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py)
@@ -969,6 +1116,12 @@ A module to submit files or URLs to Joe Sandbox for an advanced analysis, and re
>The module requires a Joe Sandbox API key to submit files or URL, and returns the link of the submitted analysis.
>
>It is then possible, when the analysis is completed, to query the Joe Sandbox API to get the data related to the analysis, using the [joesandbox_query module](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) directly on this submission link.
+- **config**:
+> - apiurl
+> - apikey
+> - accept-tac
+> - report-cache
+> - systems
- **input**:
>Sample, url (or domain) to submit to Joe Sandbox for an advanced analysis.
- **output**:
@@ -981,18 +1134,21 @@ A module to submit files or URLs to Joe Sandbox for an advanced analysis, and re
-----
-#### [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py)
+#### [Lastline Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py)
Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
Query Lastline with an analysis link and parse the report into MISP attributes and objects.
-The analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) expansion module.
- **features**:
>The module requires a Lastline Portal `username` and `password`.
>The module uses the new format and it is able to return MISP attributes and objects.
>The module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) import module.
+- **config**:
+> - username
+> - password
+> - verify_ssl
- **input**:
>Link to a Lastline analysis.
- **output**:
@@ -1002,7 +1158,7 @@ The analysis link can also be retrieved from the output of the [lastline_submit]
-----
-#### [lastline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py)
+#### [Lastline Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py)
@@ -1012,6 +1168,10 @@ Module to submit a file or URL to Lastline.
- **features**:
>The module requires a Lastline Analysis `api_token` and `key`.
>When the analysis is completed, it is possible to import the generated report by feeding the analysis link to the [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) module.
+- **config**:
+> - url
+> - api_token
+> - key
- **input**:
>File or URL to submit to Lastline.
- **output**:
@@ -1021,7 +1181,7 @@ Module to submit a file or URL to Lastline.
-----
-#### [macaddress_io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py)
+#### [Macaddress.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py)
@@ -1033,6 +1193,8 @@ MISP hover module for macaddress.io
>- MAC address details
>- Vendor details
>- Block details
+- **config**:
+>api_key
- **input**:
>MAC address MISP attribute.
- **output**:
@@ -1046,13 +1208,15 @@ MISP hover module for macaddress.io
-----
-#### [macvendors](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py)
+#### [Macvendors Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py)
Module to access Macvendors API.
- **features**:
>The module takes a MAC address as input and queries macvendors.com for some information about it. The API returns the name of the vendor related to the address.
+- **config**:
+>user-agent
- **input**:
>A MAC address.
- **output**:
@@ -1063,9 +1227,9 @@ Module to access Macvendors API.
-----
-#### [malwarebazaar](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py)
+#### [Malware Bazaar Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py)
-Query the MALWAREbazaar API to get additional information about the input hash attribute.
+Query Malware Bazaar to get additional information about the input hash.
- **features**:
>The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.
>
@@ -1079,7 +1243,19 @@ Query the MALWAREbazaar API to get additional information about the input hash a
-----
-#### [mmdb_lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py)
+#### [McAfee MVISION Insights Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mcafee_insights_enrich.py)
+
+Lookup McAfee MVISION Insights Details
+- **features**:
+>
+- **config**:
+> - api_key
+> - client_id
+> - client_secret
+
+-----
+
+#### [GeoIP Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py)
@@ -1088,6 +1264,9 @@ A hover and expansion module to enrich an ip with geolocation and ASN informatio
>The module takes an IP address related attribute as input.
> It queries the public CIRCL.lu mmdb-server instance, available at ip.circl.lu, by default. The module can be configured with a custom mmdb server url if required.
> It is also possible to filter results on 1 db_source by configuring db_source_filter.
+- **config**:
+> - custom_API
+> - db_source_filter
- **input**:
>An IP address attribute (for example ip-src or ip-src|port).
- **output**:
@@ -1098,11 +1277,18 @@ A hover and expansion module to enrich an ip with geolocation and ASN informatio
-----
-#### [mwdb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py)
+#### [MWDB Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py)
Module to push malware samples to a MWDB instance
- **features**:
>An expansion module to push malware samples to a MWDB (https://github.com/CERT-Polska/mwdb-core) instance. This module does not push samples to a sandbox. This can be achieved via Karton (connected to the MWDB). Does: * Upload of attachment or malware sample to MWDB * Tags of events and/or attributes are added to MWDB. * Comment of the MISP attribute is added to MWDB. * A link back to the MISP event is added to MWDB via the MWDB attribute. * A link to the MWDB attribute is added as an enrichted attribute to the MISP event.
+- **config**:
+> - mwdb_apikey
+> - mwdb_url
+> - mwdb_misp_attribute
+> - mwdb_public
+> - include_tags_event
+> - include_tags_attribute
- **input**:
>Attachment or malware sample
- **output**:
@@ -1112,7 +1298,7 @@ Module to push malware samples to a MWDB instance
-----
-#### [ocr_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py)
+#### [OCR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py)
Module to process some optical character recognition on pictures.
- **features**:
@@ -1126,7 +1312,7 @@ Module to process some optical character recognition on pictures.
-----
-#### [ods_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py)
+#### [ODS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py)
@@ -1143,7 +1329,7 @@ Module to extract freetext from a .ods document.
-----
-#### [odt_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py)
+#### [ODT Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py)
@@ -1159,13 +1345,15 @@ Module to extract freetext from a .odt document.
-----
-#### [onyphe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py)
+#### [Onyphe Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py)
Module to process a query on Onyphe.
- **features**:
>This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.
+- **config**:
+>apikey
- **input**:
>A domain, hostname or IP address MISP attribute.
- **output**:
@@ -1179,7 +1367,7 @@ Module to process a query on Onyphe.
-----
-#### [onyphe_full](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py)
+#### [Onyphe Full Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py)
@@ -1188,6 +1376,8 @@ Module to process a full query on Onyphe.
>This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.
>
>The parsing is here more advanced than the one on onyphe module, and is returning more attributes, since more fields of the query result are watched and parsed.
+- **config**:
+>apikey
- **input**:
>A domain, hostname or IP address MISP attribute.
- **output**:
@@ -1201,13 +1391,15 @@ Module to process a full query on Onyphe.
-----
-#### [otx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py)
+#### [AlienVault OTX Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py)
Module to get information from AlienVault OTX.
- **features**:
>This module takes a MISP attribute as input to query the OTX Alienvault API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.
+- **config**:
+>apikey
- **input**:
>A MISP attribute included in the following list:
>- hostname
@@ -1236,32 +1428,28 @@ Module to get information from AlienVault OTX.
-----
-#### [passivessh](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivessh.py)
+#### [Passive SSH Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passive_ssh.py)
-
-
-An expansion module to query the CIRCL Passive SSH.
+An expansion module to enrich, SSH key fingerprints and IP addresses with information collected by passive-ssh
- **features**:
->The module queries the Passive SSH service from CIRCL.
->
-> The module can be used an hover module but also an expansion model to add related MISP objects.
>
-- **input**:
->IP addresses or SSH fingerprints
-- **output**:
->SSH key materials, complementary IP addresses with similar SSH key materials
-- **references**:
->https://github.com/D4-project/passive-ssh
+- **config**:
+> - custom_api_url
+> - api_user
+> - api_key
-----
-#### [passivetotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py)
+#### [PassiveTotal Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py)
-
+The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register
- **features**:
>The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register
+- **config**:
+> - username
+> - api_key
- **input**:
>A MISP attribute included in the following list:
>- hostname
@@ -1306,7 +1494,7 @@ An expansion module to query the CIRCL Passive SSH.
-----
-#### [pdf_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py)
+#### [PDF Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py)
@@ -1322,7 +1510,7 @@ Module to extract freetext from a PDF document.
-----
-#### [pptx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py)
+#### [PPTX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py)
@@ -1338,13 +1526,16 @@ Module to extract freetext from a .pptx document.
-----
-#### [qintel_qsentry](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py)
+#### [Qintel QSentry Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py)
A hover and expansion module which queries Qintel QSentry for ip reputation data
- **features**:
>This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the Qintel QSentry API to retrieve ip reputation data
+- **config**:
+> - token
+> - remote
- **input**:
>ip address attribute
- **ouput**:
@@ -1356,7 +1547,7 @@ A hover and expansion module which queries Qintel QSentry for ip reputation data
-----
-#### [qrcode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py)
+#### [QR Code Decode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py)
Module to decode QR codes.
- **features**:
@@ -1371,13 +1562,17 @@ Module to decode QR codes.
-----
-#### [ransomcoindb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py)
-- **descrption**:
->Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes.
+#### [RandomcoinDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py)
+
+Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
- **features**:
>The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data.
>
>If the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes.
+- **config**:
+>api-key
+- **descrption**:
+>Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes.
- **input**:
>A hash (md5, sha1 or sha256) or btc attribute.
- **output**:
@@ -1389,13 +1584,15 @@ Module to decode QR codes.
-----
-#### [rbl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py)
+#### [Real-time Blackhost Lists Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py)
Module to check an IPv4 address against known RBLs.
- **features**:
>This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.
>
>We display then all the information we get from those different sources.
+- **config**:
+>timeout
- **input**:
>IP address attribute.
- **output**:
@@ -1407,13 +1604,19 @@ Module to check an IPv4 address against known RBLs.
-----
-#### [recordedfuture](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py)
+#### [Recorded Future Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py)
Module to enrich attributes with threat intelligence from Recorded Future.
- **features**:
>Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes.
+- **config**:
+> - token
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness.
- **output**:
@@ -1425,7 +1628,7 @@ Module to enrich attributes with threat intelligence from Recorded Future.
-----
-#### [reversedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py)
+#### [Reverse DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py)
Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
- **features**:
@@ -1434,6 +1637,8 @@ Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes
>The address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).
>
>Please note that composite MISP attributes containing IP addresses are supported as well.
+- **config**:
+>nameserver
- **input**:
>An IP address attribute.
- **output**:
@@ -1443,7 +1648,7 @@ Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes
-----
-#### [securitytrails](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py)
+#### [SecurityTrails Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py)
@@ -1454,6 +1659,8 @@ An expansion modules for SecurityTrails.
>Multiple parsing operations are then processed on the result of the query to extract a much information as possible.
>
>From this data extracted are then mapped MISP attributes.
+- **config**:
+>apikey
- **input**:
>A domain, hostname or IP address attribute.
- **output**:
@@ -1477,13 +1684,15 @@ An expansion modules for SecurityTrails.
-----
-#### [shodan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py)
+#### [Shodan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py)
Module to query on Shodan.
- **features**:
>The module takes an IP address as input and queries the Shodan API to get some additional data about it.
+- **config**:
+>apikey
- **input**:
>An IP address MISP attribute.
- **output**:
@@ -1496,7 +1705,7 @@ Module to query on Shodan.
-----
-#### [sigma_queries](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py)
+#### [Sigma Rule Converter](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py)
@@ -1514,7 +1723,7 @@ An expansion hover module to display the result of sigma queries.
-----
-#### [sigma_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py)
+#### [Sigma Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py)
@@ -1535,25 +1744,15 @@ An expansion hover module to perform a syntax check on sigma rules.
-----
-#### [sigmf-expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigmf-expand.py)
+#### [SigMF Expansion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigmf_expand.py)
-Enrichs a SigMF Recording or extracts a SigMF Archive into a SigMF Recording.
+Expands a SigMF Recording object into a SigMF Expanded Recording object, extracts a SigMF archive into a SigMF Recording object.
- **features**:
->This module can be used to expand a SigMF Recording object into a SigMF Expanded Recording object with a waterfall plot or to extract a SigMF Archive object into a SigMF Recording objet.
-- **input**:
->Object of sigmf-archive or sigmf-recording template.
-- **output**:
->Object of sigmf-expanded-recording or sigmf-recording template.
-- **references**:
->https://github.com/sigmf/SigMF
-- **requirements**:
-> - matplotlib: For plotting the waterfall plot of the recording.
-> - numpy: For the waterfall plot of the recording.
-> - sigmf: For validating SigMF files.
+>
-----
-#### [socialscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py)
+#### [Socialscan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py)
A hover module to get information on the availability of an email address or username on some online platforms.
- **features**:
@@ -1569,13 +1768,16 @@ A hover module to get information on the availability of an email address or use
-----
-#### [sophoslabs_intelix](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py)
+#### [SophosLabs Intelix Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py)
An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.
- **features**:
>The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object.
+- **config**:
+> - client_id
+> - client_secret
- **input**:
>An ip address, url, domain or sha256 attribute.
- **output**:
@@ -1587,11 +1789,13 @@ An expansion module to query the Sophoslabs intelix API to get additional inform
-----
-#### [sourcecache](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py)
+#### [URL Archiver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py)
Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.
- **features**:
>This module takes a link or url attribute as input and caches the related web page. It returns then a link of the cached page.
+- **config**:
+>archivepath
- **input**:
>A link or url attribute.
- **output**:
@@ -1603,13 +1807,15 @@ Module to cache web pages of analysis reports, OSINT sources. The module returns
-----
-#### [stairwell](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py)
+#### [Stairwell Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py)
Module to query the Stairwell API to get additional information about the input hash attribute
- **features**:
>The module takes a hash attribute as input and queries Stariwell's API to fetch additional data about it. The result, if the payload is observed in Stariwell, is a file object describing the file the input hash is related to.
+- **config**:
+>apikey
- **input**:
>A hash attribute (md5, sha1, sha256).
- **output**:
@@ -1622,7 +1828,7 @@ Module to query the Stairwell API to get additional information about the input
-----
-#### [stix2_pattern_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py)
+#### [STIX2 Pattern Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py)
@@ -1642,7 +1848,7 @@ An expansion hover module to perform a syntax check on stix2 patterns.
-----
-#### [threatcrowd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py)
+#### [ThreatCrowd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py)
@@ -1679,7 +1885,15 @@ Module to get information from ThreatCrowd.
-----
-#### [threatminer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py)
+#### [ThreadFox Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatfox.py)
+
+Module to search for an IOC on ThreatFox by abuse.ch.
+- **features**:
+>
+
+-----
+
+#### [ThreatMiner Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py)
@@ -1719,7 +1933,7 @@ Module to get information from ThreatMiner.
-----
-#### [trustar_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py)
+#### [TruSTAR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py)
@@ -1728,6 +1942,10 @@ Module to get enrich indicators with TruSTAR.
>This module enriches MISP attributes with scoring and metadata from TruSTAR.
>
>The TruSTAR indicator summary is appended to the attributes along with links to any associated reports.
+- **config**:
+> - user_api_key
+> - user_api_secret
+> - enclave_ids
- **input**:
>Any of the following MISP attributes:
>- btc
@@ -1748,7 +1966,7 @@ Module to get enrich indicators with TruSTAR.
-----
-#### [urlhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py)
+#### [URLhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py)
@@ -1766,7 +1984,7 @@ Query of the URLhaus API to get additional information about the input attribute
-----
-#### [urlscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py)
+#### [URLScan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py)
@@ -1775,6 +1993,8 @@ An expansion module to query urlscan.io.
>This module takes a MISP attribute as input and queries urlscan.io with it.
>
>The result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute.
+- **config**:
+>apikey
- **input**:
>A domain, hostname or url attribute.
- **output**:
@@ -1786,7 +2006,7 @@ An expansion module to query urlscan.io.
-----
-#### [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py)
+#### [VARIoT db Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py)
@@ -1797,6 +2017,8 @@ An expansion module to query the VARIoT db API for more information about a vuln
>The `vuln` endpoint is queried first to look for additional information about the vulnerability itself.
>
>The `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template.
+- **config**:
+>API_key
- **input**:
>Vulnerability attribute.
- **output**:
@@ -1808,11 +2030,11 @@ An expansion module to query the VARIoT db API for more information about a vuln
-----
-#### [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py)
+#### [VirusTotal v3 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py)
-Module to get advanced information from virustotal.
+Enrich observables with the VirusTotal v3 API
- **features**:
>New format of modules able to return attributes and objects.
>
@@ -1821,6 +2043,13 @@ Module to get advanced information from virustotal.
>Compared to the [standard VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/virustotal_public.py), this module is made for advanced parsing of VirusTotal report, with a recursive analysis of the elements found after the first request.
>
>Thus, it requires a higher request rate limit to avoid the API to return a 204 error (Request rate limit exceeded), and the data parsed from the different requests are returned as MISP attributes and objects, with the corresponding relations between each one of them.
+- **config**:
+> - apikey
+> - event_limit
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.
- **output**:
@@ -1833,11 +2062,11 @@ Module to get advanced information from virustotal.
-----
-#### [virustotal_public](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py)
+#### [VirusTotal Public API Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py)
-Module to get information from VirusTotal.
+Enrich observables with the VirusTotal v3 public API
- **features**:
>New format of modules able to return attributes and objects.
>
@@ -1846,6 +2075,12 @@ Module to get information from VirusTotal.
>Compared to the [more advanced VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/virustotal.py), this module is made for VirusTotal users who have a low request rate limit.
>
>Thus, it only queries the API once and returns the results that is parsed into MISP attributes and objects.
+- **config**:
+> - apikey
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A domain, hostname, ip, url or hash (md5, sha1, sha256 or sha512) attribute.
- **output**:
@@ -1858,7 +2093,7 @@ Module to get information from VirusTotal.
-----
-#### [vmray_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py)
+#### [VMRay Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py)
@@ -1867,6 +2102,12 @@ Module to submit a sample to VMRay.
>This module takes an attachment or malware-sample attribute as input to query the VMRay API.
>
>The sample contained within the attribute in then enriched with data from VMRay mapped into MISP attributes.
+- **config**:
+> - apikey
+> - url
+> - shareable
+> - do_not_reanalyze
+> - do_not_include_vmrayjobids
- **input**:
>An attachment or malware-sample attribute.
- **output**:
@@ -1883,7 +2124,7 @@ Module to submit a sample to VMRay.
-----
-#### [vmware_nsx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py)
+#### [VMware NSX Defender Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py)
@@ -1892,6 +2133,15 @@ Module to enrich a file or URL with VMware NSX Defender.
>This module takes an IoC such as file hash, file attachment, malware-sample or url as input to query VMware NSX Defender.
>
>The IoC is then enriched with data from VMware NSX Defender.
+- **config**:
+> - analysis_url
+> - analysis_verify_ssl
+> - analysis_key
+> - analysis_api_token
+> - vt_key
+> - misp_url
+> - misp_verify_ssl
+> - misp_key
- **input**:
>File hash, attachment or URL to be enriched with VMware NSX Defender.
- **output**:
@@ -1903,7 +2153,7 @@ Module to enrich a file or URL with VMware NSX Defender.
-----
-#### [vulndb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py)
+#### [VulnDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py)
@@ -1912,6 +2162,15 @@ Module to query VulnDB (RiskBasedSecurity.com).
>This module takes a vulnerability attribute as input and queries VulnDB in order to get some additional data about it.
>
>The API gives the result of the query which can be displayed in the screen, and/or mapped into MISP attributes to add in the event.
+- **config**:
+> - apikey
+> - apisecret
+> - discard_dates
+> - discard_external_references
+> - discard_cvss
+> - discard_productinformation
+> - discard_classification
+> - discard_cpe
- **input**:
>A vulnerability attribute.
- **output**:
@@ -1923,7 +2182,15 @@ Module to query VulnDB (RiskBasedSecurity.com).
-----
-#### [vulners](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py)
+#### [Vulnerability Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py)
+
+An expansion module to query Vulnerability Lookup
+- **features**:
+>
+
+-----
+
+#### [Vulners Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py)
@@ -1932,6 +2199,8 @@ An expansion hover module to expand information about CVE id using Vulners API.
>This module takes a vulnerability attribute as input and queries the Vulners API in order to get some additional data about it.
>
>The API then returns details about the vulnerability.
+- **config**:
+>apikey
- **input**:
>A vulnerability attribute.
- **output**:
@@ -1944,13 +2213,20 @@ An expansion hover module to expand information about CVE id using Vulners API.
-----
-#### [vysion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py)
+#### [Vysion Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py)
Module to enrich the information by making use of the Vysion API.
- **features**:
>This module gets correlated information from Byron Labs' dark web intelligence database. With this you will get several objects containing information related to, for example, an organization victim of a ransomware attack.
+- **config**:
+> - apikey
+> - event_limit
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>company(target-org), country, info, BTC, XMR and DASH address.
- **output**:
@@ -1965,11 +2241,14 @@ Module to enrich the information by making use of the Vysion API.
-----
-#### [whois](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py)
+#### [Whois Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py)
Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
- **features**:
>This module takes a domain or IP address attribute as input and queries a 'Univseral Whois proxy server' to get the correct details of the Whois query on the input value (check the references for more details about this whois server).
+- **config**:
+> - server
+> - port
- **input**:
>A domain or IP address attribute.
- **output**:
@@ -1981,19 +2260,19 @@ Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
-----
-#### [whoisfreaks](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py)
+#### [WhoisFreaks Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py)
An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
-Our Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security.
-Explore our website's product section at https://whoisfreaks.com/ for a wide range of additional services catering to threat intelligence and attack surface analysis needs.
- **features**:
>The module takes a domain as input and queries the Whoisfreaks API with it.
>
>Some parsing operations are then processed on the result of the query to extract as much information as possible.
>
>After this we map the extracted data to MISP attributes.
+- **config**:
+>apikey
- **input**:
>A domain whose Data is required
- **output**:
@@ -2013,7 +2292,7 @@ Explore our website's product section at https://whoisfreaks.com/ for a wide ran
-----
-#### [wiki](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py)
+#### [Wikidata Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py)
@@ -2031,13 +2310,16 @@ An expansion hover module to extract information from Wikidata to have additiona
-----
-#### [xforceexchange](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py)
+#### [IBM X-Force Exchange Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py)
An expansion module for IBM X-Force Exchange.
- **features**:
>This module takes a MISP attribute as input to query the X-Force API. The API returns then additional information known in their threats data, that is mapped into MISP attributes.
+- **config**:
+> - apikey
+> - apipassword
- **input**:
>A MISP attribute included in the following list:
>- ip-src
@@ -2055,7 +2337,7 @@ An expansion module for IBM X-Force Exchange.
-----
-#### [xlsx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py)
+#### [XLXS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py)
@@ -2071,11 +2353,11 @@ Module to extract freetext from a .xlsx document.
-----
-#### [yara_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py)
+#### [YARA Rule Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py)
-An expansion & hover module to translate any hash attribute into a yara rule.
+jj
- **features**:
>The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module.
>Both hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules.
@@ -2086,12 +2368,14 @@ An expansion & hover module to translate any hash attribute into a yara rule.
- **references**:
> - https://virustotal.github.io/yara/
> - https://github.com/virustotal/yara-python
+- **require_standard_format**:
+>True
- **requirements**:
>yara-python python library
-----
-#### [yara_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py)
+#### [YARA Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py)
@@ -2109,13 +2393,16 @@ An expansion hover module to perform a syntax check on if yara rules are valid o
-----
-#### [yeti](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py)
+#### [Yeti Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py)
Module to process a query on Yeti.
- **features**:
>This module add context and links between observables using yeti
+- **config**:
+> - apikey
+> - url
- **input**:
>A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute.
- **output**:
@@ -2131,12 +2418,17 @@ Module to process a query on Yeti.
## Export Modules
-#### [cef_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py)
+#### [CEF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py)
Module to export a MISP event in CEF format.
- **features**:
>The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format.
>Thus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data.
+- **config**:
+> - Default_Severity
+> - Device_Vendor
+> - Device_Product
+> - Device_Version
- **input**:
>MISP Event attributes
- **output**:
@@ -2146,13 +2438,19 @@ Module to export a MISP event in CEF format.
-----
-#### [cisco_firesight_manager_ACL_rule_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py)
+#### [Cisco fireSIGHT blockrule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py)
Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.
- **features**:
>The module goes through the attributes to find all the network activity ones in order to create block rules for the Cisco fireSIGHT manager.
+- **config**:
+> - fmc_ip_addr
+> - fmc_login
+> - fmc_pass
+> - domain_id
+> - acpolicy_id
- **input**:
>Network activity attributes (IPs, URLs).
- **output**:
@@ -2162,13 +2460,15 @@ Module to export malicious network activity attributes to Cisco fireSIGHT manage
-----
-#### [defender_endpoint_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py)
+#### [Microsoft Defender for Endpoint KQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py)
Defender for Endpoint KQL hunting query export module
- **features**:
>This module export an event as Defender for Endpoint KQL queries that can then be used in your own python3 or Powershell tool. If you are using Microsoft Sentinel, you can directly connect your MISP instance to Sentinel and then create queries using the `ThreatIntelligenceIndicator` table to match events against imported IOC.
+- **config**:
+>Period
- **input**:
>MISP Event attributes
- **output**:
@@ -2178,7 +2478,7 @@ Defender for Endpoint KQL hunting query export module
-----
-#### [goamlexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py)
+#### [GoAML Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py)
@@ -2202,23 +2502,29 @@ This module is used to export MISP events containing transaction objects into Go
> - 'entity': Entity owning the bank account - optional.
>- person:
> - 'address': Address of a person - optional.
+- **config**:
+>rentity_id
- **input**:
>MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.
- **output**:
>GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).
- **references**:
>http://goaml.unodc.org/
+- **require_standard_format**:
+>True
- **requirements**:
> - PyMISP
> - MISP objects
-----
-#### [liteexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py)
+#### [Lite Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py)
Lite export of a MISP event.
- **features**:
>This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty.
+- **config**:
+>indent_json_export
- **input**:
>MISP Event attributes
- **output**:
@@ -2226,11 +2532,11 @@ Lite export of a MISP event.
-----
-#### [mass_eql_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py)
+#### [EQL Query Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py)
-Mass EQL query export for a MISP event.
+Export MISP event in Event Query Language
- **features**:
>This module produces EQL queries for all relevant attributes in a MISP event.
- **input**:
@@ -2242,13 +2548,15 @@ Mass EQL query export for a MISP event.
-----
-#### [nexthinkexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py)
+#### [Nexthink NXQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py)
Nexthink NXQL query export module
- **features**:
>This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell
+- **config**:
+>Period
- **input**:
>MISP Event attributes
- **output**:
@@ -2258,7 +2566,7 @@ Nexthink NXQL query export module
-----
-#### [osqueryexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py)
+#### [OSQuery Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py)
@@ -2272,7 +2580,7 @@ OSQuery export of a MISP event.
-----
-#### [pdfexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py)
+#### [Event to PDF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py)
Simple export of a MISP event to PDF.
- **features**:
@@ -2283,25 +2591,29 @@ Simple export of a MISP event to PDF.
> 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !
> 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.
> 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option
+- **config**:
+> - MISP_base_url_for_dynamic_link
+> - MISP_name_for_metadata
+> - Activate_textual_description
+> - Activate_galaxy_description
+> - Activate_related_events
+> - Activate_internationalization_fonts
+> - Custom_fonts_path
- **input**:
>MISP Event
- **output**:
>MISP Event in a PDF file.
- **references**:
>https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html
+- **require_standard_format**:
+>True
- **requirements**:
> - PyMISP
> - reportlab
-----
-#### [testexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/testexport.py)
-
-Skeleton export module.
-
------
-
-#### [threatStream_misp_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py)
+#### [ThreatStream Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py)
@@ -2320,7 +2632,7 @@ Module to export a structured CSV file for uploading to threatStream.
-----
-#### [threat_connect_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py)
+#### [ThreadConnect Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py)
@@ -2328,6 +2640,8 @@ Module to export a structured CSV file for uploading to ThreatConnect.
- **features**:
>The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect.
>Users should then provide, as module configuration, the source of data they export, because it is required by the output format.
+- **config**:
+>Default_Source
- **input**:
>MISP Event attributes
- **output**:
@@ -2339,13 +2653,19 @@ Module to export a structured CSV file for uploading to ThreatConnect.
-----
-#### [virustotal_collections](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py)
+#### [VirusTotal Collections Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py)
Creates a VT Collection from an event iocs.
- **features**:
>This export module which takes advantage of a new endpoint in VT APIv3 to create VT Collections from IOCs contained in a MISP event. With this module users will be able to create a collection just using the Download as... button.
+- **config**:
+> - vt_api_key
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A domain, hash (md5, sha1, sha256 or sha512), hostname, url or IP address attribute.
- **output**:
@@ -2358,7 +2678,7 @@ Creates a VT Collection from an event iocs.
-----
-#### [vt_graph](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py)
+#### [VirusTotal Graph Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py)
@@ -2367,6 +2687,16 @@ This module is used to create a VirusTotal Graph from a MISP event.
>The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.
>
>Once the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.
+- **config**:
+> - vt_api_key
+> - fetch_information
+> - private
+> - fetch_vt_enterprise
+> - expand_one_level
+> - user_editors
+> - user_viewers
+> - group_editors
+> - group_viewers
- **input**:
>A MISP event.
- **output**:
@@ -2378,7 +2708,7 @@ This module is used to create a VirusTotal Graph from a MISP event.
-----
-#### [yara_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/yara_export.py)
+#### [YARA Rule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/yara_export.py)
@@ -2399,7 +2729,7 @@ This module is used to export MISP events to YARA.
## Import Modules
-#### [cof2misp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py)
+#### [PDNS COF Importer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py)
Passive DNS Common Output Format (COF) MISP importer
- **features**:
@@ -2415,7 +2745,7 @@ Passive DNS Common Output Format (COF) MISP importer
-----
-#### [csvimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py)
+#### [CSV Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py)
Module to import MISP attributes from a csv file.
- **features**:
@@ -2436,13 +2766,13 @@ Module to import MISP attributes from a csv file.
-----
-#### [cuckooimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py)
+#### [Cuckoo Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py)
Module to import Cuckoo JSON.
- **features**:
->The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work.
+>Import a Cuckoo archive (zipfile or bzip2 tarball), either downloaded manually or exported from the API (/tasks/report//all).
- **input**:
>Cuckoo JSON file
- **output**:
@@ -2453,12 +2783,16 @@ Module to import Cuckoo JSON.
-----
-#### [email_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py)
+#### [Email Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py)
-Module to import emails in MISP.
+Email import module for MISP
- **features**:
>This module can be used to import e-mail text as well as attachments and urls.
>3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.
+- **config**:
+> - unzip_attachments
+> - guess_zip_attachment_passwords
+> - extract_urls
- **input**:
>E-mail file
- **output**:
@@ -2466,7 +2800,7 @@ Module to import emails in MISP.
-----
-#### [goamlimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py)
+#### [GoAML Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py)
@@ -2484,7 +2818,15 @@ Module to import MISP objects about financial transactions from GoAML files.
-----
-#### [joe_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py)
+#### [Import Blueprint](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/import_blueprint.py)
+
+Generic blueprint to be copy-pasted to quickly boostrap creation of import module.
+- **features**:
+>
+
+-----
+
+#### [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py)
@@ -2503,7 +2845,7 @@ A module to import data from a Joe Sandbox analysis json report.
-----
-#### [lastline_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py)
+#### [Lastline Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py)
@@ -2514,6 +2856,10 @@ Module to import and parse reports from Lastline analysis links.
>The module requires a Lastline Portal `username` and `password`.
>The module uses the new format and it is able to return MISP attributes and objects.
>The module returns the same results as the [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) expansion module.
+- **config**:
+> - username
+> - password
+> - verify_ssl
- **input**:
>Link to a Lastline analysis.
- **output**:
@@ -2523,7 +2869,7 @@ Module to import and parse reports from Lastline analysis links.
-----
-#### [mispjson](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py)
+#### [MISP JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py)
Module to import MISP JSON format for merging MISP events.
- **features**:
@@ -2535,7 +2881,7 @@ Module to import MISP JSON format for merging MISP events.
-----
-#### [ocr](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py)
+#### [OCR Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py)
Optical Character Recognition (OCR) module for MISP.
- **features**:
@@ -2547,7 +2893,7 @@ Optical Character Recognition (OCR) module for MISP.
-----
-#### [openiocimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py)
+#### [OpenIOC Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py)
Module to import OpenIOC packages.
- **features**:
@@ -2563,7 +2909,17 @@ Module to import OpenIOC packages.
-----
-#### [threatanalyzer_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py)
+#### [TAXII 2.1 Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/taxii21.py)
+
+Import content from a TAXII 2.1 server
+- **features**:
+>
+- **config**:
+>stix_object_limit
+
+-----
+
+#### [ThreadAnalyzer Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py)
Module to import ThreatAnalyzer archive.zip / analysis.json files.
- **features**:
@@ -2578,7 +2934,15 @@ Module to import ThreatAnalyzer archive.zip / analysis.json files.
-----
-#### [vmray_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py)
+#### [URL Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/url_import.py)
+
+Simple URL import tool with Faup
+- **features**:
+>
+
+-----
+
+#### [VMRay API Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py)
@@ -2586,6 +2950,12 @@ Module to import VMRay (VTI) results.
- **features**:
>The module imports MISP Attributes from VMRay format, using the VMRay api.
>Users should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.
+- **config**:
+> - apikey
+> - url
+> - disable_tags
+> - disable_misp_objects
+> - ignore_analysis_finished
- **input**:
>VMRay format
- **output**:
@@ -2596,3 +2966,45 @@ Module to import VMRay (VTI) results.
>vmray_rest_api
-----
+
+#### [VMRay Summary JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_summary_json_import.py)
+
+Import a VMRay Summary JSON report.
+- **features**:
+>
+- **config**:
+>disable_tags
+
+-----
+
+## Action Modules
+
+#### [Mattermost](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/mattermost.py)
+
+Simplistic module to send message to a Mattermost channel.
+- **features**:
+>
+- **config**:
+>{'params': {'mattermost_hostname': {'type': 'string', 'description': 'The Mattermost domain or URL', 'value': 'example.mattermost.com'}, 'bot_access_token': {'type': 'string', 'description': 'Access token generated when you created the bot account'}, 'channel_id': {'type': 'string', 'description': 'The channel you added the bot to'}, 'message_template': {'type': 'large_string', 'description': 'The template to be used to generate the message to be posted', 'value': 'The **template** will be rendered using *Jinja2*!', 'jinja_supported': True}}, 'blocking': False, 'support_filters': True, 'expect_misp_core_format': False}
+
+-----
+
+#### [Slack](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/slack.py)
+
+Simplistic module to send messages to a Slack channel.
+- **features**:
+>
+- **config**:
+>{'params': {'slack_bot_token': {'type': 'string', 'description': 'The Slack bot token generated when you created the bot account'}, 'channel_id': {'type': 'string', 'description': 'The channel ID you want to post messages to'}, 'message_template': {'type': 'large_string', 'description': 'The template to be used to generate the message to be posted', 'value': 'The **template** will be rendered using *Jinja2*!', 'jinja_supported': True}}, 'blocking': False, 'support_filters': True, 'expect_misp_core_format': False}
+
+-----
+
+#### [Test action](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/testaction.py)
+
+This module is merely a test, always returning true. Triggers on event publishing.
+- **features**:
+>
+- **config**:
+>{'params': {'foo': {'type': 'string', 'description': 'blablabla', 'value': 'xyz'}, 'Data extraction path': {'type': 'hash_path', 'description': 'Only post content extracted from this path', 'value': 'Attribute.{n}.AttributeTag.{n}.Tag.name'}}, 'blocking': False, 'support_filters': False, 'expect_misp_core_format': False}
+
+-----
diff --git a/documentation/generate_documentation.py b/documentation/generate_documentation.py
index 84dfc19e..79fb76ea 100644
--- a/documentation/generate_documentation.py
+++ b/documentation/generate_documentation.py
@@ -1,42 +1,91 @@
# -*- coding: utf-8 -*-
import os
-import json
from pathlib import Path
+import importlib
+import copy
-module_types = ['expansion', 'export_mod', 'import_mod']
-titles = ['Expansion Modules', 'Export Modules', 'Import Modules']
+module_types = ['expansion', 'export_mod', 'import_mod', 'action_mod']
+titles = ['Expansion Modules', 'Export Modules', 'Import Modules', 'Action Modules']
githublink = 'https://github.com/MISP/misp-modules/tree/main/misp_modules/modules'
+moduleinfo_to_ignore = ['module-type', 'author', 'version']
+
+_all_moduleinfo = {}
+
+
+def get_all_moduleinfo():
+ '''
+ Get all module information from the modules.
+ Behaves like a singleton, so it will only load the modules once.
+ '''
+ if not _all_moduleinfo:
+ for module_type in module_types:
+ _all_moduleinfo[module_type] = {}
+ module_type_module = importlib.import_module(f"misp_modules.modules.{module_type}")
+ module_type_module.__all__.sort()
+ for module_name in module_type_module.__all__:
+ module_package_name = f"misp_modules.modules.{module_type}.{module_name}"
+ try:
+ module = importlib.import_module(module_package_name)
+ moduleinfo = copy.deepcopy(module.version())
+ except Exception:
+ continue # skip if we have issues loading the module
+
+ moduleinfo = dict(sorted(moduleinfo.items()))
+ _all_moduleinfo[module_type][module_name] = moduleinfo
+
+ return _all_moduleinfo
+
def generate_doc(module_type, root_path, logo_path='logos'):
markdown = []
- current_path = os.path.join(root_path, 'website', module_type)
- files = sorted(os.listdir(current_path))
+ # current_path = os.path.join(root_path, 'website', module_type)
+ # files = sorted(os.listdir(current_path))
githubpath = f'{githublink}/{module_type}'
- for filename in files:
- modulename = filename.split('.json')[0]
- githubref = f'{githubpath}/{modulename}.py'
- markdown.append(f'\n#### [{modulename}]({githubref})\n')
- filename = os.path.join(current_path, filename)
- print(f'Processing (unknown)')
- with open(filename, 'rt') as f:
- definition = json.loads(f.read())
- if 'logo' in definition:
- logo = os.path.join(logo_path, definition.pop('logo'))
+
+ for module_name, moduleinfo in get_all_moduleinfo()[module_type].items():
+ githubref = f'{githubpath}/{module_name}.py'
+
+ moduleinfo = copy.deepcopy(moduleinfo) # ensure to not modify the original data
+ for i in moduleinfo_to_ignore:
+ moduleinfo.pop(i)
+
+ module_name_pretty = moduleinfo.pop('name')
+ if module_name_pretty == '':
+ module_name_pretty = module_name
+
+ markdown.append(f'\n#### [{module_name_pretty}]({githubref})\n')
+ if moduleinfo['logo'] != '':
+ logo = os.path.join(logo_path, moduleinfo.pop('logo'))
markdown.append(f"\n
\n")
- if 'description' in definition:
- markdown.append(f"\n{definition.pop('description')}\n")
- for field, value in sorted(definition.items()):
+ if 'description' in moduleinfo:
+ markdown.append(f"\n{moduleinfo.pop('description')}\n")
+ if 'features' in moduleinfo:
+ markdown.append(get_single_value('features', str(moduleinfo.pop('features')).replace('\n', '\n>')))
+ for field, value in sorted(moduleinfo.items()):
if not value:
continue
if isinstance(value, list):
markdown.append(handle_list(field, value))
continue
- markdown.append(get_single_value(field, value.replace('\n', '\n>')))
+ markdown.append(get_single_value(field, str(value).replace('\n', '\n>')))
markdown.append('\n-----\n')
return markdown
+def generate_index_doc(module_type, root_path):
+ markdown = []
+ githubpath = f'{githublink}/{module_type}'
+ for module_name, moduleinfo in get_all_moduleinfo()[module_type].items():
+ module_name_pretty = moduleinfo.get('name')
+ if module_name_pretty == '':
+ module_name_pretty = module_name
+
+ githubref = f'{githubpath}/{module_name}.py'
+ markdown.append(f'* [{module_name_pretty}]({githubref}) - {moduleinfo.get("description")}\n')
+ return markdown
+
+
def get_single_value(field, value):
return f"- **{field}**:\n>{value}\n"
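Review bot: The new per-module loop in generate_doc assumes every key is present: `moduleinfo.pop(i)` over moduleinfo_to_ignore, `moduleinfo.pop('name')` and `moduleinfo['logo'] != ''` all raise KeyError for a module whose version() dict lacks one of them, whereas the removed code tested `'logo' in definition` first, so a single incomplete module aborts the whole documentation build. Tolerant lookups keep the behaviour for complete modules and degrade gracefully otherwise: `moduleinfo.pop(i, None)`, `module_name_pretty = moduleinfo.pop('name', '') or module_name` and `if moduleinfo.get('logo'):`. Separately, the `except Exception: continue` in get_all_moduleinfo drops a module from the generated docs without any trace; printing the module name and the exception there (`print(f"Skipping {module_package_name}: {exc}")`) makes a broken import visible instead of silently shrinking the documentation. The two commented-out `current_path`/`files` lines should be deleted rather than kept, and `root_path` is unused in generate_index_doc.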
@@ -48,7 +97,7 @@ def handle_list(field, values):
return f"- **{field}**:\n> - {values}\n"
-def write_doc(root_path):
+def write_doc_for_readme(root_path):
markdown = ["# MISP modules documentation\n"]
for _path, title in zip(module_types, titles):
markdown.append(f'\n## {title}\n')
@@ -64,7 +113,76 @@ def write_docs_for_mkdocs(root_path):
w.write(''.join(markdown))
+def update_docs_for_mkdocs_index(root_path):
+ with open(root_path / 'mkdocs' / 'index.md', 'r') as r:
+ old_doc = r.readlines()
+
+ new_doc = []
+ skip = False
+ for line in old_doc:
+ if skip and not line.startswith('## '): # find next title
+ continue # skip lines, as we're in the block that we're auto-generating
+
+ skip = False
+ new_doc.append(line)
+
+ if line.startswith('## Existing MISP modules'):
+ skip = True
+ # generate the updated content
+ for _path, title in zip(module_types, titles):
+ new_doc.append(f'\n### {title}\n')
+ new_doc.extend(generate_index_doc(_path, root_path))
+ new_doc.append('\n\n')
+
+ with open(root_path / 'mkdocs' / 'index.md', 'w') as w:
+ w.write(''.join(new_doc))
+ pass
+
+
+def update_readme(root_path):
+ with open(root_path / 'README.md', 'r') as r:
+ old_readme = r.readlines()
+
+ new_doc = []
+ skip = False
+ for line in old_readme:
+ if skip and not line.startswith('# Existing MISP modules') and not line.startswith('# How to add your own MISP modules?') and not line.startswith('# Installation'): # find next title
+ continue # skip lines, as we're in the block that we're auto-generating
+
+ new_doc.append(line)
+
+ if line.startswith('# Existing MISP modules'):
+ skip = True
+ # generate the updated content
+ for _path, title in zip(module_types, titles):
+ new_doc.append(f'\n## {title}\n')
+ new_doc.extend(generate_index_doc(_path, root_path))
+ new_doc.append('\n\n')
+
+ elif line.startswith('# How to add your own MISP modules?'):
+ skip = True
+ # copy over the contribute.md file
+ with open(root_path / 'documentation' / 'mkdocs' / 'contribute.md', 'r') as f:
+ f.readline() # skip the title
+ new_doc.extend(f.readlines())
+
+ elif line.startswith('# Installation'):
+ skip = True
+ new_doc.append('\n')
+ # copy over the install.md file
+ with open(root_path / 'documentation' / 'mkdocs' / 'install.md', 'r') as f:
+ new_doc.extend(f.readlines())
+ new_doc.append('\n')
+
+ with open(root_path / 'README.md', 'w') as w:
+ w.write(''.join(new_doc))
+ pass
+
+
if __name__ == '__main__':
root_path = Path(__file__).resolve().parent
- write_doc(root_path)
+
+ write_doc_for_readme(root_path)
write_docs_for_mkdocs(root_path)
+ update_docs_for_mkdocs_index(root_path)
+ update_readme(root_path.parent)
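Review bot: In update_readme the `skip` flag is set to True at each of the three recognised headings but never reset, so once the loop has passed `# Existing MISP modules` every original README line that does not start with one of the three exact titles is discarded; if the README has (or later gains) any other top-level section after that point, it is silently dropped from the rewritten file, unlike update_docs_for_mkdocs_index which resets on any `## ` heading. Mirroring that logic fixes it: `if skip and not line.startswith('# '): continue` followed by `skip = False` before `new_doc.append(line)`, leaving the three `startswith` checks to the `if`/`elif` chain below (`'## '` does not match `'# '`, so sub-headings are still skipped). The trailing `pass` statements at the end of both functions are dead and should be removed.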
diff --git a/documentation/migrate_web_json_to_module.py b/documentation/migrate_web_json_to_module.py
new file mode 100644
index 00000000..66616fb4
--- /dev/null
+++ b/documentation/migrate_web_json_to_module.py
@@ -0,0 +1,95 @@
+import json
+import re
+from pathlib import Path
+import os
+
+module_types = ['expansion', 'export_mod', 'import_mod']
+
+moduleinfo_template = {
+ 'version': '1.0',
+ 'author': '',
+ 'module-type': [],
+ 'description': '',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': ''
+}
+
+if __name__ == '__main__':
+ exit("This code was temporary and should not be run again. It was used to migrate the JSON documentation to the module files.")
+ root_path = Path(__file__).resolve().parent.parent
+ modules_path = root_path / 'misp_modules' / 'modules'
+
+ for module_type in module_types:
+ files = sorted(os.listdir(modules_path / module_type))
+ for python_filename in files:
+ if not python_filename.endswith('.py') or '__init__' in python_filename:
+ continue
+ modulename = python_filename.split('.py')[0]
+ json_filename = root_path / 'documentation' / 'website' / module_type / f'{modulename}.json'
+ print(f"Processing type {module_type}:{modulename} in {python_filename} and {json_filename}")
+ json_exists = json_filename.exists()
+ if json_exists:
+ print(" Found JSON file")
+ with open(json_filename, 'rt') as f:
+ json_content = json.loads(f.read())
+ else:
+ json_content = {}
+ # if json does not exist, then still edit the python file and add the stub structure
+ with open(modules_path / module_type / python_filename, 'r+t') as python_f:
+ # read from python file, find moduleinfo and load it as python variable
+ python_content = python_f.read()
+ re_pattern = r'moduleinfo\s=\s{[^}]*}'
+ m = re.search(re_pattern, python_content, re.MULTILINE | re.DOTALL)
+ if not m:
+ print(f" Moduleinfo not found in {python_filename}")
+ continue
+ s = m.group(0)
+ moduleinfo = {}
+ exec(s) # we now have a moduleinfo dict
+ print(f" Moduleinfo found in {python_filename}: {moduleinfo}")
+ # populate from template
+ for k, v in moduleinfo_template.items():
+ if k not in moduleinfo or moduleinfo.get(k) == '' or moduleinfo.get(k) == []:
+ # print(f" Adding {k} = {v} to {python_filename}")
+ moduleinfo[k] = v
+ # populate from json
+ for k, v in json_content.items():
+ if k not in moduleinfo or moduleinfo.get(k) == '' or moduleinfo.get(k) == []:
+ # print(f" Adding {k} = {v} to {python_filename}")
+ moduleinfo[k] = v
+ if json_content and json_content.get('description') != moduleinfo.get('description'):
+ print(" WARNING: Description in JSON and Python file do not match:")
+ print("")
+ print(f" JSON: {json_content.get('description')}")
+ print("")
+ print(f" Python: {moduleinfo.get('description')}")
+ print("")
+ user_input = input("Which version do you want to use? Enter '[j]son' for JSON version or '[p]ython' for Python version, or any other text for a new description: ")
+
+ if user_input in ['json', 'j', 'JSON']:
+ moduleinfo['description'] = json_content['description']
+ elif user_input in ['python', 'p', 'PYTHON']:
+ pass
+ else:
+ moduleinfo['description'] = user_input.strip()
+
+ # write back to python file
+ new_moduleinfo_text = ['moduleinfo = {']
+ for k, v in moduleinfo.items():
+ new_moduleinfo_text.append(f" '{k}': {repr(v).replace('\\', '\\\\')},")
+ new_moduleinfo_text.append('}')
+
+ python_content_new, cnt = re.subn(re_pattern, '\n'.join(new_moduleinfo_text), python_content, re.MULTILINE | re.DOTALL)
+ if cnt == 0:
+ print(f" WARNING: Moduleinfo not replaced in {python_filename}")
+ continue
+ python_f.seek(0)
+ python_f.write(python_content_new)
+ python_f.truncate() # remove the rest of the file
+ pass
+
+ pass
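Review bot: `re.subn(re_pattern, ..., python_content, re.MULTILINE | re.DOTALL)` passes the flags as re.subn's fourth positional parameter, which is `count`, not `flags`; the pattern happens not to depend on either flag, but the call should read `re.subn(re_pattern, repl, python_content, flags=re.MULTILINE | re.DOTALL)` (the earlier `re.search` call is correct, as its third positional parameter is `flags`). The f-string in `new_moduleinfo_text.append(f" '{k}': {repr(v).replace('\\', '\\\\')},")` contains backslashes inside the `{...}` expression, which is a SyntaxError on any Python before 3.12, so the file would fail to compile before ever reaching the `exit()` guard unless the project already requires 3.12; hoisting `escaped = repr(v).replace('\\', '\\\\')` onto its own line avoids that. When the captured `moduleinfo = {...}` text is a plain literal, `moduleinfo = ast.literal_eval(s[s.index('{'):])` parses it without handing source text to `exec`, and it would also fail loudly rather than silently on a nested dict, which the `[^}]*` pattern truncates at the first `}`. The `exit(...)` guard relies on the site-injected builtin; `sys.exit` is the portable form, and the two trailing `pass` statements are dead.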
diff --git a/documentation/mkdocs/action_mod.md b/documentation/mkdocs/action_mod.md
new file mode 100644
index 00000000..42fcf920
--- /dev/null
+++ b/documentation/mkdocs/action_mod.md
@@ -0,0 +1,30 @@
+
+#### [Mattermost](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/mattermost.py)
+
+Simplistic module to send message to a Mattermost channel.
+- **features**:
+>
+- **config**:
+>{'params': {'mattermost_hostname': {'type': 'string', 'description': 'The Mattermost domain or URL', 'value': 'example.mattermost.com'}, 'bot_access_token': {'type': 'string', 'description': 'Access token generated when you created the bot account'}, 'channel_id': {'type': 'string', 'description': 'The channel you added the bot to'}, 'message_template': {'type': 'large_string', 'description': 'The template to be used to generate the message to be posted', 'value': 'The **template** will be rendered using *Jinja2*!', 'jinja_supported': True}}, 'blocking': False, 'support_filters': True, 'expect_misp_core_format': False}
+
+-----
+
+#### [Slack](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/slack.py)
+
+Simplistic module to send messages to a Slack channel.
+- **features**:
+>
+- **config**:
+>{'params': {'slack_bot_token': {'type': 'string', 'description': 'The Slack bot token generated when you created the bot account'}, 'channel_id': {'type': 'string', 'description': 'The channel ID you want to post messages to'}, 'message_template': {'type': 'large_string', 'description': 'The template to be used to generate the message to be posted', 'value': 'The **template** will be rendered using *Jinja2*!', 'jinja_supported': True}}, 'blocking': False, 'support_filters': True, 'expect_misp_core_format': False}
+
+-----
+
+#### [Test action](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/testaction.py)
+
+This module is merely a test, always returning true. Triggers on event publishing.
+- **features**:
+>
+- **config**:
+>{'params': {'foo': {'type': 'string', 'description': 'blablabla', 'value': 'xyz'}, 'Data extraction path': {'type': 'hash_path', 'description': 'Only post content extracted from this path', 'value': 'Attribute.{n}.AttributeTag.{n}.Tag.name'}}, 'blocking': False, 'support_filters': False, 'expect_misp_core_format': False}
+
+-----
diff --git a/documentation/mkdocs/expansion.md b/documentation/mkdocs/expansion.md
index f3ae952f..c4d2b8e2 100644
--- a/documentation/mkdocs/expansion.md
+++ b/documentation/mkdocs/expansion.md
@@ -1,5 +1,17 @@
-#### [apiosintds](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py)
+#### [Abuse IPDB](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/abuseipdb.py)
+
+AbuseIPDB MISP expansion module
+- **features**:
+>
+- **config**:
+> - api_key
+> - max_age_in_days
+> - abuse_threshold
+
+-----
+
+#### [OSINT DigitalSide](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py)
On demand query API for OSINT.digitalside.it project.
- **features**:
@@ -8,6 +20,13 @@ On demand query API for OSINT.digitalside.it project.
>The result of the query is then parsed to extract additional hashes or urls. A module parameters also allows to parse the hashes related to the urls.
>
>Furthermore, it is possible to cache the urls and hashes collected over the last 7 days by OSINT.digitalside.it
+- **config**:
+> - STIX2_details
+> - import_related
+> - cache
+> - cache_directory
+> - cache_timeout_h
+> - local_directory
- **input**:
>A domain, ip, url or hash attribute.
- **output**:
@@ -19,7 +38,7 @@ On demand query API for OSINT.digitalside.it project.
-----
-#### [apivoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py)
+#### [APIVoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py)
@@ -28,6 +47,8 @@ Module to query APIVoid with some domain attributes.
>This module takes a domain name and queries API Void to get the related DNS records and the SSL certificates. It returns then those pieces of data as MISP objects that can be added to the event.
>
>To make it work, a valid API key and enough credits to proceed 2 queries (0.06 + 0.07 credits) are required.
+- **config**:
+>apikey
- **input**:
>A domain attribute.
- **output**:
@@ -39,7 +60,7 @@ Module to query APIVoid with some domain attributes.
-----
-#### [assemblyline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py)
+#### [AssemblyLine Query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py)
@@ -50,6 +71,12 @@ A module tu query the AssemblyLine API with a submission ID to get the submissio
>The submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.
>
>Some more data may be parsed in the future.
+- **config**:
+> - apiurl
+> - user_id
+> - apikey
+> - password
+> - verifyssl
- **input**:
>Link of an AssemblyLine submission report.
- **output**:
@@ -61,7 +88,7 @@ A module tu query the AssemblyLine API with a submission ID to get the submissio
-----
-#### [assemblyline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py)
+#### [AssemblyLine Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py)
@@ -70,6 +97,12 @@ A module to submit samples and URLs to AssemblyLine for advanced analysis, and r
>The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.
>
>If the sample or url is correctly submitted, you get then the link of the submission.
+- **config**:
+> - apiurl
+> - user_id
+> - apikey
+> - password
+> - verifyssl
- **input**:
>Sample, or url to submit to AssemblyLine.
- **output**:
@@ -81,13 +114,15 @@ A module to submit samples and URLs to AssemblyLine for advanced analysis, and r
-----
-#### [backscatter_io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py)
+#### [Backscatter.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py)
-Query backscatter.io (https://backscatter.io/).
+Backscatter.io module to bring mass-scanning observations into MISP.
- **features**:
>The module takes a source or destination IP address as input and displays the information known by backscatter.io.
+- **config**:
+>api_key
- **input**:
>IP addresses.
- **output**:
@@ -99,9 +134,9 @@ Query backscatter.io (https://backscatter.io/).
-----
-#### [bgpranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py)
+#### [BGP Ranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py)
-Query BGP Ranking (https://bgpranking-ng.circl.lu/).
+Query BGP Ranking to get the ranking of an Autonomous System number.
- **features**:
>The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.
- **input**:
@@ -115,7 +150,7 @@ Query BGP Ranking (https://bgpranking-ng.circl.lu/).
-----
-#### [btc_scam_check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py)
+#### [BTC Scam Check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py)
@@ -133,11 +168,13 @@ An expansion hover module to query a special dns blacklist to check if a bitcoin
-----
-#### [btc_steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py)
+#### [BTC Steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py)
An expansion hover module to get a blockchain balance from a BTC address in MISP.
+- **features**:
+>
- **input**:
>btc address attribute.
- **output**:
@@ -145,11 +182,14 @@ An expansion hover module to get a blockchain balance from a BTC address in MISP
-----
-#### [censys_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py)
+#### [Censys Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py)
An expansion module to enrich attributes in MISP by quering the censys.io API
- **features**:
>This module takes an IP, hostname or a certificate fingerprint and attempts to enrich it by querying the Censys API.
+- **config**:
+> - api_id
+> - api_secret
- **input**:
>IP, domain or certificate fingerprint (md5, sha1 or sha256)
- **output**:
@@ -161,7 +201,7 @@ An expansion module to enrich attributes in MISP by quering the censys.io API
-----
-#### [circl_passivedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py)
+#### [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py)
@@ -170,6 +210,9 @@ Module to access CIRCL Passive DNS.
>This module takes a hostname, domain or ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive DNS REST API to get the asssociated passive dns entries and return them as MISP objects.
>
>To make it work a username and a password are thus required to authenticate to the CIRCL Passive DNS API.
+- **config**:
+> - username
+> - password
- **input**:
>Hostname, domain, or ip-address attribute.
- **ouput**:
@@ -183,7 +226,7 @@ Module to access CIRCL Passive DNS.
-----
-#### [circl_passivessl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py)
+#### [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py)
@@ -192,6 +235,9 @@ Modules to access CIRCL Passive SSL.
>This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive SSL REST API to gather the related certificates and return the corresponding MISP objects.
>
>To make it work a username and a password are required to authenticate to the CIRCL Passive SSL API.
+- **config**:
+> - username
+> - password
- **input**:
>IP address attribute.
- **output**:
@@ -204,7 +250,17 @@ Modules to access CIRCL Passive SSL.
-----
-#### [cluster25_expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cluster25_expand.py)
+#### [ClaamAV](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/clamav.py)
+
+Submit file to ClamAV
+- **features**:
+>
+- **config**:
+>connection
+
+-----
+
+#### [Cluster25 Expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cluster25_expand.py)
@@ -212,6 +268,10 @@ Module to query Cluster25 CTI.
- **features**:
>This module takes a MISP attribute value as input to query the Cluster25CTI API. The result is then mapped into compatible MISP Objects and relative attributes.
>
+- **config**:
+> - api_id
+> - apikey
+> - base_url
- **input**:
>An Indicator value of type included in the following list:
>- domain
@@ -237,7 +297,7 @@ Module to query Cluster25 CTI.
-----
-#### [countrycode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py)
+#### [Country Code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py)
Module to expand country codes.
- **features**:
@@ -251,7 +311,7 @@ Module to expand country codes.
-----
-#### [cpe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py)
+#### [CPE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py)
@@ -263,6 +323,9 @@ An expansion module to query the CVE search API with a cpe code to get its relat
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.
>
>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one.
+- **config**:
+> - custom_API_URL
+> - limit
- **input**:
>CPE attribute.
- **output**:
@@ -272,13 +335,15 @@ An expansion module to query the CVE search API with a cpe code to get its relat
-----
-#### [crowdsec](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py)
+#### [CrowdSec CTI](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py)
Hover module to lookup an IP in CrowdSec's CTI
- **features**:
>This module enables IP lookup from CrowdSec CTI API. It provides information about the IP, such as what kind of attacks it has been participant of as seen by CrowdSec's network. It also includes enrichment by CrowdSec like background noise score, aggressivity over time etc.
+- **config**:
+>api_key
- **input**:
>An IP address.
- **output**:
@@ -292,15 +357,18 @@ Hover module to lookup an IP in CrowdSec's CTI
-----
-#### [crowdstrike_falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py)
+#### [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py)
-Module to query Crowdstrike Falcon.
+Module to query CrowdStrike Falcon.
- **features**:
>This module takes a MISP attribute as input to query a CrowdStrike Falcon API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.
>
>Please note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported.
+- **config**:
+> - api_id
+> - apikey
- **input**:
>A MISP attribute included in the following list:
>- domain
@@ -346,14 +414,17 @@ Module to query Crowdstrike Falcon.
-----
-#### [cuckoo_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py)
+#### [Cuckoo Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py)
-An expansion module to submit files and URLs to Cuckoo Sandbox.
+Submit files and URLs to Cuckoo Sandbox
- **features**:
>The module takes a malware-sample, attachment, url or domain and submits it to Cuckoo Sandbox.
> The returned task id can be used to retrieve results when the analysis completed.
+- **config**:
+> - api_url
+> - api_key
- **input**:
>A malware-sample or attachment for files. A url or domain for URLs.
- **output**:
@@ -366,13 +437,15 @@ An expansion module to submit files and URLs to Cuckoo Sandbox.
-----
-#### [cve](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py)
+#### [CVE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py)
An expansion hover module to expand information about CVE id.
- **features**:
>The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs.
+- **config**:
+>custom_API
- **input**:
>Vulnerability attribute.
- **output**:
@@ -383,7 +456,7 @@ An expansion hover module to expand information about CVE id.
-----
-#### [cve_advanced](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py)
+#### [CVE Advanced Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py)
@@ -394,6 +467,8 @@ An expansion module to query the CIRCL CVE search API for more information about
>The result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.
>
>The vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects.
+- **config**:
+>custom_API
- **input**:
>Vulnerability attribute.
- **output**:
@@ -404,13 +479,28 @@ An expansion module to query the CIRCL CVE search API for more information about
-----
-#### [cytomic_orion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py)
+#### [Cytomic Orion Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py)
An expansion module to enrich attributes in MISP by quering the Cytomic Orion API
- **features**:
>This module takes an MD5 hash and searches for occurrences of this hash in the Cytomic Orion database. Returns observed files and machines.
+- **config**:
+> - api_url
+> - token_url
+> - clientid
+> - clientsecret
+> - clientsecret
+> - username
+> - password
+> - upload_timeframe
+> - upload_tag
+> - delete_tag
+> - upload_ttlDays
+> - upload_threat_level_id
+> - limit_upload_events
+> - limit_upload_attributes
- **input**:
>MD5, hash of the sample / malware to search for.
- **output**:
@@ -423,11 +513,11 @@ An expansion module to enrich attributes in MISP by quering the Cytomic Orion AP
-----
-#### [dbl_spamhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py)
+#### [DBL Spamhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py)
-Module to check Spamhaus DBL for a domain name.
+Checks Spamhaus DBL for a domain name.
- **features**:
>This modules takes a domain or a hostname in input and queries the Domain Block List provided by Spamhaus to determine what kind of domain it is.
>
@@ -445,15 +535,17 @@ Module to check Spamhaus DBL for a domain name.
-----
-#### [dns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py)
+#### [DNS Resolver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py)
-A simple DNS expansion service to resolve IP address from domain MISP attributes.
+jj
- **features**:
>The module takes a domain of hostname attribute as input, and tries to resolve it. If no error is encountered, the IP address that resolves the domain is returned, otherwise the origin of the error is displayed.
>
>The address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).
>
>Please note that composite MISP attributes containing domain or hostname are supported as well.
+- **config**:
+>nameserver
- **input**:
>Domain or hostname attribute.
- **output**:
@@ -463,7 +555,7 @@ A simple DNS expansion service to resolve IP address from domain MISP attributes
-----
-#### [docx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py)
+#### [DOCX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py)
@@ -479,7 +571,7 @@ Module to extract freetext from a .docx document.
-----
-#### [domaintools](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py)
+#### [DomainTools Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py)
@@ -488,6 +580,9 @@ DomainTools MISP expansion module.
>This module takes a MISP attribute as input to query the Domaintools API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.
>
>Please note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported.
+- **config**:
+> - username
+> - api_key
- **input**:
>A MISP attribute included in the following list:
>- domain
@@ -517,7 +612,7 @@ DomainTools MISP expansion module.
-----
-#### [eql](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py)
+#### [EQL Query Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py)
@@ -533,7 +628,7 @@ EQL query generation for a MISP attribute.
-----
-#### [eupi](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py)
+#### [EUPI Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py)
@@ -542,6 +637,9 @@ A module to query the Phishing Initiative service (https://phishing-initiative.l
>This module takes a domain, hostname or url MISP attribute as input to query the Phishing Initiative API. The API returns then the result of the query with some information about the value queried.
>
>Please note that composite attributes containing domain or hostname are also supported.
+- **config**:
+> - apikey
+> - url
- **input**:
>A domain, hostname or url MISP attribute.
- **output**:
@@ -554,7 +652,15 @@ A module to query the Phishing Initiative service (https://phishing-initiative.l
-----
-#### [farsight_passivedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py)
+#### [URL Components Extractor](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/extract_url_components.py)
+
+Extract URL components
+- **features**:
+>
+
+-----
+
+#### [Farsight DNSDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py)
@@ -566,6 +672,11 @@ Module to access Farsight DNSDB Passive DNS.
>An API key is required to submit queries to the API.
> It is also possible to define a custom server URL, and to set a limit of results to get.
> This limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit).
+- **config**:
+> - apikey
+> - server
+> - limit
+> - flex_queries
- **input**:
>A domain, hostname or IP address MISP attribute.
- **output**:
@@ -578,13 +689,17 @@ Module to access Farsight DNSDB Passive DNS.
-----
-#### [geoip_asn](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py)
+#### [GeoIP ASN Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py)
-- **descrption**:
->An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.
+
+Query a local copy of the Maxmind Geolite ASN database (MMDB format)
- **features**:
>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number.
+- **config**:
+>local_geolite_db
+- **descrption**:
+>An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.
- **input**:
>An IP address MISP attribute.
- **output**:
@@ -596,13 +711,15 @@ Module to access Farsight DNSDB Passive DNS.
-----
-#### [geoip_city](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py)
+#### [GeoIP City Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py)
An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.
- **features**:
>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located.
+- **config**:
+>local_geolite_db
- **input**:
>An IP address MISP attribute.
- **output**:
@@ -614,15 +731,17 @@ An expansion module to query a local copy of Maxmind's Geolite database with an
-----
-#### [geoip_country](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py)
+#### [GeoIP Country Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py)
-Module to query a local copy of Maxmind's Geolite database.
+Query a local copy of Maxminds Geolite database, updated for MMDB format
- **features**:
>This module takes an IP address MISP attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the location of this IP address.
>
>Please note that composite attributes domain|ip are also supported.
+- **config**:
+>local_geolite_db
- **input**:
>An IP address MISP Attribute.
- **output**:
@@ -634,11 +753,21 @@ Module to query a local copy of Maxmind's Geolite database.
-----
-#### [google_search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py)
+#### [Google Safe Browsing Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_safe_browsing.py)
+
+Google safe browsing expansion module
+- **features**:
+>
+- **config**:
+>api_key
+
+-----
+
+#### [Google Search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py)
-- **descrption**:
->A hover module to get information about an url using a Google search.
+
+An expansion hover module to expand google search information about an URL
- **features**:
>The module takes an url as input to query the Google search API. The result of the query is then return as raw text.
- **input**:
@@ -652,7 +781,7 @@ Module to query a local copy of Maxmind's Geolite database.
-----
-#### [google_threat_intelligence](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py)
+#### [Google Threat Intelligence Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py)
@@ -661,6 +790,13 @@ An expansion module to have the observable's threat score assessed by Google Thr
>GTI assessment for the given observable, this include information about level of severity, a clear verdict (malicious, suspicious, undetected and benign) and additional information provided by the Mandiant expertise combined with the VirusTotal database.
>
>[Output example screeshot](https://github.com/MISP/MISP/assets/4747608/e275db2f-bb1e-4413-8cc0-ec3cb05e0414)
+- **config**:
+> - apikey
+> - event_limit
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.
- **output**:
@@ -673,13 +809,16 @@ An expansion module to have the observable's threat score assessed by Google Thr
-----
-#### [greynoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py)
+#### [GreyNoise Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py)
Module to query IP and CVE information from GreyNoise
- **features**:
>This module supports: 1) Query an IP from GreyNoise to see if it is internet background noise or a common business service 2) Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days.
+- **config**:
+> - api_key
+> - api_type
- **input**:
>An IP address or CVE ID
- **output**:
@@ -693,7 +832,7 @@ Module to query IP and CVE information from GreyNoise
-----
-#### [hashdd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py)
+#### [Hashdd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py)
A hover module to check hashes against hashdd.com including NSLR dataset.
- **features**:
@@ -707,7 +846,7 @@ A hover module to check hashes against hashdd.com including NSLR dataset.
-----
-#### [hashlookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py)
+#### [CIRCL Hashlookup Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py)
@@ -717,6 +856,8 @@ An expansion module to query the CIRCL hashlookup services to find it if a hash
> It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required.
> The module can be used an hover module but also an expansion model to add related MISP objects.
>
+- **config**:
+>custom_API
- **input**:
>File hashes (MD5, SHA1)
- **output**:
@@ -726,13 +867,15 @@ An expansion module to query the CIRCL hashlookup services to find it if a hash
-----
-#### [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py)
+#### [Have I Been Pwned Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py)
Module to access haveibeenpwned.com API.
- **features**:
>The module takes an email address as input and queries haveibeenpwned.com API to find additional information about it. This additional information actually tells if any account using the email address has already been compromised in a data breach.
+- **config**:
+>api_key
- **input**:
>An email address
- **output**:
@@ -742,7 +885,7 @@ Module to access haveibeenpwned.com API.
-----
-#### [html_to_markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py)
+#### [HTML to Markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py)
Expansion module to fetch the html content from an url and convert it into markdown.
- **features**:
@@ -756,7 +899,7 @@ Expansion module to fetch the html content from an url and convert it into markd
-----
-#### [hyasinsight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py)
+#### [HYAS Insight Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py)
@@ -767,6 +910,8 @@ HYAS Insight integration to MISP provides direct, high volume access to HYAS Ins
>
>An API key is required to submit queries to the HYAS Insight API.
>
+- **config**:
+>apikey
- **input**:
>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)
- **output**:
@@ -778,13 +923,18 @@ HYAS Insight integration to MISP provides direct, high volume access to HYAS Ins
-----
-#### [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py)
+#### [Intel471 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py)
-- **descrption**:
->An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.
+
+Module to access Intel 471
- **features**:
>The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it.
+- **config**:
+> - email
+> - authkey
+- **descrption**:
+>An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.
- **input**:
>A MISP attribute whose type is included in the following list:
>- hostname
@@ -809,29 +959,7 @@ HYAS Insight integration to MISP provides direct, high volume access to HYAS Ins
-----
-#### [intelmq_eventdb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intelmq_eventdb.py)
-
-
-
-Module to access intelmqs eventdb.
-- **features**:
->/!\ EXPERIMENTAL MODULE, some features may not work /!\
->
->This module takes a domain, hostname, IP address or Autonomous system MISP attribute as input to query the IntelMQ database. The result of the query gives then additional information about the input.
-- **input**:
->A hostname, domain, IP address or AS attribute.
-- **output**:
->Text giving information about the input using IntelMQ database.
-- **references**:
-> - https://github.com/certtools/intelmq
-> - https://intelmq.readthedocs.io/en/latest/Developers-Guide/
-- **requirements**:
-> - psycopg2: Python library to support PostgreSQL
-> - An access to the IntelMQ database (username, password, hostname and database reference)
-
------
-
-#### [ip2locationio](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py)
+#### [IP2Location.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py)
@@ -842,6 +970,8 @@ An expansion module to query IP2Location.io to gather more information on a give
> Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan.
>
>More information on the responses content is available in the [documentation](https://www.ip2location.io/ip2location-documentation).
+- **config**:
+>key
- **input**:
>IP address attribute.
- **output**:
@@ -853,7 +983,7 @@ An expansion module to query IP2Location.io to gather more information on a give
-----
-#### [ipasn](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py)
+#### [IPASN-History Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py)
Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).
- **features**:
@@ -869,7 +999,7 @@ Module to query an IP ASN history service (https://github.com/D4-project/IPASN-H
-----
-#### [ipinfo](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py)
+#### [IPInfo.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py)
@@ -883,6 +1013,8 @@ An expansion module to query ipinfo.io to gather more information on a given IP
>- With a paid subscription, the AS information is returned in the `asn` field with additional AS information, and depending on which plan the user has, you can also get information on the privacy method used to protect the IP address, the related domains, or the point of contact related to the IP address in case of an abuse.
>
>More information on the responses content is available in the [documentation](https://ipinfo.io/developers).
+- **config**:
+>token
- **input**:
>IP address attribute.
- **output**:
@@ -894,7 +1026,7 @@ An expansion module to query ipinfo.io to gather more information on a given IP
-----
-#### [ipqs_fraud_and_risk_scoring](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py)
+#### [IPQualityScore Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py)
@@ -903,6 +1035,8 @@ IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone
>This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API.
> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object.
> The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore.
+- **config**:
+>apikey
- **input**:
>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone).
- **output**:
@@ -914,11 +1048,13 @@ IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone
-----
-#### [iprep](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py)
+#### [IPRep Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py)
Module to query IPRep data for IP addresses.
- **features**:
>This module takes an IP address attribute as input and queries the database from packetmail.net to get some information about the reputation of the IP.
+- **config**:
+>apikey
- **input**:
>An IP address MISP attribute.
- **output**:
@@ -930,13 +1066,19 @@ Module to query IPRep data for IP addresses.
-----
-#### [joesandbox_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py)
+#### [Ninja Template Rendering](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/jinja_template_rendering.py)
+
+Render the template with the data passed
+- **features**:
+>
+
+-----
+
+#### [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py)
Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.
-
-This url can by the way come from the result of the [joesandbox_submit expansion module](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py).
- **features**:
>Module using the new format of modules able to return attributes and objects.
>
@@ -945,6 +1087,11 @@ This url can by the way come from the result of the [joesandbox_submit expansion
>Even if the introspection will allow all kinds of links to call this module, obviously only the ones presenting a sample or url submission in the Joe Sandbox API will return results.
>
>To make it work you will need to fill the 'apikey' configuration with your Joe Sandbox API key and provide a valid link as input.
+- **config**:
+> - apiurl
+> - apikey
+> - import_executable
+> - import_mitre_attack
- **input**:
>Link of a Joe Sandbox sample or url submission.
- **output**:
@@ -957,7 +1104,7 @@ This url can by the way come from the result of the [joesandbox_submit expansion
-----
-#### [joesandbox_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py)
+#### [Joe Sandbox Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py)
@@ -966,6 +1113,12 @@ A module to submit files or URLs to Joe Sandbox for an advanced analysis, and re
>The module requires a Joe Sandbox API key to submit files or URL, and returns the link of the submitted analysis.
>
>It is then possible, when the analysis is completed, to query the Joe Sandbox API to get the data related to the analysis, using the [joesandbox_query module](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) directly on this submission link.
+- **config**:
+> - apiurl
+> - apikey
+> - accept-tac
+> - report-cache
+> - systems
- **input**:
>Sample, url (or domain) to submit to Joe Sandbox for an advanced analysis.
- **output**:
@@ -978,18 +1131,21 @@ A module to submit files or URLs to Joe Sandbox for an advanced analysis, and re
-----
-#### [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py)
+#### [Lastline Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py)
Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
Query Lastline with an analysis link and parse the report into MISP attributes and objects.
-The analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) expansion module.
- **features**:
>The module requires a Lastline Portal `username` and `password`.
>The module uses the new format and it is able to return MISP attributes and objects.
>The module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) import module.
+- **config**:
+> - username
+> - password
+> - verify_ssl
- **input**:
>Link to a Lastline analysis.
- **output**:
@@ -999,7 +1155,7 @@ The analysis link can also be retrieved from the output of the [lastline_submit]
-----
-#### [lastline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py)
+#### [Lastline Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py)
@@ -1009,6 +1165,10 @@ Module to submit a file or URL to Lastline.
- **features**:
>The module requires a Lastline Analysis `api_token` and `key`.
>When the analysis is completed, it is possible to import the generated report by feeding the analysis link to the [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) module.
+- **config**:
+> - url
+> - api_token
+> - key
- **input**:
>File or URL to submit to Lastline.
- **output**:
@@ -1018,7 +1178,7 @@ Module to submit a file or URL to Lastline.
-----
-#### [macaddress_io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py)
+#### [Macaddress.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py)
@@ -1030,6 +1190,8 @@ MISP hover module for macaddress.io
>- MAC address details
>- Vendor details
>- Block details
+- **config**:
+>api_key
- **input**:
>MAC address MISP attribute.
- **output**:
@@ -1043,13 +1205,15 @@ MISP hover module for macaddress.io
-----
-#### [macvendors](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py)
+#### [Macvendors Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py)
Module to access Macvendors API.
- **features**:
>The module takes a MAC address as input and queries macvendors.com for some information about it. The API returns the name of the vendor related to the address.
+- **config**:
+>user-agent
- **input**:
>A MAC address.
- **output**:
@@ -1060,9 +1224,9 @@ Module to access Macvendors API.
-----
-#### [malwarebazaar](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py)
+#### [Malware Bazaar Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py)
-Query the MALWAREbazaar API to get additional information about the input hash attribute.
+Query Malware Bazaar to get additional information about the input hash.
- **features**:
>The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.
>
@@ -1076,7 +1240,19 @@ Query the MALWAREbazaar API to get additional information about the input hash a
-----
-#### [mmdb_lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py)
+#### [McAfee MVISION Insights Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mcafee_insights_enrich.py)
+
+Lookup McAfee MVISION Insights Details
+- **features**:
+>
+- **config**:
+> - api_key
+> - client_id
+> - client_secret
+
+-----
+
+#### [GeoIP Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py)
@@ -1085,6 +1261,9 @@ A hover and expansion module to enrich an ip with geolocation and ASN informatio
>The module takes an IP address related attribute as input.
> It queries the public CIRCL.lu mmdb-server instance, available at ip.circl.lu, by default. The module can be configured with a custom mmdb server url if required.
> It is also possible to filter results on 1 db_source by configuring db_source_filter.
+- **config**:
+> - custom_API
+> - db_source_filter
- **input**:
>An IP address attribute (for example ip-src or ip-src|port).
- **output**:
@@ -1095,11 +1274,18 @@ A hover and expansion module to enrich an ip with geolocation and ASN informatio
-----
-#### [mwdb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py)
+#### [MWDB Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py)
Module to push malware samples to a MWDB instance
- **features**:
>An expansion module to push malware samples to a MWDB (https://github.com/CERT-Polska/mwdb-core) instance. This module does not push samples to a sandbox. This can be achieved via Karton (connected to the MWDB). Does: * Upload of attachment or malware sample to MWDB * Tags of events and/or attributes are added to MWDB. * Comment of the MISP attribute is added to MWDB. * A link back to the MISP event is added to MWDB via the MWDB attribute. * A link to the MWDB attribute is added as an enrichted attribute to the MISP event.
+- **config**:
+> - mwdb_apikey
+> - mwdb_url
+> - mwdb_misp_attribute
+> - mwdb_public
+> - include_tags_event
+> - include_tags_attribute
- **input**:
>Attachment or malware sample
- **output**:
@@ -1109,7 +1295,7 @@ Module to push malware samples to a MWDB instance
-----
-#### [ocr_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py)
+#### [OCR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py)
Module to process some optical character recognition on pictures.
- **features**:
@@ -1123,7 +1309,7 @@ Module to process some optical character recognition on pictures.
-----
-#### [ods_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py)
+#### [ODS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py)
@@ -1140,7 +1326,7 @@ Module to extract freetext from a .ods document.
-----
-#### [odt_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py)
+#### [ODT Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py)
@@ -1156,13 +1342,15 @@ Module to extract freetext from a .odt document.
-----
-#### [onyphe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py)
+#### [Onyphe Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py)
Module to process a query on Onyphe.
- **features**:
>This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.
+- **config**:
+>apikey
- **input**:
>A domain, hostname or IP address MISP attribute.
- **output**:
@@ -1176,7 +1364,7 @@ Module to process a query on Onyphe.
-----
-#### [onyphe_full](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py)
+#### [Onyphe Full Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py)
@@ -1185,6 +1373,8 @@ Module to process a full query on Onyphe.
>This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.
>
>The parsing is here more advanced than the one on onyphe module, and is returning more attributes, since more fields of the query result are watched and parsed.
+- **config**:
+>apikey
- **input**:
>A domain, hostname or IP address MISP attribute.
- **output**:
@@ -1198,13 +1388,15 @@ Module to process a full query on Onyphe.
-----
-#### [otx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py)
+#### [AlienVault OTX Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py)
Module to get information from AlienVault OTX.
- **features**:
>This module takes a MISP attribute as input to query the OTX Alienvault API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.
+- **config**:
+>apikey
- **input**:
>A MISP attribute included in the following list:
>- hostname
@@ -1233,32 +1425,28 @@ Module to get information from AlienVault OTX.
-----
-#### [passivessh](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivessh.py)
+#### [Passive SSH Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passive_ssh.py)
-
-
-An expansion module to query the CIRCL Passive SSH.
+An expansion module to enrich, SSH key fingerprints and IP addresses with information collected by passive-ssh
- **features**:
->The module queries the Passive SSH service from CIRCL.
->
-> The module can be used an hover module but also an expansion model to add related MISP objects.
>
-- **input**:
->IP addresses or SSH fingerprints
-- **output**:
->SSH key materials, complementary IP addresses with similar SSH key materials
-- **references**:
->https://github.com/D4-project/passive-ssh
+- **config**:
+> - custom_api_url
+> - api_user
+> - api_key
-----
-#### [passivetotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py)
+#### [PassiveTotal Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py)
-
+The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register
- **features**:
>The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register
+- **config**:
+> - username
+> - api_key
- **input**:
>A MISP attribute included in the following list:
>- hostname
@@ -1303,7 +1491,7 @@ An expansion module to query the CIRCL Passive SSH.
-----
-#### [pdf_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py)
+#### [PDF Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py)
@@ -1319,7 +1507,7 @@ Module to extract freetext from a PDF document.
-----
-#### [pptx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py)
+#### [PPTX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py)
@@ -1335,13 +1523,16 @@ Module to extract freetext from a .pptx document.
-----
-#### [qintel_qsentry](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py)
+#### [Qintel QSentry Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py)
A hover and expansion module which queries Qintel QSentry for ip reputation data
- **features**:
>This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the Qintel QSentry API to retrieve ip reputation data
+- **config**:
+> - token
+> - remote
- **input**:
>ip address attribute
- **ouput**:
@@ -1353,7 +1544,7 @@ A hover and expansion module which queries Qintel QSentry for ip reputation data
-----
-#### [qrcode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py)
+#### [QR Code Decode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py)
Module to decode QR codes.
- **features**:
@@ -1368,13 +1559,17 @@ Module to decode QR codes.
-----
-#### [ransomcoindb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py)
-- **descrption**:
->Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes.
+#### [RandomcoinDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py)
+
+Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
- **features**:
>The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data.
>
>If the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes.
+- **config**:
+>api-key
+- **descrption**:
+>Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes.
- **input**:
>A hash (md5, sha1 or sha256) or btc attribute.
- **output**:
@@ -1386,13 +1581,15 @@ Module to decode QR codes.
-----
-#### [rbl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py)
+#### [Real-time Blackhost Lists Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py)
Module to check an IPv4 address against known RBLs.
- **features**:
>This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.
>
>We display then all the information we get from those different sources.
+- **config**:
+>timeout
- **input**:
>IP address attribute.
- **output**:
@@ -1404,13 +1601,19 @@ Module to check an IPv4 address against known RBLs.
-----
-#### [recordedfuture](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py)
+#### [Recorded Future Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py)
Module to enrich attributes with threat intelligence from Recorded Future.
- **features**:
>Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes.
+- **config**:
+> - token
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness.
- **output**:
@@ -1422,7 +1625,7 @@ Module to enrich attributes with threat intelligence from Recorded Future.
-----
-#### [reversedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py)
+#### [Reverse DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py)
Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
- **features**:
@@ -1431,6 +1634,8 @@ Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes
>The address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).
>
>Please note that composite MISP attributes containing IP addresses are supported as well.
+- **config**:
+>nameserver
- **input**:
>An IP address attribute.
- **output**:
@@ -1440,7 +1645,7 @@ Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes
-----
-#### [securitytrails](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py)
+#### [SecurityTrails Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py)
@@ -1451,6 +1656,8 @@ An expansion modules for SecurityTrails.
>Multiple parsing operations are then processed on the result of the query to extract a much information as possible.
>
>From this data extracted are then mapped MISP attributes.
+- **config**:
+>apikey
- **input**:
>A domain, hostname or IP address attribute.
- **output**:
@@ -1474,13 +1681,15 @@ An expansion modules for SecurityTrails.
-----
-#### [shodan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py)
+#### [Shodan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py)
Module to query on Shodan.
- **features**:
>The module takes an IP address as input and queries the Shodan API to get some additional data about it.
+- **config**:
+>apikey
- **input**:
>An IP address MISP attribute.
- **output**:
@@ -1493,7 +1702,7 @@ Module to query on Shodan.
-----
-#### [sigma_queries](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py)
+#### [Sigma Rule Converter](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py)
@@ -1511,7 +1720,7 @@ An expansion hover module to display the result of sigma queries.
-----
-#### [sigma_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py)
+#### [Sigma Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py)
@@ -1532,25 +1741,15 @@ An expansion hover module to perform a syntax check on sigma rules.
-----
-#### [sigmf-expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigmf-expand.py)
+#### [SigMF Expansion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigmf_expand.py)
-Enrichs a SigMF Recording or extracts a SigMF Archive into a SigMF Recording.
+Expands a SigMF Recording object into a SigMF Expanded Recording object, extracts a SigMF archive into a SigMF Recording object.
- **features**:
->This module can be used to expand a SigMF Recording object into a SigMF Expanded Recording object with a waterfall plot or to extract a SigMF Archive object into a SigMF Recording objet.
-- **input**:
->Object of sigmf-archive or sigmf-recording template.
-- **output**:
->Object of sigmf-expanded-recording or sigmf-recording template.
-- **references**:
->https://github.com/sigmf/SigMF
-- **requirements**:
-> - matplotlib: For plotting the waterfall plot of the recording.
-> - numpy: For the waterfall plot of the recording.
-> - sigmf: For validating SigMF files.
+>
-----
-#### [socialscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py)
+#### [Socialscan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py)
A hover module to get information on the availability of an email address or username on some online platforms.
- **features**:
@@ -1566,13 +1765,16 @@ A hover module to get information on the availability of an email address or use
-----
-#### [sophoslabs_intelix](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py)
+#### [SophosLabs Intelix Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py)
An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.
- **features**:
>The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object.
+- **config**:
+> - client_id
+> - client_secret
- **input**:
>An ip address, url, domain or sha256 attribute.
- **output**:
@@ -1584,11 +1786,13 @@ An expansion module to query the Sophoslabs intelix API to get additional inform
-----
-#### [sourcecache](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py)
+#### [URL Archiver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py)
Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.
- **features**:
>This module takes a link or url attribute as input and caches the related web page. It returns then a link of the cached page.
+- **config**:
+>archivepath
- **input**:
>A link or url attribute.
- **output**:
@@ -1600,13 +1804,15 @@ Module to cache web pages of analysis reports, OSINT sources. The module returns
-----
-#### [stairwell](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py)
+#### [Stairwell Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py)
Module to query the Stairwell API to get additional information about the input hash attribute
- **features**:
>The module takes a hash attribute as input and queries Stariwell's API to fetch additional data about it. The result, if the payload is observed in Stariwell, is a file object describing the file the input hash is related to.
+- **config**:
+>apikey
- **input**:
>A hash attribute (md5, sha1, sha256).
- **output**:
@@ -1619,7 +1825,7 @@ Module to query the Stairwell API to get additional information about the input
-----
-#### [stix2_pattern_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py)
+#### [STIX2 Pattern Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py)
@@ -1639,7 +1845,7 @@ An expansion hover module to perform a syntax check on stix2 patterns.
-----
-#### [threatcrowd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py)
+#### [ThreatCrowd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py)
@@ -1676,7 +1882,15 @@ Module to get information from ThreatCrowd.
-----
-#### [threatminer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py)
+#### [ThreadFox Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatfox.py)
+
+Module to search for an IOC on ThreatFox by abuse.ch.
+- **features**:
+>
+
+-----
+
+#### [ThreatMiner Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py)
@@ -1716,7 +1930,7 @@ Module to get information from ThreatMiner.
-----
-#### [trustar_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py)
+#### [TruSTAR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py)
@@ -1725,6 +1939,10 @@ Module to get enrich indicators with TruSTAR.
>This module enriches MISP attributes with scoring and metadata from TruSTAR.
>
>The TruSTAR indicator summary is appended to the attributes along with links to any associated reports.
+- **config**:
+> - user_api_key
+> - user_api_secret
+> - enclave_ids
- **input**:
>Any of the following MISP attributes:
>- btc
@@ -1745,7 +1963,7 @@ Module to get enrich indicators with TruSTAR.
-----
-#### [urlhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py)
+#### [URLhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py)
@@ -1763,7 +1981,7 @@ Query of the URLhaus API to get additional information about the input attribute
-----
-#### [urlscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py)
+#### [URLScan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py)
@@ -1772,6 +1990,8 @@ An expansion module to query urlscan.io.
>This module takes a MISP attribute as input and queries urlscan.io with it.
>
>The result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute.
+- **config**:
+>apikey
- **input**:
>A domain, hostname or url attribute.
- **output**:
@@ -1783,7 +2003,7 @@ An expansion module to query urlscan.io.
-----
-#### [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py)
+#### [VARIoT db Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py)
@@ -1794,6 +2014,8 @@ An expansion module to query the VARIoT db API for more information about a vuln
>The `vuln` endpoint is queried first to look for additional information about the vulnerability itself.
>
>The `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template.
+- **config**:
+>API_key
- **input**:
>Vulnerability attribute.
- **output**:
@@ -1805,11 +2027,11 @@ An expansion module to query the VARIoT db API for more information about a vuln
-----
-#### [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py)
+#### [VirusTotal v3 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py)
-Module to get advanced information from virustotal.
+Enrich observables with the VirusTotal v3 API
- **features**:
>New format of modules able to return attributes and objects.
>
@@ -1818,6 +2040,13 @@ Module to get advanced information from virustotal.
>Compared to the [standard VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/virustotal_public.py), this module is made for advanced parsing of VirusTotal report, with a recursive analysis of the elements found after the first request.
>
>Thus, it requires a higher request rate limit to avoid the API to return a 204 error (Request rate limit exceeded), and the data parsed from the different requests are returned as MISP attributes and objects, with the corresponding relations between each one of them.
+- **config**:
+> - apikey
+> - event_limit
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.
- **output**:
@@ -1830,11 +2059,11 @@ Module to get advanced information from virustotal.
-----
-#### [virustotal_public](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py)
+#### [VirusTotal Public API Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py)
-Module to get information from VirusTotal.
+Enrich observables with the VirusTotal v3 public API
- **features**:
>New format of modules able to return attributes and objects.
>
@@ -1843,6 +2072,12 @@ Module to get information from VirusTotal.
>Compared to the [more advanced VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/virustotal.py), this module is made for VirusTotal users who have a low request rate limit.
>
>Thus, it only queries the API once and returns the results that is parsed into MISP attributes and objects.
+- **config**:
+> - apikey
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A domain, hostname, ip, url or hash (md5, sha1, sha256 or sha512) attribute.
- **output**:
@@ -1855,7 +2090,7 @@ Module to get information from VirusTotal.
-----
-#### [vmray_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py)
+#### [VMRay Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py)
@@ -1864,6 +2099,12 @@ Module to submit a sample to VMRay.
>This module takes an attachment or malware-sample attribute as input to query the VMRay API.
>
>The sample contained within the attribute in then enriched with data from VMRay mapped into MISP attributes.
+- **config**:
+> - apikey
+> - url
+> - shareable
+> - do_not_reanalyze
+> - do_not_include_vmrayjobids
- **input**:
>An attachment or malware-sample attribute.
- **output**:
@@ -1880,7 +2121,7 @@ Module to submit a sample to VMRay.
-----
-#### [vmware_nsx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py)
+#### [VMware NSX Defender Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py)
@@ -1889,6 +2130,15 @@ Module to enrich a file or URL with VMware NSX Defender.
>This module takes an IoC such as file hash, file attachment, malware-sample or url as input to query VMware NSX Defender.
>
>The IoC is then enriched with data from VMware NSX Defender.
+- **config**:
+> - analysis_url
+> - analysis_verify_ssl
+> - analysis_key
+> - analysis_api_token
+> - vt_key
+> - misp_url
+> - misp_verify_ssl
+> - misp_key
- **input**:
>File hash, attachment or URL to be enriched with VMware NSX Defender.
- **output**:
@@ -1900,7 +2150,7 @@ Module to enrich a file or URL with VMware NSX Defender.
-----
-#### [vulndb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py)
+#### [VulnDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py)
@@ -1909,6 +2159,15 @@ Module to query VulnDB (RiskBasedSecurity.com).
>This module takes a vulnerability attribute as input and queries VulnDB in order to get some additional data about it.
>
>The API gives the result of the query which can be displayed in the screen, and/or mapped into MISP attributes to add in the event.
+- **config**:
+> - apikey
+> - apisecret
+> - discard_dates
+> - discard_external_references
+> - discard_cvss
+> - discard_productinformation
+> - discard_classification
+> - discard_cpe
- **input**:
>A vulnerability attribute.
- **output**:
@@ -1920,7 +2179,15 @@ Module to query VulnDB (RiskBasedSecurity.com).
-----
-#### [vulners](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py)
+#### [Vulnerability Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py)
+
+An expansion module to query Vulnerability Lookup
+- **features**:
+>
+
+-----
+
+#### [Vulners Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py)
@@ -1929,6 +2196,8 @@ An expansion hover module to expand information about CVE id using Vulners API.
>This module takes a vulnerability attribute as input and queries the Vulners API in order to get some additional data about it.
>
>The API then returns details about the vulnerability.
+- **config**:
+>apikey
- **input**:
>A vulnerability attribute.
- **output**:
@@ -1941,13 +2210,20 @@ An expansion hover module to expand information about CVE id using Vulners API.
-----
-#### [vysion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py)
+#### [Vysion Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py)
Module to enrich the information by making use of the Vysion API.
- **features**:
>This module gets correlated information from Byron Labs' dark web intelligence database. With this you will get several objects containing information related to, for example, an organization victim of a ransomware attack.
+- **config**:
+> - apikey
+> - event_limit
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>company(target-org), country, info, BTC, XMR and DASH address.
- **output**:
@@ -1962,11 +2238,14 @@ Module to enrich the information by making use of the Vysion API.
-----
-#### [whois](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py)
+#### [Whois Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py)
Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
- **features**:
>This module takes a domain or IP address attribute as input and queries a 'Univseral Whois proxy server' to get the correct details of the Whois query on the input value (check the references for more details about this whois server).
+- **config**:
+> - server
+> - port
- **input**:
>A domain or IP address attribute.
- **output**:
@@ -1978,19 +2257,19 @@ Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
-----
-#### [whoisfreaks](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py)
+#### [WhoisFreaks Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py)
An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
-Our Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security.
-Explore our website's product section at https://whoisfreaks.com/ for a wide range of additional services catering to threat intelligence and attack surface analysis needs.
- **features**:
>The module takes a domain as input and queries the Whoisfreaks API with it.
>
>Some parsing operations are then processed on the result of the query to extract as much information as possible.
>
>After this we map the extracted data to MISP attributes.
+- **config**:
+>apikey
- **input**:
>A domain whose Data is required
- **output**:
@@ -2010,7 +2289,7 @@ Explore our website's product section at https://whoisfreaks.com/ for a wide ran
-----
-#### [wiki](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py)
+#### [Wikidata Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py)
@@ -2028,13 +2307,16 @@ An expansion hover module to extract information from Wikidata to have additiona
-----
-#### [xforceexchange](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py)
+#### [IBM X-Force Exchange Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py)
An expansion module for IBM X-Force Exchange.
- **features**:
>This module takes a MISP attribute as input to query the X-Force API. The API returns then additional information known in their threats data, that is mapped into MISP attributes.
+- **config**:
+> - apikey
+> - apipassword
- **input**:
>A MISP attribute included in the following list:
>- ip-src
@@ -2052,7 +2334,7 @@ An expansion module for IBM X-Force Exchange.
-----
-#### [xlsx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py)
+#### [XLXS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py)
@@ -2068,11 +2350,11 @@ Module to extract freetext from a .xlsx document.
-----
-#### [yara_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py)
+#### [YARA Rule Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py)
-An expansion & hover module to translate any hash attribute into a yara rule.
+jj
- **features**:
>The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module.
>Both hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules.
@@ -2083,12 +2365,14 @@ An expansion & hover module to translate any hash attribute into a yara rule.
- **references**:
> - https://virustotal.github.io/yara/
> - https://github.com/virustotal/yara-python
+- **require_standard_format**:
+>True
- **requirements**:
>yara-python python library
-----
-#### [yara_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py)
+#### [YARA Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py)
@@ -2106,13 +2390,16 @@ An expansion hover module to perform a syntax check on if yara rules are valid o
-----
-#### [yeti](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py)
+#### [Yeti Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py)
Module to process a query on Yeti.
- **features**:
>This module add context and links between observables using yeti
+- **config**:
+> - apikey
+> - url
- **input**:
>A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute.
- **output**:
diff --git a/documentation/mkdocs/export_mod.md b/documentation/mkdocs/export_mod.md
index ddebbefc..93591fc5 100644
--- a/documentation/mkdocs/export_mod.md
+++ b/documentation/mkdocs/export_mod.md
@@ -1,10 +1,15 @@
-#### [cef_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py)
+#### [CEF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py)
Module to export a MISP event in CEF format.
- **features**:
>The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format.
>Thus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data.
+- **config**:
+> - Default_Severity
+> - Device_Vendor
+> - Device_Product
+> - Device_Version
- **input**:
>MISP Event attributes
- **output**:
@@ -14,13 +19,19 @@ Module to export a MISP event in CEF format.
-----
-#### [cisco_firesight_manager_ACL_rule_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py)
+#### [Cisco fireSIGHT blockrule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py)
Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.
- **features**:
>The module goes through the attributes to find all the network activity ones in order to create block rules for the Cisco fireSIGHT manager.
+- **config**:
+> - fmc_ip_addr
+> - fmc_login
+> - fmc_pass
+> - domain_id
+> - acpolicy_id
- **input**:
>Network activity attributes (IPs, URLs).
- **output**:
@@ -30,13 +41,15 @@ Module to export malicious network activity attributes to Cisco fireSIGHT manage
-----
-#### [defender_endpoint_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py)
+#### [Microsoft Defender for Endpoint KQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py)
Defender for Endpoint KQL hunting query export module
- **features**:
>This module export an event as Defender for Endpoint KQL queries that can then be used in your own python3 or Powershell tool. If you are using Microsoft Sentinel, you can directly connect your MISP instance to Sentinel and then create queries using the `ThreatIntelligenceIndicator` table to match events against imported IOC.
+- **config**:
+>Period
- **input**:
>MISP Event attributes
- **output**:
@@ -46,7 +59,7 @@ Defender for Endpoint KQL hunting query export module
-----
-#### [goamlexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py)
+#### [GoAML Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py)
@@ -70,23 +83,29 @@ This module is used to export MISP events containing transaction objects into Go
> - 'entity': Entity owning the bank account - optional.
>- person:
> - 'address': Address of a person - optional.
+- **config**:
+>rentity_id
- **input**:
>MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.
- **output**:
>GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).
- **references**:
>http://goaml.unodc.org/
+- **require_standard_format**:
+>True
- **requirements**:
> - PyMISP
> - MISP objects
-----
-#### [liteexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py)
+#### [Lite Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py)
Lite export of a MISP event.
- **features**:
>This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty.
+- **config**:
+>indent_json_export
- **input**:
>MISP Event attributes
- **output**:
@@ -94,11 +113,11 @@ Lite export of a MISP event.
-----
-#### [mass_eql_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py)
+#### [EQL Query Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py)
-Mass EQL query export for a MISP event.
+Export MISP event in Event Query Language
- **features**:
>This module produces EQL queries for all relevant attributes in a MISP event.
- **input**:
@@ -110,13 +129,15 @@ Mass EQL query export for a MISP event.
-----
-#### [nexthinkexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py)
+#### [Nexthink NXQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py)
Nexthink NXQL query export module
- **features**:
>This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell
+- **config**:
+>Period
- **input**:
>MISP Event attributes
- **output**:
@@ -126,7 +147,7 @@ Nexthink NXQL query export module
-----
-#### [osqueryexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py)
+#### [OSQuery Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py)
@@ -140,7 +161,7 @@ OSQuery export of a MISP event.
-----
-#### [pdfexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py)
+#### [Event to PDF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py)
Simple export of a MISP event to PDF.
- **features**:
@@ -151,25 +172,29 @@ Simple export of a MISP event to PDF.
> 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !
> 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.
> 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option
+- **config**:
+> - MISP_base_url_for_dynamic_link
+> - MISP_name_for_metadata
+> - Activate_textual_description
+> - Activate_galaxy_description
+> - Activate_related_events
+> - Activate_internationalization_fonts
+> - Custom_fonts_path
- **input**:
>MISP Event
- **output**:
>MISP Event in a PDF file.
- **references**:
>https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html
+- **require_standard_format**:
+>True
- **requirements**:
> - PyMISP
> - reportlab
-----
-#### [testexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/testexport.py)
-
-Skeleton export module.
-
------
-
-#### [threatStream_misp_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py)
+#### [ThreatStream Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py)
@@ -188,7 +213,7 @@ Module to export a structured CSV file for uploading to threatStream.
-----
-#### [threat_connect_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py)
+#### [ThreadConnect Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py)
@@ -196,6 +221,8 @@ Module to export a structured CSV file for uploading to ThreatConnect.
- **features**:
>The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect.
>Users should then provide, as module configuration, the source of data they export, because it is required by the output format.
+- **config**:
+>Default_Source
- **input**:
>MISP Event attributes
- **output**:
@@ -207,13 +234,19 @@ Module to export a structured CSV file for uploading to ThreatConnect.
-----
-#### [virustotal_collections](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py)
+#### [VirusTotal Collections Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py)
Creates a VT Collection from an event iocs.
- **features**:
>This export module which takes advantage of a new endpoint in VT APIv3 to create VT Collections from IOCs contained in a MISP event. With this module users will be able to create a collection just using the Download as... button.
+- **config**:
+> - vt_api_key
+> - proxy_host
+> - proxy_port
+> - proxy_username
+> - proxy_password
- **input**:
>A domain, hash (md5, sha1, sha256 or sha512), hostname, url or IP address attribute.
- **output**:
@@ -226,7 +259,7 @@ Creates a VT Collection from an event iocs.
-----
-#### [vt_graph](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py)
+#### [VirusTotal Graph Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py)
@@ -235,6 +268,16 @@ This module is used to create a VirusTotal Graph from a MISP event.
>The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.
>
>Once the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.
+- **config**:
+> - vt_api_key
+> - fetch_information
+> - private
+> - fetch_vt_enterprise
+> - expand_one_level
+> - user_editors
+> - user_viewers
+> - group_editors
+> - group_viewers
- **input**:
>A MISP event.
- **output**:
@@ -246,7 +289,7 @@ This module is used to create a VirusTotal Graph from a MISP event.
-----
-#### [yara_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/yara_export.py)
+#### [YARA Rule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/yara_export.py)
diff --git a/documentation/mkdocs/import_mod.md b/documentation/mkdocs/import_mod.md
index 8b6fcdf9..d84b348a 100644
--- a/documentation/mkdocs/import_mod.md
+++ b/documentation/mkdocs/import_mod.md
@@ -1,5 +1,5 @@
-#### [cof2misp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py)
+#### [PDNS COF Importer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py)
Passive DNS Common Output Format (COF) MISP importer
- **features**:
@@ -15,7 +15,7 @@ Passive DNS Common Output Format (COF) MISP importer
-----
-#### [csvimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py)
+#### [CSV Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py)
Module to import MISP attributes from a csv file.
- **features**:
@@ -36,13 +36,13 @@ Module to import MISP attributes from a csv file.
-----
-#### [cuckooimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py)
+#### [Cuckoo Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py)
Module to import Cuckoo JSON.
- **features**:
->The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work.
+>Import a Cuckoo archive (zipfile or bzip2 tarball), either downloaded manually or exported from the API (/tasks/report//all).
- **input**:
>Cuckoo JSON file
- **output**:
@@ -53,12 +53,16 @@ Module to import Cuckoo JSON.
-----
-#### [email_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py)
+#### [Email Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py)
-Module to import emails in MISP.
+Email import module for MISP
- **features**:
>This module can be used to import e-mail text as well as attachments and urls.
>3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.
+- **config**:
+> - unzip_attachments
+> - guess_zip_attachment_passwords
+> - extract_urls
- **input**:
>E-mail file
- **output**:
@@ -66,7 +70,7 @@ Module to import emails in MISP.
-----
-#### [goamlimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py)
+#### [GoAML Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py)
@@ -84,7 +88,15 @@ Module to import MISP objects about financial transactions from GoAML files.
-----
-#### [joe_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py)
+#### [Import Blueprint](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/import_blueprint.py)
+
+Generic blueprint to be copy-pasted to quickly boostrap creation of import module.
+- **features**:
+>
+
+-----
+
+#### [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py)
@@ -103,7 +115,7 @@ A module to import data from a Joe Sandbox analysis json report.
-----
-#### [lastline_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py)
+#### [Lastline Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py)
@@ -114,6 +126,10 @@ Module to import and parse reports from Lastline analysis links.
>The module requires a Lastline Portal `username` and `password`.
>The module uses the new format and it is able to return MISP attributes and objects.
>The module returns the same results as the [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) expansion module.
+- **config**:
+> - username
+> - password
+> - verify_ssl
- **input**:
>Link to a Lastline analysis.
- **output**:
@@ -123,7 +139,7 @@ Module to import and parse reports from Lastline analysis links.
-----
-#### [mispjson](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py)
+#### [MISP JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py)
Module to import MISP JSON format for merging MISP events.
- **features**:
@@ -135,7 +151,7 @@ Module to import MISP JSON format for merging MISP events.
-----
-#### [ocr](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py)
+#### [OCR Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py)
Optical Character Recognition (OCR) module for MISP.
- **features**:
@@ -147,7 +163,7 @@ Optical Character Recognition (OCR) module for MISP.
-----
-#### [openiocimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py)
+#### [OpenIOC Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py)
Module to import OpenIOC packages.
- **features**:
@@ -163,7 +179,17 @@ Module to import OpenIOC packages.
-----
-#### [threatanalyzer_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py)
+#### [TAXII 2.1 Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/taxii21.py)
+
+Import content from a TAXII 2.1 server
+- **features**:
+>
+- **config**:
+>stix_object_limit
+
+-----
+
+#### [ThreadAnalyzer Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py)
Module to import ThreatAnalyzer archive.zip / analysis.json files.
- **features**:
@@ -178,7 +204,15 @@ Module to import ThreatAnalyzer archive.zip / analysis.json files.
-----
-#### [vmray_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py)
+#### [URL Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/url_import.py)
+
+Simple URL import tool with Faup
+- **features**:
+>
+
+-----
+
+#### [VMRay API Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py)
@@ -186,6 +220,12 @@ Module to import VMRay (VTI) results.
- **features**:
>The module imports MISP Attributes from VMRay format, using the VMRay api.
>Users should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.
+- **config**:
+> - apikey
+> - url
+> - disable_tags
+> - disable_misp_objects
+> - ignore_analysis_finished
- **input**:
>VMRay format
- **output**:
@@ -196,3 +236,13 @@ Module to import VMRay (VTI) results.
>vmray_rest_api
-----
+
+#### [VMRay Summary JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_summary_json_import.py)
+
+Import a VMRay Summary JSON report.
+- **features**:
+>
+- **config**:
+>disable_tags
+
+-----
diff --git a/documentation/mkdocs/index.md b/documentation/mkdocs/index.md
index ecc41366..b48f6655 100644
--- a/documentation/mkdocs/index.md
+++ b/documentation/mkdocs/index.md
@@ -14,128 +14,160 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
## Existing MISP modules
-### Expansion modules
-* [apiosintDS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py) - a hover and expansion module to query the [OSINT.digitalside.it](https://osint.digitalside.it) API. [Documentation](https://apiosintds.readthedocs.io/en/latest/userguidemisp.html).
-* [API Void](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py) - an expansion and hover module to query API Void with a domain attribute.
-* [AssemblyLine submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py) - an expansion module to submit samples and urls to AssemblyLine.
-* [AssemblyLine query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py) - an expansion module to query AssemblyLine and parse the full submission report.
-* [Backscatter.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py) - a hover and expansion module to expand an IP address with mass-scanning observations.
-* [BGP Ranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
-* [RansomcoinDB check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py) - An expansion hover module to query the [ransomcoinDB](https://ransomcoindb.concinnity-risks.com): it contains mapping between BTC addresses and malware hashes. Enrich MISP by querying for BTC -> hash or hash -> BTC addresses.
-* [BTC scam check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused.
-* [BTC transactions](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
-* [Censys-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py) - An expansion and module to retrieve information from censys.io about a particular IP or certificate.
-* [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
-* [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificates seen.
-* [countrycode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
-* [CrowdSec](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py) - a hover module to expand using CrowdSec's CTI API.
-* [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
-* [CPE](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE Search API with a cpe code, to get its related vulnerabilities.
-* [CVE](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
-* [CVE advanced](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
-* [Cuckoo submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py) - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.
-* [Cytomic Orion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py) - An expansion module to enrich attributes in MISP and share indicators of compromise with Cytomic Orion.
-* [DBL Spamhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py) - a hover module to check Spamhaus DBL for a domain name.
-* [DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
-* [docx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py) - an enrichment module to get text out of Word document into MISP (using free-text parser).
-* [DomainTools](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois.
-* [EQL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/)
-* [EUPI](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
-* [Farsight DNSDB Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
-* [GeoIP](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind.
-* [GeoIP_City](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py) - a hover and expansion module to get GeoIP City information from geolite/maxmind.
-* [GeoIP_ASN](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py) - a hover and expansion module to get GeoIP ASN information from geolite/maxmind.
-* [Google Threat Intelligence] (https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) - An expansion module to have the observable's threat score assessed by Google Threat Intelligence.
-* [GreyNoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) - a hover and expansion module to get IP and CVE information from GreyNoise.
-* [hashdd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) - a hover module to check file hashes against [hashdd.com](http://www.hashdd.com) including NSLR dataset.
-* [Hashlookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py) - An expansion module to enrich a file hash with hashlookup.circl.lu services (NSRL and other sources)
-* [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) - a hover module to lookup against Have I Been Pwned?
-* [html_to_markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py) - Simple HTML to markdown converter
-* [HYAS Insight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py) - a hover and expansion module to get information from [HYAS Insight](https://www.hyas.com/hyas-insight).
-* [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) - an expansion module to get info from [Intel471](https://intel471.com).
-* [IP2Location.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py) - an expansion module to get additional information on an IP address using the IP2Location.io API
-* [IPASN](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
-* [ipinfo.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py) - an expansion module to get additional information on an IP address using the ipinfo.io API
-* [iprep](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py) - an expansion module to get IP reputation from packetmail.net.
-* [Joe Sandbox submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py) - Submit files and URLs to Joe Sandbox.
-* [Joe Sandbox query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox with the link of an analysis and get the parsed data.
-* [Lastline submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) - Submit files and URLs to Lastline.
-* [Lastline query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) - Query Lastline with the link to an analysis and parse the report.
-* [macaddress.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module).
-* [macvendors](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information.
-* [MALWAREbazaar](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py) - an expansion module to query MALWAREbazaar with some payload.
-* [McAfee MVISION Insights](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mcafee_insights_enrich.py) - an expansion module enrich IOCs with McAfee MVISION Insights.
-* [Mmdb server lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py) - an expansion module to enrich an ip with geolocation information from an mmdb server such as ip.circl.lu.
-* [ocr-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py) - an enrichment module to get OCRized data from images into MISP.
-* [ods-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py) - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).
-* [odt-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py) - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).
-* [onyphe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py) - a modules to process queries on Onyphe.
-* [onyphe_full](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py) - a modules to process full queries on Onyphe.
-* [OTX](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py) - an expansion module for [OTX](https://otx.alienvault.com/).
-* [passivetotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
-* [pdf-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py) - an enrichment module to extract text from PDF into MISP (using free-text parser).
-* [pptx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py) - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser).
-* [qrcode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py) - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values.
-* [rbl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py) - a module to get RBL (Real-Time Blackhost List) values from an attribute.
-* [recordedfuture](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py) - a hover and expansion module for enriching MISP attributes with threat intelligence from Recorded Future.
-* [reversedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
-* [securitytrails](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py) - an expansion module for [securitytrails](https://securitytrails.com/).
-* [shodan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module.
-* [Sigma queries](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py) - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.
-* [Sigma syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py) - Sigma syntax validator.
-* [Socialscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py) - a hover module to check if an email address or a username is used on different online platforms, using the [socialscan](https://github.com/iojw/socialscan) python library
-* [SophosLabs Intelix](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py) - SophosLabs Intelix is an API for Threat Intelligence and Analysis (free tier available). [SophosLabs](https://aws.amazon.com/marketplace/pp/B07SLZPMCS)
-* [sourcecache](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance.
-* [stairwell](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py) - an expansion module to enrich hash observables with the Stairwell API
-* [STIX2 pattern syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax.
-* [ThreatCrowd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/).
-* [threatminer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py) - an expansion module to expand from [ThreatMiner](https://www.threatminer.org/).
-* [TruSTAR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py) - an expansion module to enrich MISP data with [TruSTAR](https://www.trustar.co/).
-* [urlhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
-* [urlscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io).
-* [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py) - an expansion module to query the [VARIoT db](https://www.variotdbs.pl) API to get more information about a Vulnerability
-* [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://docs.virustotal.com/reference/overview))
-* [virustotal_public](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://docs.virustotal.com/reference/overview))
-* [VMray](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray.
-* [VMware NSX](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py) - a module to enrich a file or URL with VMware NSX Defender.
-* [VulnDB](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py) - a module to query [VulnDB](https://www.riskbasedsecurity.com/).
-* [Vulners](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py) - an expansion module to expand information about CVEs using Vulners API.
-* [Vysion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py) - an expansion module to add dark web intelligence using Vysion API.
-* [whois](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py) - a module to query a local instance of [uwhois](https://github.com/rafiot/uwhoisd).
-* [whoisfreaks](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py) - An expansion module for [whoisfreaks](https://whoisfreaks.com/) that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
-* [wikidata](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py) - a [wikidata](https://www.wikidata.org) expansion module.
-* [xforce](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py) - an IBM X-Force Exchange expansion module.
-* [xlsx-enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py) - an enrichment module to get text out of an Excel document into MISP (using free-text parser).
-* [YARA query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py) - a module to create YARA rules from single hash attributes.
-* [YARA syntax validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py) - YARA syntax validator.
+### Expansion Modules
+* [Abuse IPDB](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/abuseipdb.py) - AbuseIPDB MISP expansion module
+* [OSINT DigitalSide](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py) - On demand query API for OSINT.digitalside.it project.
+* [APIVoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py) - Module to query APIVoid with some domain attributes.
+* [AssemblyLine Query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py) - A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.
+* [AssemblyLine Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py) - A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.
+* [Backscatter.io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py) - Backscatter.io module to bring mass-scanning observations into MISP.
+* [BGP Ranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py) - Query BGP Ranking to get the ranking of an Autonomous System number.
+* [BTC Scam Check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.
+* [BTC Steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance from a BTC address in MISP.
+* [Censys Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py) - An expansion module to enrich attributes in MISP by quering the censys.io API
+* [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py) - Module to access CIRCL Passive DNS.
+* [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py) - Modules to access CIRCL Passive SSL.
+* [ClaamAV](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/clamav.py) - Submit file to ClamAV
+* [Cluster25 Expand](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cluster25_expand.py) - Module to query Cluster25 CTI.
+* [Country Code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py) - Module to expand country codes.
+* [CPE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
+* [CrowdSec CTI](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdsec.py) - Hover module to lookup an IP in CrowdSec's CTI
+* [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py) - Module to query CrowdStrike Falcon.
+* [Cuckoo Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py) - Submit files and URLs to Cuckoo Sandbox
+* [CVE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py) - An expansion hover module to expand information about CVE id.
+* [CVE Advanced Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
+* [Cytomic Orion Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py) - An expansion module to enrich attributes in MISP by quering the Cytomic Orion API
+* [DBL Spamhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py) - Checks Spamhaus DBL for a domain name.
+* [DNS Resolver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py) - jj
+* [DOCX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py) - Module to extract freetext from a .docx document.
+* [DomainTools Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py) - DomainTools MISP expansion module.
+* [EQL Query Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py) - EQL query generation for a MISP attribute.
+* [EUPI Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py) - A module to query the Phishing Initiative service (https://phishing-initiative.lu).
+* [URL Components Extractor](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/extract_url_components.py) - Extract URL components
+* [Farsight DNSDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) - Module to access Farsight DNSDB Passive DNS.
+* [GeoIP ASN Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py) - Query a local copy of the Maxmind Geolite ASN database (MMDB format)
+* [GeoIP City Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py) - An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.
+* [GeoIP Country Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) - Query a local copy of Maxminds Geolite database, updated for MMDB format
+* [Google Safe Browsing Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_safe_browsing.py) - Google safe browsing expansion module
+* [Google Search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py) - An expansion hover module to expand google search information about an URL
+* [Google Threat Intelligence Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) - An expansion module to have the observable's threat score assessed by Google Threat Intelligence.
+* [GreyNoise Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) - Module to query IP and CVE information from GreyNoise
+* [Hashdd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) - A hover module to check hashes against hashdd.com including NSLR dataset.
+* [CIRCL Hashlookup Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py) - An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.
+* [Have I Been Pwned Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) - Module to access haveibeenpwned.com API.
+* [HTML to Markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py) - Expansion module to fetch the html content from an url and convert it into markdown.
+* [HYAS Insight Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py) - HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
+* [Intel471 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) - Module to access Intel 471
+* [IP2Location.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ip2locationio.py) - An expansion module to query IP2Location.io to gather more information on a given IP address.
+* [IPASN-History Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py) - Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).
+* [IPInfo.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipinfo.py) - An expansion module to query ipinfo.io to gather more information on a given IP address.
+* [IPQualityScore Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py) - IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner.
+* [IPRep Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py) - Module to query IPRep data for IP addresses.
+* [Ninja Template Rendering](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/jinja_template_rendering.py) - Render the template with the data passed
+* [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.
+* [Joe Sandbox Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py) - A module to submit files or URLs to Joe Sandbox for an advanced analysis, and return the link of the submission.
+* [Lastline Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
-### Export modules
+Query Lastline with an analysis link and parse the report into MISP attributes and objects.
+* [Lastline Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
-* [CEF](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py) - module to export Common Event Format (CEF).
-* [Cisco FireSight Manager ACL rule](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) - module to export as rule for the Cisco FireSight manager ACL.
-* [GoAML export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py) - module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html).
-* [Lite Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py) - module to export a lite event.
-* [PDF export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py) - module to export an event in PDF.
-* [Mass EQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py) - module to export applicable attributes from an event to a mass EQL query.
-* [Nexthink query format](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py) - module to export in Nexthink query format.
-* [osquery](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py) - module to export in [osquery](https://osquery.io/) query format.
-* [ThreatConnect](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py) - module to export in ThreatConnect CSV format.
-* [ThreatStream](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py) - module to export in ThreatStream format.
-* [VirusTotal Graph](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py) - Module to create a VirusTotal graph out of an event.
+Module to submit a file or URL to Lastline.
+* [Macaddress.io Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py) - MISP hover module for macaddress.io
+* [Macvendors Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py) - Module to access Macvendors API.
+* [Malware Bazaar Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py) - Query Malware Bazaar to get additional information about the input hash.
+* [McAfee MVISION Insights Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mcafee_insights_enrich.py) - Lookup McAfee MVISION Insights Details
+* [GeoIP Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py) - A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu.
+* [MWDB Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py) - Module to push malware samples to a MWDB instance
+* [OCR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py) - Module to process some optical character recognition on pictures.
+* [ODS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py) - Module to extract freetext from a .ods document.
+* [ODT Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py) - Module to extract freetext from a .odt document.
+* [Onyphe Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py) - Module to process a query on Onyphe.
+* [Onyphe Full Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py) - Module to process a full query on Onyphe.
+* [AlienVault OTX Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py) - Module to get information from AlienVault OTX.
+* [Passive SSH Enrichment](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passive_ssh.py) - An expansion module to enrich, SSH key fingerprints and IP addresses with information collected by passive-ssh
+* [PassiveTotal Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py) - The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register
+* [PDF Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py) - Module to extract freetext from a PDF document.
+* [PPTX Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py) - Module to extract freetext from a .pptx document.
+* [Qintel QSentry Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py) - A hover and expansion module which queries Qintel QSentry for ip reputation data
+* [QR Code Decode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py) - Module to decode QR codes.
+* [RandomcoinDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
+* [Real-time Blackhost Lists Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py) - Module to check an IPv4 address against known RBLs.
+* [Recorded Future Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py) - Module to enrich attributes with threat intelligence from Recorded Future.
+* [Reverse DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
+* [SecurityTrails Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py) - An expansion modules for SecurityTrails.
+* [Shodan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py) - Module to query on Shodan.
+* [Sigma Rule Converter](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py) - An expansion hover module to display the result of sigma queries.
+* [Sigma Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py) - An expansion hover module to perform a syntax check on sigma rules.
+* [SigMF Expansion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigmf_expand.py) - Expands a SigMF Recording object into a SigMF Expanded Recording object, extracts a SigMF archive into a SigMF Recording object.
+* [Socialscan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py) - A hover module to get information on the availability of an email address or username on some online platforms.
+* [SophosLabs Intelix Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py) - An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.
+* [URL Archiver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py) - Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.
+* [Stairwell Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stairwell.py) - Module to query the Stairwell API to get additional information about the input hash attribute
+* [STIX2 Pattern Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - An expansion hover module to perform a syntax check on stix2 patterns.
+* [ThreatCrowd Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py) - Module to get information from ThreatCrowd.
+* [ThreadFox Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatfox.py) - Module to search for an IOC on ThreatFox by abuse.ch.
+* [ThreatMiner Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py) - Module to get information from ThreatMiner.
+* [TruSTAR Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py) - Module to get enrich indicators with TruSTAR.
+* [URLhaus Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py) - Query of the URLhaus API to get additional information about the input attribute.
+* [URLScan Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py) - An expansion module to query urlscan.io.
+* [VARIoT db Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py) - An expansion module to query the VARIoT db API for more information about a vulnerability.
+* [VirusTotal v3 Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) - Enrich observables with the VirusTotal v3 API
+* [VirusTotal Public API Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py) - Enrich observables with the VirusTotal v3 public API
+* [VMRay Submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py) - Module to submit a sample to VMRay.
+* [VMware NSX Defender Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py) - Module to enrich a file or URL with VMware NSX Defender.
+* [VulnDB Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py) - Module to query VulnDB (RiskBasedSecurity.com).
+* [Vulnerability Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py) - An expansion module to query Vulnerability Lookup
+* [Vulners Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py) - An expansion hover module to expand information about CVE id using Vulners API.
+* [Vysion Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vysion.py) - Module to enrich the information by making use of the Vysion API.
+* [Whois Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py) - Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
+* [WhoisFreaks Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whoisfreaks.py) - An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
+* [Wikidata Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py) - An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.
+* [IBM X-Force Exchange Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py) - An expansion module for IBM X-Force Exchange.
+* [XLXS Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py) - Module to extract freetext from a .xlsx document.
+* [YARA Rule Generator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py) - jj
+* [YARA Syntax Validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py) - An expansion hover module to perform a syntax check on if yara rules are valid or not.
+* [Yeti Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py) - Module to process a query on Yeti.
-### Import modules
+### Export Modules
+* [CEF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py) - Module to export a MISP event in CEF format.
+* [Cisco fireSIGHT blockrule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) - Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.
+* [Microsoft Defender for Endpoint KQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py) - Defender for Endpoint KQL hunting query export module
+* [GoAML Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py) - This module is used to export MISP events containing transaction objects into GoAML format.
+* [Lite Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py) - Lite export of a MISP event.
+* [EQL Query Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py) - Export MISP event in Event Query Language
+* [Nexthink NXQL Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py) - Nexthink NXQL query export module
+* [OSQuery Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py) - OSQuery export of a MISP event.
+* [Event to PDF Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py) - Simple export of a MISP event to PDF.
+* [ThreatStream Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py) - Module to export a structured CSV file for uploading to threatStream.
+* [ThreadConnect Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py) - Module to export a structured CSV file for uploading to ThreatConnect.
+* [VirusTotal Collections Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py) - Creates a VT Collection from an event iocs.
+* [VirusTotal Graph Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py) - This module is used to create a VirusTotal Graph from a MISP event.
+* [YARA Rule Export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/yara_export.py) - This module is used to export MISP events to YARA.
-* [CSV import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py) - Customizable CSV import module.
-* [Cuckoo JSON](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py) - Cuckoo JSON import.
-* [Email Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py) - Email import module for MISP to import basic metadata.
-* [GoAML import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py) - Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format.
-* [Joe Sandbox import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) - Parse data from a Joe Sandbox json report.
-* [Lastline import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) - Module to import Lastline analysis reports.
-* [OCR](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py) - Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
-* [OpenIOC](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py) - OpenIOC import based on PyMISP library.
-* [ThreatAnalyzer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
-* [VMRay](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
+### Import Modules
+* [PDNS COF Importer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py) - Passive DNS Common Output Format (COF) MISP importer
+* [CSV Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py) - Module to import MISP attributes from a csv file.
+* [Cuckoo Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py) - Module to import Cuckoo JSON.
+* [Email Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py) - Email import module for MISP
+* [GoAML Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py) - Module to import MISP objects about financial transactions from GoAML files.
+* [Import Blueprint](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/import_blueprint.py) - Generic blueprint to be copy-pasted to quickly boostrap creation of import module.
+* [Joe Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) - A module to import data from a Joe Sandbox analysis json report.
+* [Lastline Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
+Module to import and parse reports from Lastline analysis links.
+* [MISP JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py) - Module to import MISP JSON format for merging MISP events.
+* [OCR Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py) - Optical Character Recognition (OCR) module for MISP.
+* [OpenIOC Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py) - Module to import OpenIOC packages.
+* [TAXII 2.1 Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/taxii21.py) - Import content from a TAXII 2.1 server
+* [ThreadAnalyzer Sandbox Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py) - Module to import ThreatAnalyzer archive.zip / analysis.json files.
+* [URL Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/url_import.py) - Simple URL import tool with Faup
+* [VMRay API Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py) - Module to import VMRay (VTI) results.
+* [VMRay Summary JSON Import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_summary_json_import.py) - Import a VMRay Summary JSON report.
+
+### Action Modules
+* [Mattermost](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/mattermost.py) - Simplistic module to send message to a Mattermost channel.
+* [Slack](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/slack.py) - Simplistic module to send messages to a Slack channel.
+* [Test action](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/action_mod/testaction.py) - This module is merely a test, always returning true. Triggers on event publishing.
## How to contribute your own module?
diff --git a/documentation/mkdocs/install.md b/documentation/mkdocs/install.md
index 1cb7cb88..1e72666d 100644
--- a/documentation/mkdocs/install.md
+++ b/documentation/mkdocs/install.md
@@ -1,4 +1,6 @@
-## How to install and start MISP modules (in a Python virtualenv)?
+## How to install and start MISP modules (in a Python virtualenv)? (recommended)
+
+***Be sure to run the latest version of `pip`***. To install the latest version of pip, `pip install --upgrade pip` will do the job.
~~~~bash
SUDO_WWW="sudo -u www-data"
diff --git a/documentation/website/expansion/apiosintds.json b/documentation/website/expansion/apiosintds.json
deleted file mode 100644
index 8bdaf395..00000000
--- a/documentation/website/expansion/apiosintds.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "On demand query API for OSINT.digitalside.it project.",
- "requirements": [
- "The apiosintDS python library to query the OSINT.digitalside.it API."
- ],
- "input": "A domain, ip, url or hash attribute.",
- "output": "Hashes and urls resulting from the query to OSINT.digitalside.it",
- "references": [
- "https://osint.digitalside.it/#About"
- ],
- "features": "The module simply queries the API of OSINT.digitalside.it with a domain, ip, url or hash attribute.\n\nThe result of the query is then parsed to extract additional hashes or urls. A module parameters also allows to parse the hashes related to the urls.\n\nFurthermore, it is possible to cache the urls and hashes collected over the last 7 days by OSINT.digitalside.it"
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/apivoid.json b/documentation/website/expansion/apivoid.json
deleted file mode 100644
index 5962f578..00000000
--- a/documentation/website/expansion/apivoid.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to query APIVoid with some domain attributes.",
- "logo": "apivoid.png",
- "requirements": [
- "A valid APIVoid API key with enough credits to proceed 2 queries"
- ],
- "input": "A domain attribute.",
- "output": "DNS records and SSL certificates related to the domain.",
- "features": "This module takes a domain name and queries API Void to get the related DNS records and the SSL certificates. It returns then those pieces of data as MISP objects that can be added to the event.\n\nTo make it work, a valid API key and enough credits to proceed 2 queries (0.06 + 0.07 credits) are required.",
- "references": [
- "https://www.apivoid.com/"
- ]
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/assemblyline_query.json b/documentation/website/expansion/assemblyline_query.json
deleted file mode 100644
index a0b38359..00000000
--- a/documentation/website/expansion/assemblyline_query.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.",
- "logo": "assemblyline.png",
- "requirements": [
- "assemblyline_client: Python library to query the AssemblyLine rest API."
- ],
- "input": "Link of an AssemblyLine submission report.",
- "output": "MISP attributes & objects parsed from the AssemblyLine submission.",
- "references": [
- "https://www.cyber.gc.ca/en/assemblyline"
- ],
- "features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the used-ID and an API key or the password associated to the user-ID.\n\nThe submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.\n\nSome more data may be parsed in the future."
-}
diff --git a/documentation/website/expansion/assemblyline_submit.json b/documentation/website/expansion/assemblyline_submit.json
deleted file mode 100644
index 8f147ca5..00000000
--- a/documentation/website/expansion/assemblyline_submit.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.",
- "logo": "assemblyline.png",
- "requirements": [
- "assemblyline_client: Python library to query the AssemblyLine rest API."
- ],
- "input": "Sample, or url to submit to AssemblyLine.",
- "output": "Link of the report generated in AssemblyLine.",
- "references": [
- "https://www.cyber.gc.ca/en/assemblyline"
- ],
- "features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.\n\nIf the sample or url is correctly submitted, you get then the link of the submission."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/backscatter_io.json b/documentation/website/expansion/backscatter_io.json
deleted file mode 100644
index 146e41c2..00000000
--- a/documentation/website/expansion/backscatter_io.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Query backscatter.io (https://backscatter.io/).",
- "requirements": [
- "backscatter python library"
- ],
- "features": "The module takes a source or destination IP address as input and displays the information known by backscatter.io.",
- "logo": "backscatter_io.png",
- "references": [
- "https://pypi.org/project/backscatter/"
- ],
- "input": "IP addresses.",
- "output": "Text containing a history of the IP addresses especially on scanning based on backscatter.io information ."
-}
diff --git a/documentation/website/expansion/bgpranking.json b/documentation/website/expansion/bgpranking.json
deleted file mode 100644
index 5b0383e5..00000000
--- a/documentation/website/expansion/bgpranking.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Query BGP Ranking (https://bgpranking-ng.circl.lu/).",
- "requirements": [
- "pybgpranking python library"
- ],
- "features": "The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.",
- "references": [
- "https://github.com/D4-project/BGP-Ranking/"
- ],
- "input": "Autonomous system number.",
- "output": "An asn object with its related bgp-ranking object."
-}
diff --git a/documentation/website/expansion/btc_scam_check.json b/documentation/website/expansion/btc_scam_check.json
deleted file mode 100644
index 01fe8ff4..00000000
--- a/documentation/website/expansion/btc_scam_check.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.",
- "requirements": [
- "dnspython3: dns python library"
- ],
- "features": "The module queries a dns blacklist directly with the bitcoin address and get a response if the address has been abused.",
- "logo": "bitcoin.png",
- "input": "btc address attribute.",
- "output": "Text to indicate if the BTC address has been abused.",
- "references": [
- "https://btcblack.it/"
- ]
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/btc_steroids.json b/documentation/website/expansion/btc_steroids.json
deleted file mode 100644
index b365d44c..00000000
--- a/documentation/website/expansion/btc_steroids.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "description": "An expansion hover module to get a blockchain balance from a BTC address in MISP.",
- "logo": "bitcoin.png",
- "input": "btc address attribute.",
- "output": "Text to describe the blockchain balance and the transactions related to the btc address in input."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/censys_enrich.json b/documentation/website/expansion/censys_enrich.json
deleted file mode 100644
index 9f3a6f0f..00000000
--- a/documentation/website/expansion/censys_enrich.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "An expansion module to enrich attributes in MISP by quering the censys.io API",
- "requirements": [
- "API credentials to censys.io"
- ],
- "input": "IP, domain or certificate fingerprint (md5, sha1 or sha256)",
- "output": "MISP objects retrieved from censys, including open ports, ASN, Location of the IP, x509 details",
- "references": [
- "https://www.censys.io"
- ],
- "features": "This module takes an IP, hostname or a certificate fingerprint and attempts to enrich it by querying the Censys API."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/circl_passivedns.json b/documentation/website/expansion/circl_passivedns.json
deleted file mode 100644
index b50136b3..00000000
--- a/documentation/website/expansion/circl_passivedns.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "description": "Module to access CIRCL Passive DNS.",
- "logo": "passivedns.png",
- "requirements": [
- "pypdns: Passive DNS python library",
- "A CIRCL passive DNS account with username & password"
- ],
- "input": "Hostname, domain, or ip-address attribute.",
- "ouput": "Passive DNS objects related to the input attribute.",
- "features": "This module takes a hostname, domain or ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive DNS REST API to get the asssociated passive dns entries and return them as MISP objects.\n\nTo make it work a username and a password are thus required to authenticate to the CIRCL Passive DNS API.",
- "references": [
- "https://www.circl.lu/services/passive-dns/",
- "https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/"
- ]
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/circl_passivessl.json b/documentation/website/expansion/circl_passivessl.json
deleted file mode 100644
index 4010297a..00000000
--- a/documentation/website/expansion/circl_passivessl.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Modules to access CIRCL Passive SSL.",
- "logo": "passivessl.png",
- "requirements": [
- "pypssl: Passive SSL python library",
- "A CIRCL passive SSL account with username & password"
- ],
- "input": "IP address attribute.",
- "output": "x509 certificate objects seen by the IP address(es).",
- "features": "This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive SSL REST API to gather the related certificates and return the corresponding MISP objects.\n\nTo make it work a username and a password are required to authenticate to the CIRCL Passive SSL API.",
- "references": [
- "https://www.circl.lu/services/passive-ssl/"
- ]
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/cluster25_expand.json b/documentation/website/expansion/cluster25_expand.json
deleted file mode 100644
index d41c2125..00000000
--- a/documentation/website/expansion/cluster25_expand.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Module to query Cluster25 CTI.",
- "logo": "cluster25.png",
- "requirements": [
- "A Cluster25 API access (API id & key)"
- ],
- "input": "An Indicator value of type included in the following list:\n- domain\n- email-src\n- email-dst\n- filename\n- md5\n- sha1\n- sha256\n- ip-src\n- ip-dst\n- url\n- vulnerability\n- btc\n- xmr\n ja3-fingerprint-md5",
- "output": "A series of c25 MISP Objects with colletion of attributes mapped from Cluster25 CTI query result.",
- "references": [
- ""
- ],
- "features": "This module takes a MISP attribute value as input to query the Cluster25CTI API. The result is then mapped into compatible MISP Objects and relative attributes.\n"
-}
-
diff --git a/documentation/website/expansion/countrycode.json b/documentation/website/expansion/countrycode.json
deleted file mode 100644
index 110bdf78..00000000
--- a/documentation/website/expansion/countrycode.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "description": "Module to expand country codes.",
- "input": "Hostname or domain attribute.",
- "output": "Text with the country code the input belongs to.",
- "features": "The module takes a domain or a hostname as input, and returns the country it belongs to.\n\nFor non country domains, a list of the most common possible extensions is used."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/cpe.json b/documentation/website/expansion/cpe.json
deleted file mode 100644
index 43f37a09..00000000
--- a/documentation/website/expansion/cpe.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.",
- "logo": "cve.png",
- "input": "CPE attribute.",
- "output": "The vulnerabilities related to the CPE.",
- "references": [
- "https://vulnerability.circl.lu/api/"
- ],
- "features": "The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. \nThe list of vulnerabilities is then parsed and returned as vulnerability objects.\n\nUsers can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.\n\nIn order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/crowdsec.json b/documentation/website/expansion/crowdsec.json
deleted file mode 100644
index 750caae1..00000000
--- a/documentation/website/expansion/crowdsec.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "description": "Hover module to lookup an IP in CrowdSec's CTI",
- "logo": "crowdsec.png",
- "requirements": [
- "A CrowdSec CTI API key. Get yours by following https://docs.crowdsec.net/docs/cti_api/getting_started/#getting-an-api-key"
- ],
- "input": "An IP address.",
- "output": "IP Lookup information from CrowdSec CTI API",
- "references": [
- "https://www.crowdsec.net/",
- "https://docs.crowdsec.net/docs/cti_api/getting_started",
- "https://app.crowdsec.net/"
- ],
- "features": "This module enables IP lookup from CrowdSec CTI API. It provides information about the IP, such as what kind of attacks it has been participant of as seen by CrowdSec's network. It also includes enrichment by CrowdSec like background noise score, aggressivity over time etc."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/crowdstrike_falcon.json b/documentation/website/expansion/crowdstrike_falcon.json
deleted file mode 100644
index a2408b91..00000000
--- a/documentation/website/expansion/crowdstrike_falcon.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to query Crowdstrike Falcon.",
- "logo": "crowdstrike.png",
- "requirements": [
- "A CrowdStrike API access (API id & key)"
- ],
- "input": "A MISP attribute included in the following list:\n- domain\n- email-attachment\n- email-dst\n- email-reply-to\n- email-src\n- email-subject\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- mutex\n- regkey\n- sha1\n- sha256\n- uri\n- url\n- user-agent\n- whois-registrant-email\n- x509-fingerprint-md5",
- "output": "MISP attributes mapped after the CrowdStrike API has been queried, included in the following list:\n- hostname\n- email-src\n- email-subject\n- filename\n- md5\n- sha1\n- sha256\n- ip-dst\n- ip-dst\n- mutex\n- regkey\n- url\n- user-agent\n- x509-fingerprint-md5",
- "references": [
- "https://www.crowdstrike.com/products/crowdstrike-falcon-faq/"
- ],
- "features": "This module takes a MISP attribute as input to query a CrowdStrike Falcon API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.\n\nPlease note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/cuckoo_submit.json b/documentation/website/expansion/cuckoo_submit.json
deleted file mode 100644
index 5c232184..00000000
--- a/documentation/website/expansion/cuckoo_submit.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "An expansion module to submit files and URLs to Cuckoo Sandbox.",
- "logo": "cuckoo.png",
- "requirements": [
- "Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key)"
- ],
- "input": "A malware-sample or attachment for files. A url or domain for URLs.",
- "output": "A text field containing 'Cuckoo task id: '",
- "references": [
- "https://cuckoosandbox.org/",
- "https://cuckoo.sh/docs/"
- ],
- "features": "The module takes a malware-sample, attachment, url or domain and submits it to Cuckoo Sandbox.\n The returned task id can be used to retrieve results when the analysis completed."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/cve.json b/documentation/website/expansion/cve.json
deleted file mode 100644
index 6121ba4c..00000000
--- a/documentation/website/expansion/cve.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "An expansion hover module to expand information about CVE id.",
- "logo": "cve.png",
- "input": "Vulnerability attribute.",
- "output": "Text giving information about the CVE related to the Vulnerability.",
- "references": [
- "https://vulnerability.circl.lu/",
- "https://cve.mitre.org/"
- ],
- "features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/cve_advanced.json b/documentation/website/expansion/cve_advanced.json
deleted file mode 100644
index 2ecce7b2..00000000
--- a/documentation/website/expansion/cve_advanced.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).",
- "logo": "cve.png",
- "input": "Vulnerability attribute.",
- "output": "Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.",
- "references": [
- "https://vulnerability.circl.lu",
- "https://cve/mitre.org/"
- ],
- "features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information.\n\nThe result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.\n\nThe vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/cytomic_orion.json b/documentation/website/expansion/cytomic_orion.json
deleted file mode 100644
index 8623670e..00000000
--- a/documentation/website/expansion/cytomic_orion.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "An expansion module to enrich attributes in MISP by quering the Cytomic Orion API",
- "logo": "cytomic_orion.png",
- "requirements": [
- "Access (license) to Cytomic Orion"
- ],
- "input": "MD5, hash of the sample / malware to search for.",
- "output": "MISP objects with sightings of the hash in Cytomic Orion. Includes files and machines.",
- "references": [
- "https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/",
- "https://www.cytomicmodel.com/solutions/"
- ],
- "features": "This module takes an MD5 hash and searches for occurrences of this hash in the Cytomic Orion database. Returns observed files and machines."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/dbl_spamhaus.json b/documentation/website/expansion/dbl_spamhaus.json
deleted file mode 100644
index 6a33c8e8..00000000
--- a/documentation/website/expansion/dbl_spamhaus.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to check Spamhaus DBL for a domain name.",
- "logo": "spamhaus.jpg",
- "requirements": [
- "dnspython3: DNS python3 library"
- ],
- "input": "Domain or hostname attribute.",
- "output": "Information about the nature of the input.",
- "references": [
- "https://www.spamhaus.org/faq/section/Spamhaus%20DBL"
- ],
- "features": "This modules takes a domain or a hostname in input and queries the Domain Block List provided by Spamhaus to determine what kind of domain it is.\n\nDBL then returns a response code corresponding to a certain classification of the domain we display. If the queried domain is not in the list, it is also mentionned.\n\nPlease note that composite MISP attributes containing domain or hostname are supported as well."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/dns.json b/documentation/website/expansion/dns.json
deleted file mode 100644
index a0fb4ddb..00000000
--- a/documentation/website/expansion/dns.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "A simple DNS expansion service to resolve IP address from domain MISP attributes.",
- "requirements": [
- "dnspython3: DNS python3 library"
- ],
- "input": "Domain or hostname attribute.",
- "output": "IP address resolving the input.",
- "features": "The module takes a domain of hostname attribute as input, and tries to resolve it. If no error is encountered, the IP address that resolves the domain is returned, otherwise the origin of the error is displayed.\n\nThe address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).\n\nPlease note that composite MISP attributes containing domain or hostname are supported as well."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/docx_enrich.json b/documentation/website/expansion/docx_enrich.json
deleted file mode 100644
index 55bd9554..00000000
--- a/documentation/website/expansion/docx_enrich.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to extract freetext from a .docx document.",
- "logo": "docx.png",
- "requirements": [
- "docx python library"
- ],
- "input": "Attachment attribute containing a .docx document.",
- "output": "Text and freetext parsed from the document.",
- "references": [],
- "features": "The module reads the text contained in a .docx document. The result is passed to the freetext import parser so IoCs can be extracted out of it."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/domaintools.json b/documentation/website/expansion/domaintools.json
deleted file mode 100644
index 99c916b6..00000000
--- a/documentation/website/expansion/domaintools.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "DomainTools MISP expansion module.",
- "logo": "domaintools.png",
- "requirements": [
- "Domaintools python library",
- "A Domaintools API access (username & apikey)"
- ],
- "input": "A MISP attribute included in the following list:\n- domain\n- hostname\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-name\n- whois-registrant-phone\n- ip-src\n- ip-dst",
- "output": "MISP attributes mapped after the Domaintools API has been queried, included in the following list:\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- text\n- domain",
- "references": [
- "https://www.domaintools.com/"
- ],
- "features": "This module takes a MISP attribute as input to query the Domaintools API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.\n\nPlease note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/eql.json b/documentation/website/expansion/eql.json
deleted file mode 100644
index 4af9df41..00000000
--- a/documentation/website/expansion/eql.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "EQL query generation for a MISP attribute.",
- "logo": "eql.png",
- "requirements": [],
- "input": "A filename or ip attribute.",
- "output": "Attribute containing EQL for a network or file attribute.",
- "references": [
- "https://eql.readthedocs.io/en/latest/"
- ],
- "features": "This module adds a new attribute to a MISP event containing an EQL query for a network or file attribute."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/eupi.json b/documentation/website/expansion/eupi.json
deleted file mode 100644
index 07eb59ea..00000000
--- a/documentation/website/expansion/eupi.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "A module to query the Phishing Initiative service (https://phishing-initiative.lu).",
- "logo": "eupi.png",
- "requirements": [
- "pyeupi: eupi python library",
- "An access to the Phishing Initiative API (apikey & url)"
- ],
- "input": "A domain, hostname or url MISP attribute.",
- "output": "Text containing information about the input, resulting from the query on Phishing Initiative.",
- "references": [
- "https://phishing-initiative.eu/?lang=en"
- ],
- "features": "This module takes a domain, hostname or url MISP attribute as input to query the Phishing Initiative API. The API returns then the result of the query with some information about the value queried.\n\nPlease note that composite attributes containing domain or hostname are also supported."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/farsight_passivedns.json b/documentation/website/expansion/farsight_passivedns.json
deleted file mode 100644
index 93183ce2..00000000
--- a/documentation/website/expansion/farsight_passivedns.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Module to access Farsight DNSDB Passive DNS.",
- "logo": "farsight.png",
- "requirements": [
- "An access to the Farsight Passive DNS API (apikey)"
- ],
- "input": "A domain, hostname or IP address MISP attribute.",
- "output": "Passive-dns objects, resulting from the query on the Farsight Passive DNS API.",
- "references": [
- "https://www.farsightsecurity.com/",
- "https://docs.dnsdb.info/dnsdb-api/"
- ],
- "features": "This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API.\n The results of rdata and rrset lookups are then returned and parsed into passive-dns objects.\n\nAn API key is required to submit queries to the API.\n It is also possible to define a custom server URL, and to set a limit of results to get.\n This limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit)."
-}
diff --git a/documentation/website/expansion/geoip_asn.json b/documentation/website/expansion/geoip_asn.json
deleted file mode 100644
index 9a7b1ddf..00000000
--- a/documentation/website/expansion/geoip_asn.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "descrption": "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.",
- "logo": "maxmind.png",
- "requirements": [
- "A local copy of Maxmind's Geolite database"
- ],
- "input": "An IP address MISP attribute.",
- "output": "Text containing information about the AS number of the IP address.",
- "references": [
- "https://www.maxmind.com/en/home"
- ],
- "features": "The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/geoip_city.json b/documentation/website/expansion/geoip_city.json
deleted file mode 100644
index 24d286b4..00000000
--- a/documentation/website/expansion/geoip_city.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.",
- "logo": "maxmind.png",
- "requirements": [
- "A local copy of Maxmind's Geolite database"
- ],
- "input": "An IP address MISP attribute.",
- "output": "Text containing information about the city where the IP address is located.",
- "references": [
- "https://www.maxmind.com/en/home"
- ],
- "features": "The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/geoip_country.json b/documentation/website/expansion/geoip_country.json
deleted file mode 100644
index ec842824..00000000
--- a/documentation/website/expansion/geoip_country.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to query a local copy of Maxmind's Geolite database.",
- "logo": "maxmind.png",
- "requirements": [
- "A local copy of Maxmind's Geolite database"
- ],
- "input": "An IP address MISP Attribute.",
- "output": "Text containing information about the location of the IP address.",
- "references": [
- "https://www.maxmind.com/en/home"
- ],
- "features": "This module takes an IP address MISP attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the location of this IP address.\n\nPlease note that composite attributes domain|ip are also supported."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/google_search.json b/documentation/website/expansion/google_search.json
deleted file mode 100644
index 8772d21a..00000000
--- a/documentation/website/expansion/google_search.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "descrption": "A hover module to get information about an url using a Google search.",
- "logo": "google.png",
- "requirements": [
- "The python Google Search API library"
- ],
- "input": "An url attribute.",
- "output": "Text containing the result of a Google search on the input url.",
- "references": [
- "https://github.com/abenassi/Google-Search-API"
- ],
- "features": "The module takes an url as input to query the Google search API. The result of the query is then return as raw text."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/google_threat_intelligence.json b/documentation/website/expansion/google_threat_intelligence.json
deleted file mode 100644
index 8db8005e..00000000
--- a/documentation/website/expansion/google_threat_intelligence.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "An expansion module to have the observable's threat score assessed by Google Threat Intelligence.",
- "logo": "google_threat_intelligence.png",
- "requirements": [
- "An access to the Google Threat Intelligence API (apikey), with a high request rate limit."
- ],
- "input": "A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.",
- "output": "Text fields containing the threat score, the severity, the verdict and the threat label of the observable inspected.",
- "references": [
- "https://www.virustotal.com/",
- "https://gtidocs.virustotal.com/reference"
- ],
- "features": "GTI assessment for the given observable, this include information about level of severity, a clear verdict (malicious, suspicious, undetected and benign) and additional information provided by the Mandiant expertise combined with the VirusTotal database.\n\n[Output example screeshot](https://github.com/MISP/MISP/assets/4747608/e275db2f-bb1e-4413-8cc0-ec3cb05e0414)"
-}
diff --git a/documentation/website/expansion/greynoise.json b/documentation/website/expansion/greynoise.json
deleted file mode 100644
index 49885371..00000000
--- a/documentation/website/expansion/greynoise.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "description": "Module to query IP and CVE information from GreyNoise",
- "logo": "greynoise.png",
- "requirements": [
- "A Greynoise API key. Both Enterprise (Paid) and Community (Free) API keys are supported, however Community API users will only be able to perform IP lookups."
- ],
- "input": "An IP address or CVE ID",
- "output": "IP Lookup information or CVE scanning profile for past 7 days",
- "references": [
- "https://greynoise.io/",
- "https://docs.greyniose.io/",
- "https://www.greynoise.io/viz/account/"
- ],
- "features": "This module supports: 1) Query an IP from GreyNoise to see if it is internet background noise or a common business service 2) Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/hashdd.json b/documentation/website/expansion/hashdd.json
deleted file mode 100644
index 2edc1d17..00000000
--- a/documentation/website/expansion/hashdd.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "A hover module to check hashes against hashdd.com including NSLR dataset.",
- "input": "A hash MISP attribute (md5).",
- "output": "Text describing the known level of the hash in the hashdd databases.",
- "references": [
- "https://hashdd.com/"
- ],
- "features": "This module takes a hash attribute as input to check its known level, using the hashdd API. This information is then displayed."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/hashlookup.json b/documentation/website/expansion/hashlookup.json
deleted file mode 100644
index 713be839..00000000
--- a/documentation/website/expansion/hashlookup.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.",
- "logo": "circl.png",
- "input": "File hashes (MD5, SHA1)",
- "output": "Object with the filename associated hashes if the hash is part of a known set.",
- "references": [
- "https://www.circl.lu/services/hashlookup/"
- ],
- "features": "The module takes file hashes as input such as a MD5 or SHA1.\n It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required.\n The module can be used an hover module but also an expansion model to add related MISP objects.\n"
-}
diff --git a/documentation/website/expansion/hibp.json b/documentation/website/expansion/hibp.json
deleted file mode 100644
index a2b7b09c..00000000
--- a/documentation/website/expansion/hibp.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to access haveibeenpwned.com API.",
- "logo": "hibp.png",
- "requirements": [],
- "input": "An email address",
- "output": "Additional information about the email address.",
- "references": [
- "https://haveibeenpwned.com/"
- ],
- "features": "The module takes an email address as input and queries haveibeenpwned.com API to find additional information about it. This additional information actually tells if any account using the email address has already been compromised in a data breach."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/html_to_markdown.json b/documentation/website/expansion/html_to_markdown.json
deleted file mode 100644
index 08644317..00000000
--- a/documentation/website/expansion/html_to_markdown.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "Expansion module to fetch the html content from an url and convert it into markdown.",
- "input": "URL attribute.",
- "output": "Markdown content converted from the HTML fetched from the url.",
- "requirements": [
- "The markdownify python library"
- ],
- "features": "The module take an URL as input and the HTML content is fetched from it. This content is then converted into markdown that is returned as text."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/hyasinsight.json b/documentation/website/expansion/hyasinsight.json
deleted file mode 100644
index 2762a087..00000000
--- a/documentation/website/expansion/hyasinsight.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.",
- "logo": "hyas.png",
- "requirements": [
- "A HYAS Insight API Key."
- ],
- "input": "A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)",
- "output": "Hyas Insight objects, resulting from the query on the HYAS Insight API.",
- "references": [
- "https://www.hyas.com/hyas-insight/"
- ],
- "features": "This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.\n The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. \n\nAn API key is required to submit queries to the HYAS Insight API.\n"
-}
diff --git a/documentation/website/expansion/intel471.json b/documentation/website/expansion/intel471.json
deleted file mode 100644
index 89352767..00000000
--- a/documentation/website/expansion/intel471.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "descrption": "An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.",
- "logo": "intel471.png",
- "requirements": [
- "The intel471 python library"
- ],
- "input": "A MISP attribute whose type is included in the following list:\n- hostname\n- domain\n- url\n- ip-src\n- ip-dst\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-name\n- md5\n- sha1\n- sha256",
- "output": "Freetext",
- "references": [
- "https://public.intel471.com/"
- ],
- "features": "The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/intelmq_eventdb.json b/documentation/website/expansion/intelmq_eventdb.json
deleted file mode 100644
index ce2b12a5..00000000
--- a/documentation/website/expansion/intelmq_eventdb.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "description": "Module to access intelmqs eventdb.",
- "logo": "intelmq.png",
- "requirements": [
- "psycopg2: Python library to support PostgreSQL",
- "An access to the IntelMQ database (username, password, hostname and database reference)"
- ],
- "input": "A hostname, domain, IP address or AS attribute.",
- "output": "Text giving information about the input using IntelMQ database.",
- "references": [
- "https://github.com/certtools/intelmq",
- "https://intelmq.readthedocs.io/en/latest/Developers-Guide/"
- ],
- "features": "/!\\ EXPERIMENTAL MODULE, some features may not work /!\\\n\nThis module takes a domain, hostname, IP address or Autonomous system MISP attribute as input to query the IntelMQ database. The result of the query gives then additional information about the input."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/ip2locationio.json b/documentation/website/expansion/ip2locationio.json
deleted file mode 100644
index 71de5455..00000000
--- a/documentation/website/expansion/ip2locationio.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion module to query IP2Location.io to gather more information on a given IP address.",
- "logo": "ip2locationio.png",
- "requirements": [
- "An IP2Location.io token"
- ],
- "input": "IP address attribute.",
- "output": "Additional information on the IP address, such as geolocation, proxy and so on. Refer to the Response Format section in https://www.ip2location.io/ip2location-documentation to find out the full format of the data returned.",
- "references": [
- "https://www.ip2location.io/ip2location-documentation"
- ],
- "features": "The module takes an IP address attribute as input and queries the IP2Location.io API. \nFree plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address. \n Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan. \n\nMore information on the responses content is available in the [documentation](https://www.ip2location.io/ip2location-documentation)."
-}
diff --git a/documentation/website/expansion/ipasn.json b/documentation/website/expansion/ipasn.json
deleted file mode 100644
index 5f30608a..00000000
--- a/documentation/website/expansion/ipasn.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).",
- "requirements": [
- "pyipasnhistory: Python library to access IPASN-history instance"
- ],
- "input": "An IP address MISP attribute.",
- "output": "Asn object(s) objects related to the IP address used as input.",
- "references": [
- "https://github.com/D4-project/IPASN-History"
- ],
- "features": "This module takes an IP address attribute as input and queries the CIRCL IPASN service. The result of the query is the latest asn related to the IP address, that is returned as a MISP object."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/ipinfo.json b/documentation/website/expansion/ipinfo.json
deleted file mode 100644
index 070b7a8d..00000000
--- a/documentation/website/expansion/ipinfo.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion module to query ipinfo.io to gather more information on a given IP address.",
- "logo": "ipinfo.png",
- "requirements": [
- "An ipinfo.io token"
- ],
- "input": "IP address attribute.",
- "output": "Additional information on the IP address, like its geolocation, the autonomous system it is included in, and the related domain(s).",
- "references": [
- "https://ipinfo.io/developers"
- ],
- "features": "The module takes an IP address attribute as input and queries the ipinfo.io API. \nThe geolocation information on the IP address is always returned.\n\nDepending on the subscription plan, the API returns different pieces of information then:\n- With a basic plan (free) you get the AS number and the AS organisation name concatenated in the `org` field.\n- With a paid subscription, the AS information is returned in the `asn` field with additional AS information, and depending on which plan the user has, you can also get information on the privacy method used to protect the IP address, the related domains, or the point of contact related to the IP address in case of an abuse.\n\nMore information on the responses content is available in the [documentation](https://ipinfo.io/developers)."
-}
diff --git a/documentation/website/expansion/ipqs_fraud_and_risk_scoring.json b/documentation/website/expansion/ipqs_fraud_and_risk_scoring.json
deleted file mode 100644
index d0d4665d..00000000
--- a/documentation/website/expansion/ipqs_fraud_and_risk_scoring.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner.",
- "logo": "ipqualityscore.png",
- "requirements": [
- "A IPQualityScore API Key."
- ],
- "input": "A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone).",
- "output": "IPQualityScore object, resulting from the query on the IPQualityScore API.",
- "references": [
- "https://www.ipqualityscore.com/"
- ],
- "features": "This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API.\n The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object. \n The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore."
-}
diff --git a/documentation/website/expansion/iprep.json b/documentation/website/expansion/iprep.json
deleted file mode 100644
index 2e273044..00000000
--- a/documentation/website/expansion/iprep.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to query IPRep data for IP addresses.",
- "requirements": [
- "An access to the packetmail API (apikey)"
- ],
- "input": "An IP address MISP attribute.",
- "output": "Text describing additional information about the input after a query on the IPRep API.",
- "references": [
- "https://github.com/mahesh557/packetmail"
- ],
- "features": "This module takes an IP address attribute as input and queries the database from packetmail.net to get some information about the reputation of the IP."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/joesandbox_query.json b/documentation/website/expansion/joesandbox_query.json
deleted file mode 100644
index 9fa08577..00000000
--- a/documentation/website/expansion/joesandbox_query.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.\n\nThis url can by the way come from the result of the [joesandbox_submit expansion module](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py).",
- "logo": "joesandbox.png",
- "requirements": [
- "jbxapi: Joe Sandbox API python3 library"
- ],
- "input": "Link of a Joe Sandbox sample or url submission.",
- "output": "MISP attributes & objects parsed from the analysis report.",
- "references": [
- "https://www.joesecurity.org",
- "https://www.joesandbox.com/"
- ],
- "features": "Module using the new format of modules able to return attributes and objects.\n\nThe module returns the same results as the import module [joe_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) taking directly the json report as input.\n\nEven if the introspection will allow all kinds of links to call this module, obviously only the ones presenting a sample or url submission in the Joe Sandbox API will return results.\n\nTo make it work you will need to fill the 'apikey' configuration with your Joe Sandbox API key and provide a valid link as input."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/joesandbox_submit.json b/documentation/website/expansion/joesandbox_submit.json
deleted file mode 100644
index 6da034a0..00000000
--- a/documentation/website/expansion/joesandbox_submit.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "A module to submit files or URLs to Joe Sandbox for an advanced analysis, and return the link of the submission.",
- "logo": "joesandbox.png",
- "requirements": [
- "jbxapi: Joe Sandbox API python3 library"
- ],
- "input": "Sample, url (or domain) to submit to Joe Sandbox for an advanced analysis.",
- "output": "Link of the report generated in Joe Sandbox.",
- "references": [
- "https://www.joesecurity.org",
- "https://www.joesandbox.com/"
- ],
- "features": "The module requires a Joe Sandbox API key to submit files or URL, and returns the link of the submitted analysis.\n\nIt is then possible, when the analysis is completed, to query the Joe Sandbox API to get the data related to the analysis, using the [joesandbox_query module](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) directly on this submission link."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/lastline_query.json b/documentation/website/expansion/lastline_query.json
deleted file mode 100644
index 9e764bba..00000000
--- a/documentation/website/expansion/lastline_query.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nQuery Lastline with an analysis link and parse the report into MISP attributes and objects.\nThe analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) expansion module.",
- "logo": "lastline.png",
- "requirements": [],
- "input": "Link to a Lastline analysis.",
- "output": "MISP attributes and objects parsed from the analysis report.",
- "references": [
- "https://www.lastline.com"
- ],
- "features": "The module requires a Lastline Portal `username` and `password`.\nThe module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) import module."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/lastline_submit.json b/documentation/website/expansion/lastline_submit.json
deleted file mode 100644
index cc394e2a..00000000
--- a/documentation/website/expansion/lastline_submit.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nModule to submit a file or URL to Lastline.",
- "logo": "lastline.png",
- "requirements": [],
- "input": "File or URL to submit to Lastline.",
- "output": "Link to the report generated by Lastline.",
- "references": [
- "https://www.lastline.com"
- ],
- "features": "The module requires a Lastline Analysis `api_token` and `key`.\nWhen the analysis is completed, it is possible to import the generated report by feeding the analysis link to the [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) module."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/macaddress_io.json b/documentation/website/expansion/macaddress_io.json
deleted file mode 100644
index 013564a2..00000000
--- a/documentation/website/expansion/macaddress_io.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "description": "MISP hover module for macaddress.io",
- "logo": "macaddress_io.png",
- "requirements": [
- "maclookup: macaddress.io python library",
- "An access to the macaddress.io API (apikey)"
- ],
- "input": "MAC address MISP attribute.",
- "output": "Text containing information on the MAC address fetched from a query on macaddress.io.",
- "references": [
- "https://macaddress.io/",
- "https://github.com/CodeLineFi/maclookup-python"
- ],
- "features": "This module takes a MAC address attribute as input and queries macaddress.io for additional information.\n\nThis information contains data about:\n- MAC address details\n- Vendor details\n- Block details"
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/macvendors.json b/documentation/website/expansion/macvendors.json
deleted file mode 100644
index 38c35887..00000000
--- a/documentation/website/expansion/macvendors.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to access Macvendors API.",
- "logo": "macvendors.png",
- "requirements": [],
- "input": "A MAC address.",
- "output": "Additional information about the MAC address.",
- "references": [
- "https://macvendors.com/",
- "https://macvendors.com/api"
- ],
- "features": "The module takes a MAC address as input and queries macvendors.com for some information about it. The API returns the name of the vendor related to the address."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/malwarebazaar.json b/documentation/website/expansion/malwarebazaar.json
deleted file mode 100644
index 8c8228c5..00000000
--- a/documentation/website/expansion/malwarebazaar.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "Query the MALWAREbazaar API to get additional information about the input hash attribute.",
- "requirements": [],
- "input": "A hash attribute (md5, sha1 or sha256).",
- "output": "File object(s) related to the input attribute found on MALWAREbazaar databases.",
- "references": [
- "https://bazaar.abuse.ch/"
- ],
- "features": "The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.\n\nThe module is using the new format of modules able to return object since the result is one or multiple MISP object(s)."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/mmdb_lookup.json b/documentation/website/expansion/mmdb_lookup.json
deleted file mode 100644
index ebfbf491..00000000
--- a/documentation/website/expansion/mmdb_lookup.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu.",
- "logo": "circl.png",
- "input": "An IP address attribute (for example ip-src or ip-src|port).",
- "output": "Geolocation and asn objects.",
- "references": [
- "https://data.public.lu/fr/datasets/geo-open-ip-address-geolocation-per-country-in-mmdb-format/",
- "https://github.com/adulau/mmdb-server"
- ],
- "features": "The module takes an IP address related attribute as input.\n It queries the public CIRCL.lu mmdb-server instance, available at ip.circl.lu, by default. The module can be configured with a custom mmdb server url if required.\n It is also possible to filter results on 1 db_source by configuring db_source_filter."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/mwdb.json b/documentation/website/expansion/mwdb.json
deleted file mode 100644
index 456a160b..00000000
--- a/documentation/website/expansion/mwdb.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to push malware samples to a MWDB instance",
- "requirements": [
- "* mwdblib installed (pip install mwdblib) ; * (optional) keys.py file to add tags of events/attributes to MWDB * (optional) MWDB attribute created for the link back to MISP (defined in mwdb_misp_attribute)"
- ],
- "input": "Attachment or malware sample",
- "output": "Link attribute that points to the sample at the MWDB instane",
- "references": [
- ],
- "features": "An expansion module to push malware samples to a MWDB (https://github.com/CERT-Polska/mwdb-core) instance. This module does not push samples to a sandbox. This can be achieved via Karton (connected to the MWDB). Does: * Upload of attachment or malware sample to MWDB * Tags of events and/or attributes are added to MWDB. * Comment of the MISP attribute is added to MWDB. * A link back to the MISP event is added to MWDB via the MWDB attribute. * A link to the MWDB attribute is added as an enrichted attribute to the MISP event."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/ocr_enrich.json b/documentation/website/expansion/ocr_enrich.json
deleted file mode 100644
index 0e8f627e..00000000
--- a/documentation/website/expansion/ocr_enrich.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "Module to process some optical character recognition on pictures.",
- "requirements": [
- "cv2: The OpenCV python library."
- ],
- "input": "A picture attachment.",
- "output": "Text and freetext fetched from the input picture.",
- "references": [],
- "features": "The module takes an attachment attributes as input and process some optical character recognition on it. The text found is then passed to the Freetext importer to extract potential IoCs."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/ods_enrich.json b/documentation/website/expansion/ods_enrich.json
deleted file mode 100644
index ade41054..00000000
--- a/documentation/website/expansion/ods_enrich.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to extract freetext from a .ods document.",
- "logo": "ods.png",
- "requirements": [
- "ezodf: Python package to create/manipulate OpenDocumentFormat files.",
- "pandas_ods_reader: Python library to read in ODS files."
- ],
- "input": "Attachment attribute containing a .ods document.",
- "output": "Text and freetext parsed from the document.",
- "references": [],
- "features": "The module reads the text contained in a .ods document. The result is passed to the freetext import parser so IoCs can be extracted out of it."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/odt_enrich.json b/documentation/website/expansion/odt_enrich.json
deleted file mode 100644
index 8922a9b9..00000000
--- a/documentation/website/expansion/odt_enrich.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to extract freetext from a .odt document.",
- "logo": "odt.png",
- "requirements": [
- "ODT reader python library."
- ],
- "input": "Attachment attribute containing a .odt document.",
- "output": "Text and freetext parsed from the document.",
- "references": [],
- "features": "The module reads the text contained in a .odt document. The result is passed to the freetext import parser so IoCs can be extracted out of it."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/onyphe.json b/documentation/website/expansion/onyphe.json
deleted file mode 100644
index f38ea25c..00000000
--- a/documentation/website/expansion/onyphe.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "description": "Module to process a query on Onyphe.",
- "logo": "onyphe.jpg",
- "requirements": [
- "onyphe python library",
- "An access to the Onyphe API (apikey)"
- ],
- "input": "A domain, hostname or IP address MISP attribute.",
- "output": "MISP attributes fetched from the Onyphe query.",
- "references": [
- "https://www.onyphe.io/",
- "https://github.com/sebdraven/pyonyphe"
- ],
- "features": "This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/onyphe_full.json b/documentation/website/expansion/onyphe_full.json
deleted file mode 100644
index e1a040a5..00000000
--- a/documentation/website/expansion/onyphe_full.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "description": "Module to process a full query on Onyphe.",
- "logo": "onyphe.jpg",
- "requirements": [
- "onyphe python library",
- "An access to the Onyphe API (apikey)"
- ],
- "input": "A domain, hostname or IP address MISP attribute.",
- "output": "MISP attributes fetched from the Onyphe query.",
- "references": [
- "https://www.onyphe.io/",
- "https://github.com/sebdraven/pyonyphe"
- ],
- "features": "This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.\n\nThe parsing is here more advanced than the one on onyphe module, and is returning more attributes, since more fields of the query result are watched and parsed."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/otx.json b/documentation/website/expansion/otx.json
deleted file mode 100644
index a17e2ff6..00000000
--- a/documentation/website/expansion/otx.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to get information from AlienVault OTX.",
- "logo": "otx.png",
- "requirements": [
- "An access to the OTX API (apikey)"
- ],
- "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512",
- "output": "MISP attributes mapped from the result of the query on OTX, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- email",
- "references": [
- "https://www.alienvault.com/open-threat-exchange"
- ],
- "features": "This module takes a MISP attribute as input to query the OTX Alienvault API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/passivessh.json b/documentation/website/expansion/passivessh.json
deleted file mode 100644
index 68f7eb74..00000000
--- a/documentation/website/expansion/passivessh.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "An expansion module to query the CIRCL Passive SSH.",
- "logo": "passivessh.png",
- "input": "IP addresses or SSH fingerprints",
- "output": "SSH key materials, complementary IP addresses with similar SSH key materials",
- "references": [
- "https://github.com/D4-project/passive-ssh"
- ],
- "features": "The module queries the Passive SSH service from CIRCL.\n \n The module can be used an hover module but also an expansion model to add related MISP objects.\n"
-}
diff --git a/documentation/website/expansion/passivetotal.json b/documentation/website/expansion/passivetotal.json
deleted file mode 100644
index 26835d50..00000000
--- a/documentation/website/expansion/passivetotal.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "",
- "logo": "passivetotal.png",
- "requirements": [
- "Passivetotal python library",
- "An access to the PassiveTotal API (apikey)"
- ],
- "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- x509-fingerprint-sha1\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-phone\n- text\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date",
- "output": "MISP attributes mapped from the result of the query on PassiveTotal, included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- x509-fingerprint-sha1\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-phone\n- text\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- md5\n- sha1\n- sha256\n- link",
- "references": [
- "https://www.passivetotal.org/register"
- ],
- "features": "The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register"
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/pdf_enrich.json b/documentation/website/expansion/pdf_enrich.json
deleted file mode 100644
index a17ef515..00000000
--- a/documentation/website/expansion/pdf_enrich.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to extract freetext from a PDF document.",
- "logo": "pdf.jpg",
- "requirements": [
- "pdftotext: Python library to extract text from PDF."
- ],
- "input": "Attachment attribute containing a PDF document.",
- "output": "Text and freetext parsed from the document.",
- "references": [],
- "features": "The module reads the text contained in a PDF document. The result is passed to the freetext import parser so IoCs can be extracted out of it."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/pptx_enrich.json b/documentation/website/expansion/pptx_enrich.json
deleted file mode 100644
index 664c70ab..00000000
--- a/documentation/website/expansion/pptx_enrich.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to extract freetext from a .pptx document.",
- "logo": "pptx.png",
- "requirements": [
- "pptx: Python library to read PowerPoint files."
- ],
- "input": "Attachment attribute containing a .pptx document.",
- "output": "Text and freetext parsed from the document.",
- "references": [],
- "features": "The module reads the text contained in a .pptx document. The result is passed to the freetext import parser so IoCs can be extracted out of it."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/qintel_qsentry.json b/documentation/website/expansion/qintel_qsentry.json
deleted file mode 100644
index 4994a62e..00000000
--- a/documentation/website/expansion/qintel_qsentry.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "A hover and expansion module which queries Qintel QSentry for ip reputation data",
- "logo": "qintel.png",
- "requirements": [
- "A Qintel API token"
- ],
- "input": "ip address attribute",
- "ouput": "Objects containing the enriched IP, threat tags, last seen attributes and associated Autonomous System information",
- "features": "This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the Qintel QSentry API to retrieve ip reputation data",
- "references": [
- "https://www.qintel.com/products/qsentry/"
- ]
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/qrcode.json b/documentation/website/expansion/qrcode.json
deleted file mode 100644
index f5855116..00000000
--- a/documentation/website/expansion/qrcode.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to decode QR codes.",
- "requirements": [
- "cv2: The OpenCV python library.",
- "pyzbar: Python library to read QR codes."
- ],
- "input": "A QR code stored as attachment attribute.",
- "output": "The URL or bitcoin address the QR code is pointing to.",
- "references": [],
- "features": "The module reads the QR code and returns the related address, which can be an URL or a bitcoin address."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/ransomcoindb.json b/documentation/website/expansion/ransomcoindb.json
deleted file mode 100644
index 26c3c556..00000000
--- a/documentation/website/expansion/ransomcoindb.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "descrption": "Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes.",
- "requirements": [
- "A ransomcoinDB API key."
- ],
- "input": "A hash (md5, sha1 or sha256) or btc attribute.",
- "output": "Hashes associated to a btc address or btc addresses associated to a hash.",
- "references": [
- "https://ransomcoindb.concinnity-risks.com"
- ],
- "features": "The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data.\n\nIf the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/rbl.json b/documentation/website/expansion/rbl.json
deleted file mode 100644
index 942daa70..00000000
--- a/documentation/website/expansion/rbl.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to check an IPv4 address against known RBLs.",
- "requirements": [
- "dnspython3: DNS python3 library"
- ],
- "input": "IP address attribute.",
- "output": "Text with additional data from Real-time Blackhost Lists about the IP address.",
- "references": [
- "[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20)"
- ],
- "features": "This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.\n\nWe display then all the information we get from those different sources."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/recordedfuture.json b/documentation/website/expansion/recordedfuture.json
deleted file mode 100644
index 91cf23eb..00000000
--- a/documentation/website/expansion/recordedfuture.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to enrich attributes with threat intelligence from Recorded Future.",
- "logo": "recordedfuture.png",
- "requirements": [
- "A Recorded Future API token."
- ],
- "input": "A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness.",
- "output": "A MISP object containing a copy of the enriched attribute with added tags from Recorded Future and a list of new attributes related to the enriched attribute.",
- "references": [
- "https://www.recordedfuture.com/"
- ],
- "features": "Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/reversedns.json b/documentation/website/expansion/reversedns.json
deleted file mode 100644
index cdd34192..00000000
--- a/documentation/website/expansion/reversedns.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.",
- "requirements": [
- "DNS python library"
- ],
- "input": "An IP address attribute.",
- "output": "Hostname attribute the input is resolved into.",
- "features": "The module takes an IP address as input and tries to find the hostname this IP address is resolved into.\n\nThe address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).\n\nPlease note that composite MISP attributes containing IP addresses are supported as well."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/securitytrails.json b/documentation/website/expansion/securitytrails.json
deleted file mode 100644
index 97f81b4c..00000000
--- a/documentation/website/expansion/securitytrails.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "An expansion modules for SecurityTrails.",
- "logo": "securitytrails.png",
- "requirements": [
- "dnstrails python library",
- "An access to the SecurityTrails API (apikey)"
- ],
- "input": "A domain, hostname or IP address attribute.",
- "output": "MISP attributes resulting from the query on SecurityTrails API, included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- dns-soa-email\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- domain",
- "references": [
- "https://securitytrails.com/"
- ],
- "features": "The module takes a domain, hostname or IP address attribute as input and queries the SecurityTrails API with it.\n\nMultiple parsing operations are then processed on the result of the query to extract a much information as possible.\n\nFrom this data extracted are then mapped MISP attributes."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/shodan.json b/documentation/website/expansion/shodan.json
deleted file mode 100644
index 703a0847..00000000
--- a/documentation/website/expansion/shodan.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Module to query on Shodan.",
- "logo": "shodan.png",
- "requirements": [
- "shodan python library",
- "An access to the Shodan API (apikey)"
- ],
- "input": "An IP address MISP attribute.",
- "output": "Text with additional data about the input, resulting from the query on Shodan.",
- "references": [
- "https://www.shodan.io/"
- ],
- "features": "The module takes an IP address as input and queries the Shodan API to get some additional data about it."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/sigma_queries.json b/documentation/website/expansion/sigma_queries.json
deleted file mode 100644
index c9671125..00000000
--- a/documentation/website/expansion/sigma_queries.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion hover module to display the result of sigma queries.",
- "logo": "sigma.png",
- "requirements": [
- "Sigma python library"
- ],
- "input": "A Sigma attribute.",
- "output": "Text displaying results of queries on the Sigma attribute.",
- "references": [
- "https://github.com/Neo23x0/sigma/wiki"
- ],
- "features": "This module takes a Sigma rule attribute as input and tries all the different queries available to convert it into different formats recognized by SIEMs."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/sigma_syntax_validator.json b/documentation/website/expansion/sigma_syntax_validator.json
deleted file mode 100644
index b90c931d..00000000
--- a/documentation/website/expansion/sigma_syntax_validator.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "An expansion hover module to perform a syntax check on sigma rules.",
- "logo": "sigma.png",
- "requirements": [
- "Sigma python library",
- "Yaml python library"
- ],
- "input": "A Sigma attribute.",
- "output": "Text describing the validity of the Sigma rule.",
- "references": [
- "https://github.com/Neo23x0/sigma/wiki"
- ],
- "features": "This module takes a Sigma rule attribute as input and performs a syntax check on it.\n\nIt displays then that the rule is valid if it is the case, and the error related to the rule otherwise."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/sigmf-expand.json b/documentation/website/expansion/sigmf-expand.json
deleted file mode 100644
index 2a0fe024..00000000
--- a/documentation/website/expansion/sigmf-expand.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Enrichs a SigMF Recording or extracts a SigMF Archive into a SigMF Recording.",
- "requirements": [
- "matplotlib: For plotting the waterfall plot of the recording.",
- "numpy: For the waterfall plot of the recording.",
- "sigmf: For validating SigMF files."
- ],
- "input": "Object of sigmf-archive or sigmf-recording template.",
- "output": "Object of sigmf-expanded-recording or sigmf-recording template.",
- "references": [
- "https://github.com/sigmf/SigMF"
- ],
- "features": "This module can be used to expand a SigMF Recording object into a SigMF Expanded Recording object with a waterfall plot or to extract a SigMF Archive object into a SigMF Recording objet."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/socialscan.json b/documentation/website/expansion/socialscan.json
deleted file mode 100644
index a1cf359b..00000000
--- a/documentation/website/expansion/socialscan.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "description": "A hover module to get information on the availability of an email address or username on some online platforms.",
- "requirements": ["The socialscan python library"],
- "input": "An email address or usename attribute.",
- "output": "Text containing information about the availability of an email address or a username in some online platforms.",
- "references": ["https://github.com/iojw/socialscan"],
- "features": "The module takes an email address or username as input and check its availability on some online platforms. The results for each platform are then returned to see if the email address or the username is used, available or if there is an issue with it."
-}
diff --git a/documentation/website/expansion/sophoslabs_intelix.json b/documentation/website/expansion/sophoslabs_intelix.json
deleted file mode 100644
index 88711924..00000000
--- a/documentation/website/expansion/sophoslabs_intelix.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.",
- "logo": "sophoslabs_intelix.svg",
- "requirements": [
- "A client_id and client_secret pair to authenticate to the SophosLabs Intelix API"
- ],
- "input": "An ip address, url, domain or sha256 attribute.",
- "output": "SophosLabs Intelix report and lookup objects",
- "references": [
- "https://aws.amazon.com/marketplace/pp/B07SLZPMCS"
- ],
- "features": "The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/sourcecache.json b/documentation/website/expansion/sourcecache.json
deleted file mode 100644
index 4340f2c4..00000000
--- a/documentation/website/expansion/sourcecache.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.",
- "requirements": [
- "urlarchiver: python library to fetch and archive URL on the file-system"
- ],
- "input": "A link or url attribute.",
- "output": "A malware-sample attribute describing the cached page.",
- "references": [
- "https://github.com/adulau/url_archiver"
- ],
- "features": "This module takes a link or url attribute as input and caches the related web page. It returns then a link of the cached page."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/stairwell.json b/documentation/website/expansion/stairwell.json
deleted file mode 100644
index 21159783..00000000
--- a/documentation/website/expansion/stairwell.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Module to query the Stairwell API to get additional information about the input hash attribute",
- "logo": "stairwell.png",
- "requirements": [
- "Access to Stairwell platform (apikey)"
- ],
- "input": "A hash attribute (md5, sha1, sha256).",
- "output": "File object related to the input attribute found on Stairwell platform.",
- "references": [
- "https://stairwell.com",
- "https://docs.stairwell.com"
- ],
- "features": "The module takes a hash attribute as input and queries Stariwell's API to fetch additional data about it. The result, if the payload is observed in Stariwell, is a file object describing the file the input hash is related to."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/stix2_pattern_syntax_validator.json b/documentation/website/expansion/stix2_pattern_syntax_validator.json
deleted file mode 100644
index 0ac079dc..00000000
--- a/documentation/website/expansion/stix2_pattern_syntax_validator.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion hover module to perform a syntax check on stix2 patterns.",
- "logo": "stix.png",
- "requirements": [
- "stix2patterns python library"
- ],
- "input": "A STIX2 pattern attribute.",
- "output": "Text describing the validity of the STIX2 pattern.",
- "references": [
- "[STIX2.0 patterning specifications](http://docs.oasis-open.org/cti/stix/v2.0/cs01/part5-stix-patterning/stix-v2.0-cs01-part5-stix-patterning.html)"
- ],
- "features": "This module takes a STIX2 pattern attribute as input and performs a syntax check on it.\n\nIt displays then that the rule is valid if it is the case, and the error related to the rule otherwise."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/threatcrowd.json b/documentation/website/expansion/threatcrowd.json
deleted file mode 100644
index e279ece5..00000000
--- a/documentation/website/expansion/threatcrowd.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "Module to get information from ThreatCrowd.",
- "logo": "threatcrowd.png",
- "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512\n- whois-registrant-email",
- "output": "MISP attributes mapped from the result of the query on ThreatCrowd, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- hostname\n- whois-registrant-email",
- "references": [
- "https://www.threatcrowd.org/"
- ],
- "features": "This module takes a MISP attribute as input and queries ThreatCrowd with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/threatminer.json b/documentation/website/expansion/threatminer.json
deleted file mode 100644
index 0b0d6416..00000000
--- a/documentation/website/expansion/threatminer.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "Module to get information from ThreatMiner.",
- "logo": "threatminer.png",
- "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512",
- "output": "MISP attributes mapped from the result of the query on ThreatMiner, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- ssdeep\n- authentihash\n- filename\n- whois-registrant-email\n- url\n- link",
- "references": [
- "https://www.threatminer.org/"
- ],
- "features": "This module takes a MISP attribute as input and queries ThreatMiner with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/trustar_enrich.json b/documentation/website/expansion/trustar_enrich.json
deleted file mode 100644
index 415f52d2..00000000
--- a/documentation/website/expansion/trustar_enrich.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "Module to get enrich indicators with TruSTAR.",
- "logo": "trustar.png",
- "input": "Any of the following MISP attributes:\n- btc\n- domain\n- email-src\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- url",
- "output": "MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.",
- "references": [
- "https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html"
- ],
- "features": "This module enriches MISP attributes with scoring and metadata from TruSTAR.\n\nThe TruSTAR indicator summary is appended to the attributes along with links to any associated reports."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/urlhaus.json b/documentation/website/expansion/urlhaus.json
deleted file mode 100644
index cd596610..00000000
--- a/documentation/website/expansion/urlhaus.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Query of the URLhaus API to get additional information about the input attribute.",
- "logo": "urlhaus.png",
- "requirements": [],
- "input": "A domain, hostname, url, ip, md5 or sha256 attribute.",
- "output": "MISP attributes & objects fetched from the result of the URLhaus API query.",
- "references": [
- "https://urlhaus.abuse.ch/"
- ],
- "features": "Module using the new format of modules able to return attributes and objects.\n\nThe module takes one of the attribute type specified as input, and query the URLhaus API with it. If any result is returned by the API, attributes and objects are created accordingly."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/urlscan.json b/documentation/website/expansion/urlscan.json
deleted file mode 100644
index 3aab2ab5..00000000
--- a/documentation/website/expansion/urlscan.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion module to query urlscan.io.",
- "logo": "urlscan.jpg",
- "requirements": [
- "An access to the urlscan.io API"
- ],
- "input": "A domain, hostname or url attribute.",
- "output": "MISP attributes mapped from the result of the query on urlscan.io.",
- "references": [
- "https://urlscan.io/"
- ],
- "features": "This module takes a MISP attribute as input and queries urlscan.io with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/variotdbs.json b/documentation/website/expansion/variotdbs.json
deleted file mode 100644
index f5618661..00000000
--- a/documentation/website/expansion/variotdbs.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion module to query the VARIoT db API for more information about a vulnerability.",
- "logo": "variot.png",
- "requirements": [
- "A VARIoT db API key (if you do not want to be limited to 100 queries / day)"
- ],
- "input": "Vulnerability attribute.",
- "output": "Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.",
- "references": [
- "https://www.variotdbs.pl/"
- ],
- "features": "The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.\n\nThe `vuln` endpoint is queried first to look for additional information about the vulnerability itself.\n\nThe `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template."
-}
diff --git a/documentation/website/expansion/virustotal.json b/documentation/website/expansion/virustotal.json
deleted file mode 100644
index 1900fd52..00000000
--- a/documentation/website/expansion/virustotal.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Module to get advanced information from virustotal.",
- "logo": "virustotal.png",
- "requirements": [
- "An access to the VirusTotal API (apikey), with a high request rate limit."
- ],
- "input": "A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.",
- "output": "MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.",
- "references": [
- "https://www.virustotal.com/",
- "https://docs.virustotal.com/reference/overview"
- ],
- "features": "New format of modules able to return attributes and objects.\n\nA module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.\n\nCompared to the [standard VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/virustotal_public.py), this module is made for advanced parsing of VirusTotal report, with a recursive analysis of the elements found after the first request.\n\nThus, it requires a higher request rate limit to avoid the API to return a 204 error (Request rate limit exceeded), and the data parsed from the different requests are returned as MISP attributes and objects, with the corresponding relations between each one of them."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/virustotal_public.json b/documentation/website/expansion/virustotal_public.json
deleted file mode 100644
index 3a5086cf..00000000
--- a/documentation/website/expansion/virustotal_public.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Module to get information from VirusTotal.",
- "logo": "virustotal.png",
- "requirements": [
- "An access to the VirusTotal API (apikey)"
- ],
- "input": "A domain, hostname, ip, url or hash (md5, sha1, sha256 or sha512) attribute.",
- "output": "MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.",
- "references": [
- "https://www.virustotal.com",
- "https://docs.virustotal.com/reference/overview"
- ],
- "features": "New format of modules able to return attributes and objects.\n\nA module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.\n\nCompared to the [more advanced VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/virustotal.py), this module is made for VirusTotal users who have a low request rate limit.\n\nThus, it only queries the API once and returns the results that is parsed into MISP attributes and objects."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/vmray_submit.json b/documentation/website/expansion/vmray_submit.json
deleted file mode 100644
index 2b387923..00000000
--- a/documentation/website/expansion/vmray_submit.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to submit a sample to VMRay.",
- "logo": "vmray.png",
- "requirements": [
- "An access to the VMRay API (apikey & url)"
- ],
- "input": "An attachment or malware-sample attribute.",
- "output": "MISP attributes mapped from the result of the query on VMRay API, included in the following list:\n- text\n- sha1\n- sha256\n- md5\n- link",
- "references": [
- "https://www.vmray.com/"
- ],
- "features": "This module takes an attachment or malware-sample attribute as input to query the VMRay API.\n\nThe sample contained within the attribute in then enriched with data from VMRay mapped into MISP attributes."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/vmware_nsx.json b/documentation/website/expansion/vmware_nsx.json
deleted file mode 100644
index c7e5b024..00000000
--- a/documentation/website/expansion/vmware_nsx.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Module to enrich a file or URL with VMware NSX Defender.",
- "logo": "vmware_nsx.png",
- "requirements": [
- "The module requires a VMware NSX Defender Analysis `api_token` and `key`."
- ],
- "input": "File hash, attachment or URL to be enriched with VMware NSX Defender.",
- "output": "Objects and tags generated by VMware NSX Defender.",
- "references": [
- "https://www.vmware.com"
- ],
- "features": "This module takes an IoC such as file hash, file attachment, malware-sample or url as input to query VMware NSX Defender.\n\nThe IoC is then enriched with data from VMware NSX Defender."
-}
-
diff --git a/documentation/website/expansion/vulndb.json b/documentation/website/expansion/vulndb.json
deleted file mode 100644
index e1dd869c..00000000
--- a/documentation/website/expansion/vulndb.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to query VulnDB (RiskBasedSecurity.com).",
- "logo": "vulndb.png",
- "requirements": [
- "An access to the VulnDB API (apikey, apisecret)"
- ],
- "input": "A vulnerability attribute.",
- "output": "Additional data enriching the CVE input, fetched from VulnDB.",
- "references": [
- "https://vulndb.cyberriskanalytics.com/"
- ],
- "features": "This module takes a vulnerability attribute as input and queries VulnDB in order to get some additional data about it.\n\nThe API gives the result of the query which can be displayed in the screen, and/or mapped into MISP attributes to add in the event."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/vulners.json b/documentation/website/expansion/vulners.json
deleted file mode 100644
index ab5a7786..00000000
--- a/documentation/website/expansion/vulners.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "An expansion hover module to expand information about CVE id using Vulners API.",
- "logo": "vulners.png",
- "requirements": [
- "Vulners python library",
- "An access to the Vulners API"
- ],
- "input": "A vulnerability attribute.",
- "output": "Text giving additional information about the CVE in input.",
- "references": [
- "https://vulners.com/"
- ],
- "features": "This module takes a vulnerability attribute as input and queries the Vulners API in order to get some additional data about it.\n\nThe API then returns details about the vulnerability."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/vysion.json b/documentation/website/expansion/vysion.json
deleted file mode 100644
index 20eb2df9..00000000
--- a/documentation/website/expansion/vysion.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "description": "Module to enrich the information by making use of the Vysion API.",
- "logo": "vysion.png",
- "requirements": [
- "Vysion python library",
- "Vysion API Key"
- ],
- "input": "company(target-org), country, info, BTC, XMR and DASH address.",
- "output": "MISP objects containing title, link to our webapp and TOR, i2p or clearnet URLs.",
- "references": [
- "https://vysion.ai/",
- "https://developers.vysion.ai/",
- "https://github.com/ByronLabs/vysion-cti/tree/main"
- ],
- "features": "This module gets correlated information from Byron Labs' dark web intelligence database. With this you will get several objects containing information related to, for example, an organization victim of a ransomware attack."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/whois.json b/documentation/website/expansion/whois.json
deleted file mode 100644
index bba08280..00000000
--- a/documentation/website/expansion/whois.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).",
- "requirements": [
- "uwhois: A whois python library"
- ],
- "input": "A domain or IP address attribute.",
- "output": "Text describing the result of a whois request for the input value.",
- "references": [
- "https://github.com/rafiot/uwhoisd"
- ],
- "features": "This module takes a domain or IP address attribute as input and queries a 'Univseral Whois proxy server' to get the correct details of the Whois query on the input value (check the references for more details about this whois server)."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/whoisfreaks.json b/documentation/website/expansion/whoisfreaks.json
deleted file mode 100644
index 0e55373d..00000000
--- a/documentation/website/expansion/whoisfreaks.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.\nOur Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security. \nExplore our website's product section at https://whoisfreaks.com/ for a wide range of additional services catering to threat intelligence and attack surface analysis needs.",
- "logo": "whoisfreaks.png",
- "requirements": [
- "An access to the Whoisfreaks API_KEY"
- ],
- "input": "A domain whose Data is required",
- "output": "MISP attributes resulting from the query on Whoisfreaks API, included in the following list:\n- domain\n- dns-soa-email\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- domain",
- "references": [
- "https://whoisfreaks.com/"
- ],
- "features": "The module takes a domain as input and queries the Whoisfreaks API with it.\n\nSome parsing operations are then processed on the result of the query to extract as much information as possible.\n\nAfter this we map the extracted data to MISP attributes."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/wiki.json b/documentation/website/expansion/wiki.json
deleted file mode 100644
index 36bb0099..00000000
--- a/documentation/website/expansion/wiki.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.",
- "logo": "wikidata.png",
- "requirements": [
- "SPARQLWrapper python library"
- ],
- "input": "Text attribute.",
- "output": "Text attribute.",
- "references": [
- "https://www.wikidata.org"
- ],
- "features": "This module takes a text attribute as input and queries the Wikidata API. If the text attribute is clear enough to define a specific term, the API returns a wikidata link in response."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/xforceexchange.json b/documentation/website/expansion/xforceexchange.json
deleted file mode 100644
index fe6fcbb8..00000000
--- a/documentation/website/expansion/xforceexchange.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion module for IBM X-Force Exchange.",
- "logo": "xforce.png",
- "requirements": [
- "An access to the X-Force API (apikey)"
- ],
- "input": "A MISP attribute included in the following list:\n- ip-src\n- ip-dst\n- vulnerability\n- md5\n- sha1\n- sha256",
- "output": "MISP attributes mapped from the result of the query on X-Force Exchange.",
- "references": [
- "https://exchange.xforce.ibmcloud.com/"
- ],
- "features": "This module takes a MISP attribute as input to query the X-Force API. The API returns then additional information known in their threats data, that is mapped into MISP attributes."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/xlsx_enrich.json b/documentation/website/expansion/xlsx_enrich.json
deleted file mode 100644
index dff623da..00000000
--- a/documentation/website/expansion/xlsx_enrich.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to extract freetext from a .xlsx document.",
- "logo": "xlsx.png",
- "requirements": [
- "pandas: Python library to perform data analysis, time series and statistics."
- ],
- "input": "Attachment attribute containing a .xlsx document.",
- "output": "Text and freetext parsed from the document.",
- "references": [],
- "features": "The module reads the text contained in a .xlsx document. The result is passed to the freetext import parser so IoCs can be extracted out of it."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/yara_query.json b/documentation/website/expansion/yara_query.json
deleted file mode 100644
index 453e5993..00000000
--- a/documentation/website/expansion/yara_query.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "An expansion & hover module to translate any hash attribute into a yara rule.",
- "logo": "yara.png",
- "requirements": [
- "yara-python python library"
- ],
- "features": "The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module.\nBoth hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules.",
- "input": "MISP Hash attribute (md5, sha1, sha256, imphash, or any of the composite attribute with filename and one of the previous hash type).",
- "output": "YARA rule.",
- "references": [
- "https://virustotal.github.io/yara/",
- "https://github.com/virustotal/yara-python"
- ]
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/yara_syntax_validator.json b/documentation/website/expansion/yara_syntax_validator.json
deleted file mode 100644
index 72550b2b..00000000
--- a/documentation/website/expansion/yara_syntax_validator.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "An expansion hover module to perform a syntax check on if yara rules are valid or not.",
- "logo": "yara.png",
- "requirements": [
- "yara_python python library"
- ],
- "input": "YARA rule attribute.",
- "output": "Text to inform users if their rule is valid.",
- "references": [
- "http://virustotal.github.io/yara/"
- ],
- "features": "This modules simply takes a YARA rule as input, and checks its syntax. It returns then a confirmation if the syntax is valid, otherwise the syntax error is displayed."
-}
\ No newline at end of file
diff --git a/documentation/website/expansion/yeti.json b/documentation/website/expansion/yeti.json
deleted file mode 100644
index 93341dc5..00000000
--- a/documentation/website/expansion/yeti.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "Module to process a query on Yeti.",
- "logo": "yeti.png",
- "requirements": ["pyeti", "API key "],
- "input": "A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute.",
- "output": "MISP attributes and objects fetched from the Yeti instances.",
- "references": ["https://github.com/yeti-platform/yeti", "https://github.com/sebdraven/pyeti"],
- "features": "This module add context and links between observables using yeti"
-}
diff --git a/documentation/website/export_mod/cef_export.json b/documentation/website/export_mod/cef_export.json
deleted file mode 100644
index cd247a72..00000000
--- a/documentation/website/export_mod/cef_export.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "Module to export a MISP event in CEF format.",
- "requirements": [],
- "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format.\nThus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data.",
- "references": [
- "https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306?attachment-id=65537"
- ],
- "input": "MISP Event attributes",
- "output": "Common Event Format file"
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/cisco_firesight_manager_ACL_rule_export.json b/documentation/website/export_mod/cisco_firesight_manager_ACL_rule_export.json
deleted file mode 100644
index b9c72f93..00000000
--- a/documentation/website/export_mod/cisco_firesight_manager_ACL_rule_export.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.",
- "logo": "cisco.png",
- "requirements": [
- "Firesight manager console credentials"
- ],
- "input": "Network activity attributes (IPs, URLs).",
- "output": "Cisco fireSIGHT manager block rules.",
- "references": [],
- "features": "The module goes through the attributes to find all the network activity ones in order to create block rules for the Cisco fireSIGHT manager."
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/defender_endpoint_export.json b/documentation/website/export_mod/defender_endpoint_export.json
deleted file mode 100644
index ee45766e..00000000
--- a/documentation/website/export_mod/defender_endpoint_export.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Defender for Endpoint KQL hunting query export module",
- "requirements": [],
- "features": "This module export an event as Defender for Endpoint KQL queries that can then be used in your own python3 or Powershell tool. If you are using Microsoft Sentinel, you can directly connect your MISP instance to Sentinel and then create queries using the `ThreatIntelligenceIndicator` table to match events against imported IOC.",
- "references": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference"
- ],
- "input": "MISP Event attributes",
- "output": "Defender for Endpoint KQL queries",
- "logo": "defender_endpoint.png"
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/goamlexport.json b/documentation/website/export_mod/goamlexport.json
deleted file mode 100644
index aaab295b..00000000
--- a/documentation/website/export_mod/goamlexport.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "This module is used to export MISP events containing transaction objects into GoAML format.",
- "logo": "goAML.jpg",
- "requirements": [
- "PyMISP",
- "MISP objects"
- ],
- "features": "The module works as long as there is at least one transaction object in the Event.\n\nThen in order to have a valid GoAML document, please follow these guidelines:\n- For each transaction object, use either a bank-account, person, or legal-entity object to describe the origin of the transaction, and again one of them to describe the target of the transaction.\n- Create an object reference for both origin and target objects of the transaction.\n- A bank-account object needs a signatory, which is a person object, put as object reference of the bank-account.\n- A person can have an address, which is a geolocation object, put as object reference of the person.\n\nSupported relation types for object references that are recommended for each object are the folowing:\n- transaction:\n\t- 'from', 'from_my_client': Origin of the transaction - at least one of them is required.\n\t- 'to', 'to_my_client': Target of the transaction - at least one of them is required.\n\t- 'address': Location of the transaction - optional.\n- bank-account:\n\t- 'signatory': Signatory of a bank-account - the reference from bank-account to a signatory is required, but the relation-type is optional at the moment since this reference will always describe a signatory.\n\t- 'entity': Entity owning the bank account - optional.\n- person:\n\t- 'address': Address of a person - optional.",
- "references": [
- "http://goaml.unodc.org/"
- ],
- "input": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.",
- "output": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities)."
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/liteexport.json b/documentation/website/export_mod/liteexport.json
deleted file mode 100644
index 1f910399..00000000
--- a/documentation/website/export_mod/liteexport.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "description": "Lite export of a MISP event.",
- "requirements": [],
- "features": "This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty.",
- "references": [],
- "input": "MISP Event attributes",
- "output": "Lite MISP Event"
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/mass_eql_export.json b/documentation/website/export_mod/mass_eql_export.json
deleted file mode 100644
index 30b12a9b..00000000
--- a/documentation/website/export_mod/mass_eql_export.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Mass EQL query export for a MISP event.",
- "logo": "eql.png",
- "requirements": [],
- "features": "This module produces EQL queries for all relevant attributes in a MISP event.",
- "references": [
- "https://eql.readthedocs.io/en/latest/"
- ],
- "input": "MISP Event attributes",
- "output": "Text file containing one or more EQL queries"
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/nexthinkexport.json b/documentation/website/export_mod/nexthinkexport.json
deleted file mode 100644
index 0c06f9eb..00000000
--- a/documentation/website/export_mod/nexthinkexport.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Nexthink NXQL query export module",
- "requirements": [],
- "features": "This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell",
- "references": [
- "https://doc.nexthink.com/Documentation/Nexthink/latest/APIAndIntegrations/IntroducingtheWebAPIV2"
- ],
- "input": "MISP Event attributes",
- "output": "Nexthink NXQL queries",
- "logo": "nexthink.svg"
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/osqueryexport.json b/documentation/website/export_mod/osqueryexport.json
deleted file mode 100644
index 5b563c00..00000000
--- a/documentation/website/export_mod/osqueryexport.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "OSQuery export of a MISP event.",
- "requirements": [],
- "features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.",
- "references": [],
- "input": "MISP Event attributes",
- "output": "osquery SQL queries",
- "logo": "osquery.png"
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/pdfexport.json b/documentation/website/export_mod/pdfexport.json
deleted file mode 100644
index b23c6815..00000000
--- a/documentation/website/export_mod/pdfexport.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Simple export of a MISP event to PDF.",
- "requirements": [
- "PyMISP",
- "reportlab"
- ],
- "features": "The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of reportlab, used to create the file, there is no special feature concerning the Event. Some parameters can be given through the config dict. 'MISP_base_url_for_dynamic_link' is your MISP URL, to attach an hyperlink to your event on your MISP instance from the PDF. Keep it clear to avoid hyperlinks in the generated pdf.\n 'MISP_name_for_metadata' is your CERT or MISP instance name. Used as text in the PDF' metadata\n 'Activate_textual_description' is a boolean (True or void) to activate the textual description/header abstract of an event\n 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.\n 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !\n 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.\n 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option ",
- "references": [
- "https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html"
- ],
- "input": "MISP Event",
- "output": "MISP Event in a PDF file."
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/testexport.json b/documentation/website/export_mod/testexport.json
deleted file mode 100644
index 884ccbe0..00000000
--- a/documentation/website/export_mod/testexport.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "description": "Skeleton export module."
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/threatStream_misp_export.json b/documentation/website/export_mod/threatStream_misp_export.json
deleted file mode 100644
index b096f411..00000000
--- a/documentation/website/export_mod/threatStream_misp_export.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Module to export a structured CSV file for uploading to threatStream.",
- "logo": "threatstream.png",
- "requirements": [
- "csv"
- ],
- "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatStream.",
- "references": [
- "https://www.anomali.com/platform/threatstream",
- "https://github.com/threatstream"
- ],
- "input": "MISP Event attributes",
- "output": "ThreatStream CSV format file"
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/threat_connect_export.json b/documentation/website/export_mod/threat_connect_export.json
deleted file mode 100644
index 23708ddb..00000000
--- a/documentation/website/export_mod/threat_connect_export.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to export a structured CSV file for uploading to ThreatConnect.",
- "logo": "threatconnect.png",
- "requirements": [
- "csv"
- ],
- "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect.\nUsers should then provide, as module configuration, the source of data they export, because it is required by the output format.",
- "references": [
- "https://www.threatconnect.com"
- ],
- "input": "MISP Event attributes",
- "output": "ThreatConnect CSV format file"
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/virustotal_collections.json b/documentation/website/export_mod/virustotal_collections.json
deleted file mode 100644
index 1ecdbe92..00000000
--- a/documentation/website/export_mod/virustotal_collections.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Creates a VT Collection from an event iocs.",
- "logo": "virustotal.png",
- "requirements": [
- "An access to the VirusTotal API (apikey)."
- ],
- "input": "A domain, hash (md5, sha1, sha256 or sha512), hostname, url or IP address attribute.",
- "output": "A VirusTotal collection in VT.",
- "references": [
- "https://www.virustotal.com/",
- "https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html"
- ],
- "features": "This export module which takes advantage of a new endpoint in VT APIv3 to create VT Collections from IOCs contained in a MISP event. With this module users will be able to create a collection just using the Download as... button."
-}
diff --git a/documentation/website/export_mod/vt_graph.json b/documentation/website/export_mod/vt_graph.json
deleted file mode 100644
index 993c7917..00000000
--- a/documentation/website/export_mod/vt_graph.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "This module is used to create a VirusTotal Graph from a MISP event.",
- "logo": "virustotal.png",
- "requirements": [
- "vt_graph_api, the python library to query the VirusTotal graph API"
- ],
- "features": "The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.\n\nOnce the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.",
- "references": [
- "https://www.virustotal.com/gui/graph-overview"
- ],
- "input": "A MISP event.",
- "output": "Link of the VirusTotal Graph created for the event."
-}
\ No newline at end of file
diff --git a/documentation/website/export_mod/yara_export.json b/documentation/website/export_mod/yara_export.json
deleted file mode 100644
index caa258fd..00000000
--- a/documentation/website/export_mod/yara_export.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "This module is used to export MISP events to YARA.",
- "logo": "yara.png",
- "requirements": [
- "yara-python python library"
- ],
- "features": "The module will dynamically generate YARA rules for attributes that are marked as to IDS. Basic metadata about the event is added to the rule.\nAttributes that are already YARA rules are also exported, with a rewritten rule name.",
- "references": [
- "https://virustotal.github.io/yara/"
- ],
- "input": "Attributes and Objects.",
- "output": "A YARA file that can be used with the YARA scanning tool."
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/cof2misp.json b/documentation/website/import_mod/cof2misp.json
deleted file mode 100644
index cbbb0ccf..00000000
--- a/documentation/website/import_mod/cof2misp.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Passive DNS Common Output Format (COF) MISP importer",
- "requirements": [
- "PyMISP"
- ],
- "features": "Takes as input a valid COF file or the output of the dnsdbflex utility and creates MISP objects for the input.",
- "references": [
- "https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html"
- ],
- "input": "Passive DNS output in Common Output Format (COF)",
- "output": "MISP objects"
-}
diff --git a/documentation/website/import_mod/csvimport.json b/documentation/website/import_mod/csvimport.json
deleted file mode 100644
index 61bc6ccd..00000000
--- a/documentation/website/import_mod/csvimport.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to import MISP attributes from a csv file.",
- "requirements": [
- "PyMISP"
- ],
- "features": "In order to parse data from a csv file, a header is required to let the module know which column is matching with known attribute fields / MISP types.\n\nThis header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, ').\n\nIf the csv file already contains a header that does not start by a '#', you should tick the checkbox 'has_header' to avoid importing it and have potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason why you would redefine a header is for instance when you want to skip some fields, or some fields are not valid types.",
- "references": [
- "https://tools.ietf.org/html/rfc4180",
- "https://tools.ietf.org/html/rfc7111"
- ],
- "input": "CSV format file.",
- "output": "MISP Event attributes"
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/cuckooimport.json b/documentation/website/import_mod/cuckooimport.json
deleted file mode 100644
index 2e51ea8e..00000000
--- a/documentation/website/import_mod/cuckooimport.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to import Cuckoo JSON.",
- "logo": "cuckoo.png",
- "requirements": [],
- "features": "The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work.",
- "references": [
- "https://cuckoosandbox.org/",
- "https://github.com/cuckoosandbox/cuckoo"
- ],
- "input": "Cuckoo JSON file",
- "output": "MISP Event attributes"
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/email_import.json b/documentation/website/import_mod/email_import.json
deleted file mode 100644
index 95ec3c78..00000000
--- a/documentation/website/import_mod/email_import.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "description": "Module to import emails in MISP.",
- "requirements": [],
- "features": "This module can be used to import e-mail text as well as attachments and urls.\n3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.",
- "references": [],
- "input": "E-mail file",
- "output": "MISP Event attributes"
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/goamlimport.json b/documentation/website/import_mod/goamlimport.json
deleted file mode 100644
index e8f12cfc..00000000
--- a/documentation/website/import_mod/goamlimport.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Module to import MISP objects about financial transactions from GoAML files.",
- "logo": "goAML.jpg",
- "requirements": [
- "PyMISP"
- ],
- "features": "Unlike the GoAML export module, there is here no special feature to import data from GoAML external files, since the module will import MISP Objects with their References on its own, as it is required for the export module to rebuild a valid GoAML document.",
- "references": "http://goaml.unodc.org/",
- "input": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).",
- "output": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target."
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/joe_import.json b/documentation/website/import_mod/joe_import.json
deleted file mode 100644
index 234259f5..00000000
--- a/documentation/website/import_mod/joe_import.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "A module to import data from a Joe Sandbox analysis json report.",
- "logo": "joesandbox.png",
- "requirements": [],
- "input": "Json report of a Joe Sandbox analysis.",
- "output": "MISP attributes & objects parsed from the analysis report.",
- "references": [
- "https://www.joesecurity.org",
- "https://www.joesandbox.com/"
- ],
- "features": "Module using the new format of modules able to return attributes and objects.\n\nThe module returns the same results as the expansion module [joesandbox_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) using the submission link of the analysis to get the json report."
-}
diff --git a/documentation/website/import_mod/lastline_import.json b/documentation/website/import_mod/lastline_import.json
deleted file mode 100644
index 17b899ad..00000000
--- a/documentation/website/import_mod/lastline_import.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "description": "Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nModule to import and parse reports from Lastline analysis links.",
- "logo": "lastline.png",
- "requirements": [],
- "input": "Link to a Lastline analysis.",
- "output": "MISP attributes and objects parsed from the analysis report.",
- "references": [
- "https://www.lastline.com"
- ],
- "features": "The module requires a Lastline Portal `username` and `password`.\nThe module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) expansion module."
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/mispjson.json b/documentation/website/import_mod/mispjson.json
deleted file mode 100644
index 7ba47bd7..00000000
--- a/documentation/website/import_mod/mispjson.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "description": "Module to import MISP JSON format for merging MISP events.",
- "requirements": [],
- "features": "The module simply imports MISP Attributes from an other MISP Event in order to merge events together. There is thus no special feature to make it work.",
- "references": [],
- "input": "MISP Event",
- "output": "MISP Event attributes"
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/ocr.json b/documentation/website/import_mod/ocr.json
deleted file mode 100644
index a33c7e24..00000000
--- a/documentation/website/import_mod/ocr.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "description": "Optical Character Recognition (OCR) module for MISP.",
- "requirements": [],
- "features": "The module tries to recognize some text from an image and import the result as a freetext attribute, there is then no special feature asked to users to make it work.",
- "references": [],
- "input": "Image",
- "output": "freetext MISP attribute"
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/openiocimport.json b/documentation/website/import_mod/openiocimport.json
deleted file mode 100644
index 3e00baf5..00000000
--- a/documentation/website/import_mod/openiocimport.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "description": "Module to import OpenIOC packages.",
- "requirements": [
- "PyMISP"
- ],
- "features": "The module imports MISP Attributes from OpenIOC packages, there is then no special feature for users to make it work.",
- "references": [
- "https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html"
- ],
- "input": "OpenIOC packages",
- "output": "MISP Event attributes"
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/threatanalyzer_import.json b/documentation/website/import_mod/threatanalyzer_import.json
deleted file mode 100644
index 5866e090..00000000
--- a/documentation/website/import_mod/threatanalyzer_import.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "description": "Module to import ThreatAnalyzer archive.zip / analysis.json files.",
- "requirements": [],
- "features": "The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be either ZIP, or JSON format.\nThere is by the way no special feature for users to make the module work.",
- "references": [
- "https://www.threattrack.com/malware-analysis.aspx"
- ],
- "input": "ThreatAnalyzer format file",
- "output": "MISP Event attributes"
-}
\ No newline at end of file
diff --git a/documentation/website/import_mod/vmray_import.json b/documentation/website/import_mod/vmray_import.json
deleted file mode 100644
index c80b2375..00000000
--- a/documentation/website/import_mod/vmray_import.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "description": "Module to import VMRay (VTI) results.",
- "logo": "vmray.png",
- "requirements": [
- "vmray_rest_api"
- ],
- "features": "The module imports MISP Attributes from VMRay format, using the VMRay api.\nUsers should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.",
- "references": [
- "https://www.vmray.com/"
- ],
- "input": "VMRay format",
- "output": "MISP Event attributes"
-}
\ No newline at end of file
diff --git a/misp_modules/modules/action_mod/mattermost.py b/misp_modules/modules/action_mod/mattermost.py
index 241a2dc9..49c8ab9a 100644
--- a/misp_modules/modules/action_mod/mattermost.py
+++ b/misp_modules/modules/action_mod/mattermost.py
@@ -42,12 +42,23 @@ moduleconfig = {
# For blocking modules the actual boolean value determines whether we break execution
returns = 'boolean'
-moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem',
- 'description': 'Simplistic module to send message to a Mattermost channel.',
- 'module-type': ['action']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sami Mokaddem',
+ 'description': 'Simplistic module to send message to a Mattermost channel.',
+ 'module-type': ['action'],
+ 'name': 'Mattermost',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': ''
+}
f = Faup()
+
def createPost(request):
params = request['params']
f.decode(params['mattermost_hostname'])
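Review bot: The new `moduleinfo` keys `'requirements'`, `'features'`, `'input'` and `'output'` are all left as empty strings or lists, so the documentation generated from this dict will describe nothing about what the module needs or does; the slack.py and testaction.py hunks have the same gap. Since this commit removes the per-module JSON documentation files, this dict is now the only place that text can live, so at minimum `'features'` should say in one sentence that the module posts a message to a Mattermost channel and name the configuration keys from `moduleconfig` (which starts above the hunk), and `'requirements'` should list the libraries the module imports, e.g. `'requirements': ['pyfaup'],` given `f = Faup()` on the context line. `createPost`'s body continues outside the hunk.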
diff --git a/misp_modules/modules/action_mod/slack.py b/misp_modules/modules/action_mod/slack.py
index cdfff74c..f0bda6b0 100644
--- a/misp_modules/modules/action_mod/slack.py
+++ b/misp_modules/modules/action_mod/slack.py
@@ -36,9 +36,19 @@ moduleconfig = {
# For blocking modules, the actual boolean value determines whether we break execution
returns = 'boolean'
-moduleinfo = {'version': '0.1', 'author': 'goodlandsecurity',
- 'description': 'Simplistic module to send messages to a Slack channel.',
- 'module-type': ['action']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'goodlandsecurity',
+ 'description': 'Simplistic module to send messages to a Slack channel.',
+ 'module-type': ['action'],
+ 'name': 'Slack',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': ''
+}
def create_post(request):
diff --git a/misp_modules/modules/action_mod/testaction.py b/misp_modules/modules/action_mod/testaction.py
index d773c4ea..e85a9f17 100644
--- a/misp_modules/modules/action_mod/testaction.py
+++ b/misp_modules/modules/action_mod/testaction.py
@@ -1,5 +1,4 @@
import json
-from ._utils import utils
misperrors = {'error': 'Error'}
@@ -31,9 +30,19 @@ moduleconfig = {
# For blocking modules the actual boolean value determines whether we break execution
returns = 'boolean'
-moduleinfo = {'version': '0.1', 'author': 'Andras Iklody',
- 'description': 'This module is merely a test, always returning true. Triggers on event publishing.',
- 'module-type': ['action']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Andras Iklody',
+ 'description': 'This module is merely a test, always returning true. Triggers on event publishing.',
+ 'module-type': ['action'],
+ 'name': 'Test action',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': ''
+}
def handler(q=False):
diff --git a/misp_modules/modules/expansion/abuseipdb.py b/misp_modules/modules/expansion/abuseipdb.py
index afab5c96..ba09a4c1 100644
--- a/misp_modules/modules/expansion/abuseipdb.py
+++ b/misp_modules/modules/expansion/abuseipdb.py
@@ -6,9 +6,19 @@ import dns.resolver
misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain', 'domain|ip'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.1', 'author': 'Stephanie S',
- 'description': 'AbuseIPDB MISP expansion module',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Stephanie S',
+ 'description': 'AbuseIPDB MISP expansion module',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Abuse IPDB',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
moduleconfig = ['api_key', 'max_age_in_days', 'abuse_threshold']
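Review bot: `'requirements': []` and `'input': ''` in the new `moduleinfo` contradict the surrounding context: `moduleconfig` on the very next line lists `api_key`, `max_age_in_days` and `abuse_threshold`, and `mispattributes` above the hunk enumerates the accepted attribute types. The generated documentation will therefore tell users neither that an API key is needed nor what they can submit. Suggested values: `'requirements': ['An AbuseIPDB API key'],` and `'input': 'An ip-src, ip-dst, hostname, domain or domain|ip attribute.',`, with `'features'` mentioning that `max_age_in_days` and `abuse_threshold` are configurable. The remaining hunks in this file are whitespace-only.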
@@ -52,8 +62,8 @@ def handler(q=False):
else:
ip = request["attribute"]["value"]
-
- api_key = request["config"]["api_key"]
+
+ api_key = request["config"]["api_key"]
max_age_in_days = request["config"]["max_age_in_days"]
api_endpoint = 'https://api.abuseipdb.com/api/v2/check'
querystring = {
@@ -64,13 +74,13 @@ def handler(q=False):
'Accept': 'application/json',
'key': api_key
}
- r = {"results": []}
+ r = {"results": []}
response = requests.request(method='GET', url=api_endpoint, headers=headers, params=querystring)
if (response.status_code == 200):
response_json = json.loads(response.text)
- is_whitelisted = response_json['data']['isWhitelisted']
+ is_whitelisted = response_json['data']['isWhitelisted']
is_tor = response_json['data']['isTor']
is_public = response_json['data']['isPublic']
abuse_confidence_score = response_json['data']['abuseConfidenceScore']
@@ -112,7 +122,7 @@ def handler(q=False):
obj.add_attribute('abuse-confidence-score', **{'type': 'counter', 'value': abuse_confidence_score})
obj.add_reference(request['attribute']['uuid'], "describes")
event.add_object(obj)
-
+
# Avoid serialization issue
event = json.loads(event.to_json())
@@ -120,7 +130,7 @@ def handler(q=False):
return r
else:
- try:
+ try:
response_json = json.loads(response.text)
if (response_json['errors']):
return {"error": "API not reachable, status code: " + str(response.status_code) + " " + str(response_json['errors'][0]['detail'])}
diff --git a/misp_modules/modules/expansion/apiosintds.py b/misp_modules/modules/expansion/apiosintds.py
index 4dddf0d7..51448ba5 100644
--- a/misp_modules/modules/expansion/apiosintds.py
+++ b/misp_modules/modules/expansion/apiosintds.py
@@ -19,9 +19,19 @@ mispattributes = {'input': ["domain", "domain|ip", "hostname", "ip-dst", "ip-src
'output': ["domain", "ip-dst", "url", "comment", "md5", "sha1", "sha256", "link", "text"]
}
-moduleinfo = {'version': '0.2', 'author': 'Davide Baglieri aka davidonzo',
- 'description': 'On demand query API for OSINT.digitalside.it project.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Davide Baglieri aka davidonzo',
+ 'description': 'On demand query API for OSINT.digitalside.it project.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'OSINT DigitalSide',
+ 'logo': '',
+ 'requirements': ['The apiosintDS python library to query the OSINT.digitalside.it API.'],
+ 'features': 'The module simply queries the API of OSINT.digitalside.it with a domain, ip, url or hash attribute.\n\nThe result of the query is then parsed to extract additional hashes or urls. A module parameters also allows to parse the hashes related to the urls.\n\nFurthermore, it is possible to cache the urls and hashes collected over the last 7 days by OSINT.digitalside.it',
+ 'references': ['https://osint.digitalside.it/#About'],
+ 'input': 'A domain, ip, url or hash attribute.',
+ 'output': 'Hashes and urls resulting from the query to OSINT.digitalside.it',
+}
moduleconfig = ['STIX2_details', 'import_related', 'cache', 'cache_directory', 'cache_timeout_h', 'local_directory']
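Review bot: The `'features'` string in the new `moduleinfo` contains a grammar slip, "A module parameters also allows", which will be reproduced verbatim in the generated documentation. Change it to "A module parameter also allows to parse the hashes related to the urls." while you are rewriting this block; the rest of the hunks in this file are whitespace-only.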
@@ -62,7 +72,7 @@ def handler(q=False):
tosubmit.append(request['filename|sha256'].split('|')[1])
else:
return False
-
+
persistent = 0
if request.get('persistent'):
persistent = request["persistent"]
@@ -77,19 +87,19 @@ def handler(q=False):
r = {"results": []}
if request.get('config'):
-
+
if request['config'].get('cache') and request['config']['cache'].lower() == "yes":
submitcache = True
-
+
if request['config'].get('import_related') and request['config']['import_related'].lower() == "yes":
import_related = True
-
+
if request['config'].get('STIX2_details') and request['config']['STIX2_details'].lower() == "yes":
submit_stix = True
-
+
if request['config'].get('cache_timeout_h') and len(request['config']['cache_timeout_h']) > 0:
submitcache_timeout = int(request['config'].get('cache_timeout_h'))
-
+
localdirectory = request['config'].get('local_directory')
if localdirectory and len(localdirectory) > 0:
if os.access(localdirectory, os.R_OK):
@@ -149,33 +159,33 @@ def apiosintParserHover(ispersistent, response, import_related, stix):
commentH = "IoC '"+item["item"] + "' found in OSINT.DigitaiSide.it repository."
CommentHDate = "List file: "+response[key]["list"]["file"]+". Date list: " + response[key]["list"]["date"]
ret.append({"types": ["text"], "values": [comment]})
-
+
retHover.append({"types": ["text"], "values": [commentH]})
retHover.append({"types": ["text"], "values": [CommentHDate]})
retHover.append({"types": ["text"], "values": [line]})
-
+
if key in ["url", "hash"]:
if "hashes" in item:
headhash = "Hashes set"
retHover.append({"types": ["text"], "values": [headhash]})
if "md5" in item["hashes"].keys():
ret.append({"types": ["md5"], "values": [item["hashes"]["md5"]], "comment": "Related to: " + item["item"]})
-
+
strmd5 = "MD5: "+item["hashes"]["md5"]
retHover.append({"types": ["text"], "values": [strmd5]})
-
+
if "sha1" in item["hashes"].keys():
ret.append({"types": ["sha1"], "values": [item["hashes"]["sha1"]], "comment": "Related to: " + item["item"]})
-
+
strsha1 = "SHA1: "+item["hashes"]["sha1"]
retHover.append({"types": ["text"], "values": [strsha1]})
-
+
if "sha256" in item["hashes"].keys():
ret.append({"types": ["sha256"], "values": [item["hashes"]["sha256"]], "comment": "Related to: " + item["item"]})
-
+
strsha256 = "SHA256: "+item["hashes"]["sha256"]
retHover.append({"types": ["text"], "values": [strsha256]})
-
+
if "online_reports" in item:
headReports = "Online Reports (availability depends on retention)"
retHover.append({"types": ["text"], "values": [linedot]})
@@ -185,17 +195,17 @@ def apiosintParserHover(ispersistent, response, import_related, stix):
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["MISP_CSV"]], "comment": "MISP CSV related to: " + item["item"]})
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["OSINTDS_REPORT"]], "comment": "DigitalSide report related to: " + item["item"]})
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["STIX"]], "comment": "STIX2 report related to: " + item["item"]})
-
+
MISPEVENT = "MISP Event => "+onlierepor["MISP_EVENT"]
MISPCSV = "MISP CSV => "+onlierepor["MISP_CSV"]
OSINTDS = "DigitalSide report => "+onlierepor["OSINTDS_REPORT"]
STIX = "STIX report => "+onlierepor["STIX"]
-
+
retHover.append({"types": ["text"], "values": [MISPEVENT]})
retHover.append({"types": ["text"], "values": [MISPCSV]})
retHover.append({"types": ["text"], "values": [OSINTDS]})
retHover.append({"types": ["text"], "values": [STIX]})
-
+
if stix and onlierepor:
if "STIXDETAILS" in onlierepor:
retHover.append({"types": ["text"], "values": [linedot]})
@@ -205,31 +215,31 @@ def apiosintParserHover(ispersistent, response, import_related, stix):
ret.append({"types": ["comment"], "values": [stxdet], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [headStix]})
retHover.append({"types": ["text"], "values": [stxdet]})
-
-
+
+
if stixobj["observed_time_frame"] != False:
obstf = "Observation time frame: "+str(stixobj["observed_time_frame"])
ret.append({"types": ["comment"], "values": [obstf], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [obstf]})
-
+
filename = stixobj["filename"]
ret.append({"category": "Payload delivery", "types": ["filename"], "values": [filename], "comment": "STIX2 details for: " + item["item"]})
-
+
Hovefilename = "Filename: "+filename
retHover.append({"types": ["text"], "values": [Hovefilename]})
-
+
filesize = stixobj["filesize"]
ret.append({"types": ["size-in-bytes"], "values": [filesize], "comment": "STIX2 details for: " + item["item"]})
-
+
Hovefilesize = "Filesize in bytes: "+str(filesize)
retHover.append({"types": ["text"], "values": [Hovefilesize]})
-
+
filetype = stixobj["mime_type"]
ret.append({"category": "Payload delivery", "types": ["mime-type"], "values": [filetype], "comment": "STIX2 details for: " + item["item"]})
-
+
Hovemime = "Filetype: "+filetype
retHover.append({"types": ["text"], "values": [Hovemime]})
-
+
if "virus_total" in stixobj:
if stixobj["virus_total"] != False:
VTratio = "VirusTotal Ratio: "+str(stixobj["virus_total"]["vt_detection_ratio"])
@@ -247,31 +257,31 @@ def apiosintParserHover(ispersistent, response, import_related, stix):
if isinstance(urls, dict):
itemToInclude = urls["url"]
ret.append({"types": ["url"], "values": [itemToInclude], "comment": "Download URL for "+urls["hashes"]["md5"]+". Related to: " + item["item"]})
-
+
retHover.append({"types": ["text"], "values": [linedot]})
relatedURL = "Related URL "+itemToInclude
retHover.append({"types": ["text"], "values": [relatedURL]})
-
+
if "hashes" in urls.keys():
if "md5" in urls["hashes"].keys():
ret.append({"types": ["md5"], "values": [urls["hashes"]["md5"]], "comment": "Related to: " + itemToInclude})
-
+
strmd5 = "MD5: "+urls["hashes"]["md5"]
retHover.append({"types": ["text"], "values": [strmd5]})
-
+
if "sha1" in urls["hashes"].keys():
ret.append({"types": ["sha1"], "values": [urls["hashes"]["sha1"]], "comment": "Related to: " + itemToInclude})
-
+
strsha1 = "SHA1: "+urls["hashes"]["sha1"]
retHover.append({"types": ["text"], "values": [strsha1]})
-
+
if "sha256" in urls["hashes"].keys():
ret.append({"types": ["sha256"], "values": [urls["hashes"]["sha256"]], "comment": "Related to: " + itemToInclude})
-
+
strsha256 = "SHA256: "+urls["hashes"]["sha256"]
retHover.append({"types": ["text"], "values": [strsha256]})
-
+
headReports = "Online Reports (availability depends on retention)"
retHover.append({"types": ["text"], "values": [linedotty]})
retHover.append({"types": ["text"], "values": [headReports]})
@@ -300,42 +310,42 @@ def apiosintParserHover(ispersistent, response, import_related, stix):
ret.append({"types": ["comment"], "values": [stxdet], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [headStix]})
retHover.append({"types": ["text"], "values": [stxdet]})
-
+
if stixobj["observed_time_frame"] != False:
obstf = "Observation time frame: "+str(stixobj["observed_time_frame"])
ret.append({"types": ["comment"], "values": [obstf], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [obstf]})
-
+
filename = stixobj["filename"]
ret.append({"category": "Payload delivery", "types": ["filename"], "values": [filename], "comment": "STIX2 details for: " + item["item"]})
-
+
Hovefilename = "Filename: "+filename
retHover.append({"types": ["text"], "values": [Hovefilename]})
-
+
filesize = stixobj["filesize"]
ret.append({"types": ["size-in-bytes"], "values": [filesize], "comment": "STIX2 details for: " + item["item"]})
-
+
Hovefilesize = "Filesize in bytes: "+str(filesize)
retHover.append({"types": ["text"], "values": [Hovefilesize]})
-
+
filetype = stixobj["mime_type"]
ret.append({"category": "Payload delivery", "types": ["mime-type"], "values": [filetype], "comment": "STIX2 details for: " + item["item"]})
-
+
Hovemime = "Filetype: "+filetype
retHover.append({"types": ["text"], "values": [Hovemime]})
-
+
if "virus_total" in stixobj:
if stixobj["virus_total"] != False:
VTratio = "VirusTotal Ratio: "+stixobj["virus_total"]["vt_detection_ratio"]
ret.append({"types": ["comment"], "values": [VTratio], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [VTratio]})
-
+
VTReport = stixobj["virus_total"]["vt_report"]
ret.append({"category": "External analysis", "types": ["link"], "values": [VTReport], "comment": "VirusTotal Report for: " + item["item"]})
- else:
+ else:
ret.append({"types": ["url"], "values": [urls], "comment": "Download URL for: " + item["item"]})
urlHover = "URL => "+urls
- retHover.append({"types": ["text"], "values": [urlHover]})
+ retHover.append({"types": ["text"], "values": [urlHover]})
else:
notfound = item["item"] + " IS NOT listed by OSINT.digitalside.it. Date list: " + response[key]["list"]["date"]
ret.append({"types": ["comment"], "values": [notfound]})
diff --git a/misp_modules/modules/expansion/apivoid.py b/misp_modules/modules/expansion/apivoid.py
index fc0d43ec..3410617b 100755
--- a/misp_modules/modules/expansion/apivoid.py
+++ b/misp_modules/modules/expansion/apivoid.py
@@ -5,9 +5,19 @@ from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['domain', 'hostname', 'email', 'email-src', 'email-dst', 'email-reply-to', 'dns-soa-email', 'target-email', 'whois-registrant-email'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.2', 'author': 'Christian Studer',
- 'description': 'On demand query API for APIVoid.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Christian Studer',
+ 'description': 'Module to query APIVoid with some domain attributes.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'APIVoid',
+ 'logo': 'apivoid.png',
+ 'requirements': ['A valid APIVoid API key with enough credits to proceed 2 queries'],
+ 'features': 'This module takes a domain name and queries API Void to get the related DNS records and the SSL certificates. It returns then those pieces of data as MISP objects that can be added to the event.\n\nTo make it work, a valid API key and enough credits to proceed 2 queries (0.06 + 0.07 credits) are required.',
+ 'references': ['https://www.apivoid.com/'],
+ 'input': 'A domain attribute.',
+ 'output': 'DNS records and SSL certificates related to the domain.',
+}
moduleconfig = ['apikey']
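Review bot: `'input': 'A domain attribute.'` (and the "takes a domain name" wording in `'features'`) is narrower than what the module actually accepts: `mispattributes['input']` on the context line above lists `hostname` and several email attribute types as well. Documentation generated from this dict will therefore understate the supported inputs. Suggested line: `'input': 'A domain, hostname or email (email, email-src, email-dst, email-reply-to, dns-soa-email, target-email, whois-registrant-email) attribute.',`, keeping it in sync with `mispattributes`.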
diff --git a/misp_modules/modules/expansion/assemblyline_query.py b/misp_modules/modules/expansion/assemblyline_query.py
index 90bdd3c1..3c5867c3 100644
--- a/misp_modules/modules/expansion/assemblyline_query.py
+++ b/misp_modules/modules/expansion/assemblyline_query.py
@@ -8,9 +8,19 @@ from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['link'], 'format': 'misp_standard'}
-moduleinfo = {'version': '1', 'author': 'Christian Studer',
- 'description': 'Query AssemblyLine with a report URL to get the parsed data.',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Christian Studer',
+ 'description': 'A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.',
+ 'module-type': ['expansion'],
+ 'name': 'AssemblyLine Query',
+ 'logo': 'assemblyline.png',
+ 'requirements': ['assemblyline_client: Python library to query the AssemblyLine rest API.'],
+ 'features': 'The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the used-ID and an API key or the password associated to the user-ID.\n\nThe submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.\n\nSome more data may be parsed in the future.',
+ 'references': ['https://www.cyber.gc.ca/en/assemblyline'],
+ 'input': 'Link of an AssemblyLine submission report.',
+ 'output': 'MISP attributes & objects parsed from the AssemblyLine submission.',
+}
moduleconfig = ["apiurl", "user_id", "apikey", "password", "verifyssl"]
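Review bot: The new description carries two typos that will surface verbatim in the generated docs: `'A module tu query the AssemblyLine API...'` should read `'A module to query the AssemblyLine API...'`, and `Credentials include the used-ID and an API key` should be `user-ID` (the submit module's copy of the same sentence already has it right). Separately, `features` documents `apiurl`, `user_id`, `apikey` and `password` but says nothing about the `verifyssl` option in `moduleconfig` on the line below; since that switch presumably disables TLS certificate verification toward the server the API key or password is sent to, a sentence such as `verifyssl controls TLS certificate verification of the AssemblyLine server; keep it enabled unless the instance uses a private CA you trust` would help operators.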
diff --git a/misp_modules/modules/expansion/assemblyline_submit.py b/misp_modules/modules/expansion/assemblyline_submit.py
index 9e019ffe..9d3681c5 100644
--- a/misp_modules/modules/expansion/assemblyline_submit.py
+++ b/misp_modules/modules/expansion/assemblyline_submit.py
@@ -5,8 +5,19 @@ from assemblyline_client import Client, ClientError
from urllib.parse import urljoin
-moduleinfo = {"version": 1, "author": "Christian Studer", "module-type": ["expansion"],
- "description": "Submit files or URLs to AssemblyLine"}
+moduleinfo = {
+ 'version': 1,
+ 'author': 'Christian Studer',
+ 'module-type': ['expansion'],
+ 'name': 'AssemblyLine Submit',
+ 'description': 'A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.',
+ 'logo': 'assemblyline.png',
+ 'requirements': ['assemblyline_client: Python library to query the AssemblyLine rest API.'],
+ 'features': 'The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.\n\nIf the sample or url is correctly submitted, you get then the link of the submission.',
+ 'references': ['https://www.cyber.gc.ca/en/assemblyline'],
+ 'input': 'Sample, or url to submit to AssemblyLine.',
+ 'output': 'Link of the report generated in AssemblyLine.',
+}
moduleconfig = ["apiurl", "user_id", "apikey", "password", "verifyssl"]
mispattributes = {"input": ["attachment", "malware-sample", "url"],
"output": ["link"]}
diff --git a/misp_modules/modules/expansion/backscatter_io.py b/misp_modules/modules/expansion/backscatter_io.py
index 07969176..d226f503 100644
--- a/misp_modules/modules/expansion/backscatter_io.py
+++ b/misp_modules/modules/expansion/backscatter_io.py
@@ -8,9 +8,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['freetext']}
-moduleinfo = {'version': '1', 'author': 'brandon@backscatter.io',
- 'description': 'Backscatter.io module to bring mass-scanning observations into MISP.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'brandon@backscatter.io',
+ 'description': 'Backscatter.io module to bring mass-scanning observations into MISP.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Backscatter.io',
+ 'logo': 'backscatter_io.png',
+ 'requirements': ['backscatter python library'],
+ 'features': 'The module takes a source or destination IP address as input and displays the information known by backscatter.io.',
+ 'references': ['https://pypi.org/project/backscatter/'],
+ 'input': 'IP addresses.',
+ 'output': 'Text containing a history of the IP addresses especially on scanning based on backscatter.io information .',
+}
moduleconfig = ['api_key']
query_playbook = [
{'inputs': ['ip-src', 'ip-dst'],
diff --git a/misp_modules/modules/expansion/bgpranking.py b/misp_modules/modules/expansion/bgpranking.py
index c021d62e..53dd4c5d 100755
--- a/misp_modules/modules/expansion/bgpranking.py
+++ b/misp_modules/modules/expansion/bgpranking.py
@@ -8,9 +8,19 @@ from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['AS'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
- 'description': 'Query BGP Ranking to get the ranking of an Autonomous System number.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Raphaël Vinot',
+ 'description': 'Query BGP Ranking to get the ranking of an Autonomous System number.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'BGP Ranking',
+ 'logo': '',
+ 'requirements': ['pybgpranking python library'],
+ 'features': 'The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.',
+ 'references': ['https://github.com/D4-project/BGP-Ranking/'],
+ 'input': 'Autonomous system number.',
+ 'output': 'An asn object with its related bgp-ranking object.',
+}
def handler(q=False):
diff --git a/misp_modules/modules/expansion/btc_scam_check.py b/misp_modules/modules/expansion/btc_scam_check.py
index 44fa7326..8b577da4 100644
--- a/misp_modules/modules/expansion/btc_scam_check.py
+++ b/misp_modules/modules/expansion/btc_scam_check.py
@@ -12,9 +12,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['btc'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
- 'description': 'Checks if a BTC address has been abused.',
- 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Christian Studer',
+ 'description': 'An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.',
+ 'module-type': ['hover'],
+ 'name': 'BTC Scam Check',
+ 'logo': 'bitcoin.png',
+ 'requirements': ['dnspython3: dns python library'],
+ 'features': 'The module queries a dns blacklist directly with the bitcoin address and get a response if the address has been abused.',
+ 'references': ['https://btcblack.it/'],
+ 'input': 'btc address attribute.',
+ 'output': 'Text to indicate if the BTC address has been abused.',
+}
moduleconfig = []
url = 'bl.btcblack.it'
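Review bot: "a special dns blacklist" in the new description and features is vaguer than the code, which queries `bl.btcblack.it` (the `url` constant below) via DNS; naming the service lets operators understand that every queried bitcoin address is disclosed to that operator and to any resolver on the path. Suggested wording: `'features': 'The module queries the btcblack.it DNS blacklist (bl.btcblack.it) directly with the bitcoin address and reports whether the address is listed as abused. The queried address is sent to that third-party service over DNS.'`.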
diff --git a/misp_modules/modules/expansion/btc_steroids.py b/misp_modules/modules/expansion/btc_steroids.py
index 04b71383..899c64b0 100755
--- a/misp_modules/modules/expansion/btc_steroids.py
+++ b/misp_modules/modules/expansion/btc_steroids.py
@@ -4,10 +4,19 @@ import time
misperrors = {'error': 'Error'}
mispattributes = {'input': ['btc'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
- 'description': 'BTC expansion service to \
- get quick information from MISP attributes',
- 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'An expansion hover module to get a blockchain balance from a BTC address in MISP.',
+ 'module-type': ['hover'],
+ 'name': 'BTC Steroids',
+ 'logo': 'bitcoin.png',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': 'btc address attribute.',
+ 'output': 'Text to describe the blockchain balance and the transactions related to the btc address in input.',
+}
moduleconfig = []
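Review bot: `'requirements': []`, `'features': ''` and `'references': []` are left empty here, so whatever renders these fields will emit blank sections for this module. At a minimum `features` should restate the contract already given in `description` and `output`, e.g. `'features': 'The module takes a btc attribute as input, queries a blockchain explorer and returns the balance of the address and its related transactions.'`; which explorer is queried is decided in the handler outside this hunk, so confirm and add its URL under `references`.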
diff --git a/misp_modules/modules/expansion/censys_enrich.py b/misp_modules/modules/expansion/censys_enrich.py
index f423712d..8531a606 100644
--- a/misp_modules/modules/expansion/censys_enrich.py
+++ b/misp_modules/modules/expansion/censys_enrich.py
@@ -28,8 +28,19 @@ misperrors = {'error': 'Error'}
moduleconfig = ['api_id', 'api_secret']
mispattributes = {'input': ['ip-src', 'ip-dst', 'domain', 'hostname', 'hostname|port', 'domain|ip', 'ip-dst|port', 'ip-src|port',
'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.1', 'author': 'Loïc Fortemps',
- 'description': 'Censys.io expansion module', 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Loïc Fortemps',
+ 'description': 'An expansion module to enrich attributes in MISP by quering the censys.io API',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Censys Enrich',
+ 'logo': '',
+ 'requirements': ['API credentials to censys.io'],
+ 'features': 'This module takes an IP, hostname or a certificate fingerprint and attempts to enrich it by querying the Censys API.',
+ 'references': ['https://www.censys.io'],
+ 'input': 'IP, domain or certificate fingerprint (md5, sha1 or sha256)',
+ 'output': 'MISP objects retrieved from censys, including open ports, ASN, Location of the IP, x509 details',
+}
api_id = None
api_secret = None
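Review bot: The new `'input'` says "IP, domain or certificate fingerprint", but `mispattributes` on the context lines above also declares `hostname` and the composite `hostname|port`, `domain|ip`, `ip-dst|port` and `ip-src|port` types, and the `features` sentence lists hostname but not domain, so the three descriptions disagree with each other and with the code. Suggest `'input': 'IP, domain or hostname (including the composite ip|port, domain|ip and hostname|port types) or certificate fingerprint (md5, sha1 or sha256).'`, and `quering` in the description should read `querying`.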
diff --git a/misp_modules/modules/expansion/circl_passivedns.py b/misp_modules/modules/expansion/circl_passivedns.py
index eca78c8b..c02d4b9d 100755
--- a/misp_modules/modules/expansion/circl_passivedns.py
+++ b/misp_modules/modules/expansion/circl_passivedns.py
@@ -3,9 +3,20 @@ from . import check_input_attribute, standard_error_message
from pymisp import MISPAttribute, MISPEvent, MISPObject
mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy',
- 'description': 'Module to access CIRCL Passive DNS',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Alexandre Dulaunoy',
+ 'description': 'Module to access CIRCL Passive DNS.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'CIRCL Passive DNS',
+ 'logo': 'passivedns.png',
+ 'requirements': ['pypdns: Passive DNS python library', 'A CIRCL passive DNS account with username & password'],
+ 'features': 'This module takes a hostname, domain or ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive DNS REST API to get the asssociated passive dns entries and return them as MISP objects.\n\nTo make it work a username and a password are thus required to authenticate to the CIRCL Passive DNS API.',
+ 'references': ['https://www.circl.lu/services/passive-dns/', 'https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/'],
+ 'input': 'Hostname, domain, or ip-address attribute.',
+ 'output': '',
+ 'ouput': 'Passive DNS objects related to the input attribute.',
+}
moduleconfig = ['username', 'password']
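Review bot: `'output': ''` is immediately followed by a misspelled duplicate key `'ouput': 'Passive DNS objects related to the input attribute.'`, so the real `output` field is empty and the text that was meant for it sits under a key nothing will read. Drop the `'ouput'` line and set `'output': 'Passive DNS objects related to the input attribute.'`. Also `asssociated` in `features` should be `associated`.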
diff --git a/misp_modules/modules/expansion/circl_passivessl.py b/misp_modules/modules/expansion/circl_passivessl.py
index 65783d76..e04adcf1 100755
--- a/misp_modules/modules/expansion/circl_passivessl.py
+++ b/misp_modules/modules/expansion/circl_passivessl.py
@@ -4,9 +4,19 @@ from . import check_input_attribute, standard_error_message
from pymisp import MISPAttribute, MISPEvent, MISPObject
mispattributes = {'input': ['ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.2', 'author': 'Raphaël Vinot',
- 'description': 'Module to access CIRCL Passive SSL',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Raphaël Vinot',
+ 'description': 'Modules to access CIRCL Passive SSL.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'CIRCL Passive SSL',
+ 'logo': 'passivessl.png',
+ 'requirements': ['pypssl: Passive SSL python library', 'A CIRCL passive SSL account with username & password'],
+ 'features': 'This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive SSL REST API to gather the related certificates and return the corresponding MISP objects.\n\nTo make it work a username and a password are required to authenticate to the CIRCL Passive SSL API.',
+ 'references': ['https://www.circl.lu/services/passive-ssl/'],
+ 'input': 'IP address attribute.',
+ 'output': 'x509 certificate objects seen by the IP address(es).',
+}
moduleconfig = ['username', 'password']
diff --git a/misp_modules/modules/expansion/clamav.py b/misp_modules/modules/expansion/clamav.py
index bdff3b51..61d848df 100644
--- a/misp_modules/modules/expansion/clamav.py
+++ b/misp_modules/modules/expansion/clamav.py
@@ -19,10 +19,17 @@ sh.setFormatter(fmt)
log.addHandler(sh)
moduleinfo = {
- "version": "0.1",
- "author": "Jakub Onderka",
- "description": "Submit file to ClamAV",
- "module-type": ["expansion"]
+ 'version': '0.1',
+ 'author': 'Jakub Onderka',
+ 'description': 'Submit file to ClamAV',
+ 'module-type': ['expansion'],
+ 'name': 'ClaamAV',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
}
moduleconfig = ["connection"]
mispattributes = {
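Review bot: `'name': 'ClaamAV'` is a typo for `'ClamAV'`, and it will become the module's display name wherever `name` is consumed. The `features`, `input` and `output` fields are also left empty while `moduleconfig = ["connection"]` below shows there is a setting worth documenting; something like `'features': 'The module submits the file to a ClamAV scanner reached through the configured connection and returns the scan result.'` would do, with the exact meaning of `connection` (presumably a clamd address or socket) confirmed against the handler, which is outside this hunk.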
diff --git a/misp_modules/modules/expansion/cluster25_expand.py b/misp_modules/modules/expansion/cluster25_expand.py
index 5da8c476..31eb6361 100755
--- a/misp_modules/modules/expansion/cluster25_expand.py
+++ b/misp_modules/modules/expansion/cluster25_expand.py
@@ -4,10 +4,19 @@ import uuid
from . import check_input_attribute, standard_error_message
from pymisp import MISPAttribute, MISPEvent, MISPObject
-moduleinfo = {'version': '0.1',
- 'author': 'Milo Volpicelli',
- 'description': 'Module to query Cluster25CTI',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Milo Volpicelli',
+ 'description': 'Module to query Cluster25 CTI.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Cluster25 Expand',
+ 'logo': 'cluster25.png',
+ 'requirements': ['A Cluster25 API access (API id & key)'],
+ 'features': 'This module takes a MISP attribute value as input to query the Cluster25CTI API. The result is then mapped into compatible MISP Objects and relative attributes.\n',
+ 'references': [''],
+ 'input': 'An Indicator value of type included in the following list:\n- domain\n- email-src\n- email-dst\n- filename\n- md5\n- sha1\n- sha256\n- ip-src\n- ip-dst\n- url\n- vulnerability\n- btc\n- xmr\n ja3-fingerprint-md5',
+ 'output': 'A series of c25 MISP Objects with colletion of attributes mapped from Cluster25 CTI query result.',
+}
moduleconfig = ['api_id', 'apikey', 'base_url']
misperrors = {'error': 'Error'}
misp_type_in = ['domain', 'email-src', 'email-dst', 'filename', 'md5', 'sha1', 'sha256', 'ip-src', 'ip-dst', 'url',
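Review bot: `'references': ['']` is a list containing one empty string, which renders as an empty bullet rather than "no references"; use `[]` or the vendor documentation URL. In the `input` list the last entry lacks its bullet marker (`- xmr\n ja3-fingerprint-md5` should be `- xmr\n- ja3-fingerprint-md5`), and `colletion` in `output` should read `collection`.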
diff --git a/misp_modules/modules/expansion/countrycode.py b/misp_modules/modules/expansion/countrycode.py
index 1de56e0f..0bf74088 100755
--- a/misp_modules/modules/expansion/countrycode.py
+++ b/misp_modules/modules/expansion/countrycode.py
@@ -5,9 +5,19 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain']}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'Hannah Ward',
- 'description': 'Expand Country Codes',
- 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Hannah Ward',
+ 'description': 'Module to expand country codes.',
+ 'module-type': ['hover'],
+ 'name': 'Country Code',
+ 'logo': '',
+ 'requirements': [],
+ 'features': 'The module takes a domain or a hostname as input, and returns the country it belongs to.\n\nFor non country domains, a list of the most common possible extensions is used.',
+ 'references': [],
+ 'input': 'Hostname or domain attribute.',
+ 'output': 'Text with the country code the input belongs to.',
+}
# config fields that your code expects from the site admin
moduleconfig = []
diff --git a/misp_modules/modules/expansion/cpe.py b/misp_modules/modules/expansion/cpe.py
index 600ff37e..bd721fdc 100644
--- a/misp_modules/modules/expansion/cpe.py
+++ b/misp_modules/modules/expansion/cpe.py
@@ -8,8 +8,15 @@ mispattributes = {'input': ['cpe'], 'format': 'misp_standard'}
moduleinfo = {
'version': '2',
'author': 'Christian Studer',
- 'description': 'An expansion module to enrich a CPE attribute with its related vulnerabilities.',
- 'module-type': ['expansion', 'hover']
+ 'description': 'An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'CPE Lookup',
+ 'logo': 'cve.png',
+ 'requirements': [],
+ 'features': 'The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. \nThe list of vulnerabilities is then parsed and returned as vulnerability objects.\n\nUsers can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.\n\nIn order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one.',
+ 'references': ['https://vulnerability.circl.lu/api/'],
+ 'input': 'CPE attribute.',
+ 'output': 'The vulnerabilities related to the CPE.',
}
moduleconfig = ["custom_API_URL", "limit"]
cveapi_url = 'https://cvepremium.circl.lu/api/query'
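Review bot: The new `features` text says "the default vulnerability.circl.lu api url is used" and `references` points at `https://vulnerability.circl.lu/api/`, but the context line below sets `cveapi_url = 'https://cvepremium.circl.lu/api/query'`, so the documentation and the actual default disagree; one of them is stale and operators deciding whether to set `custom_API_URL` need the right host. Either update the sentence to name `cvepremium.circl.lu` or change the constant, whichever matches the intended service. Two typos in the same string: `CVE serach` and `users can also the limit parameter` (missing `use`).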
diff --git a/misp_modules/modules/expansion/crowdsec.py b/misp_modules/modules/expansion/crowdsec.py
index 5b250ce8..e0ea63f1 100644
--- a/misp_modules/modules/expansion/crowdsec.py
+++ b/misp_modules/modules/expansion/crowdsec.py
@@ -6,10 +6,17 @@ from pymisp import MISPEvent, MISPObject
mispattributes = {"input": ["ip-dst", "ip-src"], "format": "misp_standard"}
moduleinfo = {
- "version": "2.0",
- "author": "Shivam Sandbhor ",
- "description": "Module to access CrowdSec CTI API.",
- "module-type": ["hover", "expansion"],
+ 'version': '2.0',
+ 'author': 'Shivam Sandbhor ',
+ 'description': "Hover module to lookup an IP in CrowdSec's CTI",
+ 'module-type': ['hover', 'expansion'],
+ 'name': 'CrowdSec CTI',
+ 'logo': 'crowdsec.png',
+ 'requirements': ['A CrowdSec CTI API key. Get yours by following https://docs.crowdsec.net/docs/cti_api/getting_started/#getting-an-api-key'],
+ 'features': "This module enables IP lookup from CrowdSec CTI API. It provides information about the IP, such as what kind of attacks it has been participant of as seen by CrowdSec's network. It also includes enrichment by CrowdSec like background noise score, aggressivity over time etc.",
+ 'references': ['https://www.crowdsec.net/', 'https://docs.crowdsec.net/docs/cti_api/getting_started', 'https://app.crowdsec.net/'],
+ 'input': 'An IP address.',
+ 'output': 'IP Lookup information from CrowdSec CTI API',
}
moduleconfig = ["api_key"]
diff --git a/misp_modules/modules/expansion/crowdstrike_falcon.py b/misp_modules/modules/expansion/crowdstrike_falcon.py
index c26d59fb..43467d3e 100755
--- a/misp_modules/modules/expansion/crowdstrike_falcon.py
+++ b/misp_modules/modules/expansion/crowdstrike_falcon.py
@@ -3,10 +3,19 @@ from . import check_input_attribute, standard_error_message
from falconpy import Intel
from pymisp import MISPAttribute, MISPEvent
-moduleinfo = {'version': '0.2',
- 'author': 'Christophe Vandeplas',
- 'description': 'Module to query CrowdStrike Falcon.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Christophe Vandeplas',
+ 'description': 'Module to query CrowdStrike Falcon.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'CrowdStrike Falcon',
+ 'logo': 'crowdstrike.png',
+ 'requirements': ['A CrowdStrike API access (API id & key)'],
+ 'features': 'This module takes a MISP attribute as input to query a CrowdStrike Falcon API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.\n\nPlease note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported.',
+ 'references': ['https://www.crowdstrike.com/products/crowdstrike-falcon-faq/'],
+ 'input': 'A MISP attribute included in the following list:\n- domain\n- email-attachment\n- email-dst\n- email-reply-to\n- email-src\n- email-subject\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- mutex\n- regkey\n- sha1\n- sha256\n- uri\n- url\n- user-agent\n- whois-registrant-email\n- x509-fingerprint-md5',
+ 'output': 'MISP attributes mapped after the CrowdStrike API has been queried, included in the following list:\n- hostname\n- email-src\n- email-subject\n- filename\n- md5\n- sha1\n- sha256\n- ip-dst\n- ip-dst\n- mutex\n- regkey\n- url\n- user-agent\n- x509-fingerprint-md5',
+}
moduleconfig = ['api_id', 'apikey']
misperrors = {'error': 'Error'}
misp_type_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
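Review bot: The `output` list repeats `- ip-dst\n- ip-dst`; given that the `input` list carries both `ip-src` and `ip-dst`, one of the two is presumably meant to be `ip-src`, but the type mapping that would settle it lives outside this hunk, so please check before correcting. `mentionned` in `features` should be `mentioned`.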
diff --git a/misp_modules/modules/expansion/cuckoo_submit.py b/misp_modules/modules/expansion/cuckoo_submit.py
index c1ded90c..91269744 100644
--- a/misp_modules/modules/expansion/cuckoo_submit.py
+++ b/misp_modules/modules/expansion/cuckoo_submit.py
@@ -20,9 +20,17 @@ sh.setFormatter(fmt)
log.addHandler(sh)
moduleinfo = {
- "version": "0.1", "author": "Evert Kors",
- "description": "Submit files and URLs to Cuckoo Sandbox",
- "module-type": ["expansion", "hover"]
+ 'version': '0.1',
+ 'author': 'Evert Kors',
+ 'description': 'Submit files and URLs to Cuckoo Sandbox',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Cuckoo Submit',
+ 'logo': 'cuckoo.png',
+ 'requirements': ['Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key)'],
+ 'features': 'The module takes a malware-sample, attachment, url or domain and submits it to Cuckoo Sandbox.\n The returned task id can be used to retrieve results when the analysis completed.',
+ 'references': ['https://cuckoosandbox.org/', 'https://cuckoo.sh/docs/'],
+ 'input': 'A malware-sample or attachment for files. A url or domain for URLs.',
+ 'output': "A text field containing 'Cuckoo task id: '",
}
misperrors = {"error": "Error"}
moduleconfig = ["api_url", "api_key"]
diff --git a/misp_modules/modules/expansion/cve.py b/misp_modules/modules/expansion/cve.py
index 7cb4e7d1..e92466de 100755
--- a/misp_modules/modules/expansion/cve.py
+++ b/misp_modules/modules/expansion/cve.py
@@ -3,7 +3,19 @@ import requests
misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'output': ['text']}
-moduleinfo = {'version': '0.4', 'author': 'Alexandre Dulaunoy', 'description': 'An expansion hover module to expand information about CVE id.', 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.4',
+ 'author': 'Alexandre Dulaunoy',
+ 'description': 'An expansion hover module to expand information about CVE id.',
+ 'module-type': ['hover'],
+ 'name': 'CVE Lookup',
+ 'logo': 'cve.png',
+ 'requirements': [],
+ 'features': 'The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs.',
+ 'references': ['https://vulnerability.circl.lu/', 'https://cve.mitre.org/'],
+ 'input': 'Vulnerability attribute.',
+ 'output': 'Text giving information about the CVE related to the Vulnerability.',
+}
moduleconfig = ["custom_API"]
cveapi_url = 'https://vulnerability.circl.lu/api/cve/'
diff --git a/misp_modules/modules/expansion/cve_advanced.py b/misp_modules/modules/expansion/cve_advanced.py
index 32f86d10..b1e4c841 100644
--- a/misp_modules/modules/expansion/cve_advanced.py
+++ b/misp_modules/modules/expansion/cve_advanced.py
@@ -6,9 +6,19 @@ from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
-moduleinfo = {'version': '2', 'author': 'Christian Studer',
- 'description': 'An expansion module to enrich a CVE attribute with the vulnerability information.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '2',
+ 'author': 'Christian Studer',
+ 'description': 'An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'CVE Advanced Lookup',
+ 'logo': 'cve.png',
+ 'requirements': [],
+ 'features': 'The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information.\n\nThe result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.\n\nThe vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects.',
+ 'references': ['https://vulnerability.circl.lu', 'https://cve/mitre.org/'],
+ 'input': 'Vulnerability attribute.',
+ 'output': 'Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.',
+}
moduleconfig = ["custom_API"]
cveapi_url = 'https://cvepremium.circl.lu/api/'
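Review bot: `'https://cve/mitre.org/'` in `references` is a malformed URL (slash instead of dot); it should be `'https://cve.mitre.org/'`, as the cve.py hunk earlier in this commit already has it.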
diff --git a/misp_modules/modules/expansion/cytomic_orion.py b/misp_modules/modules/expansion/cytomic_orion.py
index c13b2540..41750bd9 100755
--- a/misp_modules/modules/expansion/cytomic_orion.py
+++ b/misp_modules/modules/expansion/cytomic_orion.py
@@ -15,9 +15,19 @@ import sys
misperrors = {'error': 'Error'}
mispattributes = {'input': ['md5'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.3', 'author': 'Koen Van Impe',
- 'description': 'an expansion module to enrich attributes in MISP and share indicators of compromise with Cytomic Orion',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.3',
+ 'author': 'Koen Van Impe',
+ 'description': 'An expansion module to enrich attributes in MISP by quering the Cytomic Orion API',
+ 'module-type': ['expansion'],
+ 'name': 'Cytomic Orion Lookup',
+ 'logo': 'cytomic_orion.png',
+ 'requirements': ['Access (license) to Cytomic Orion'],
+ 'features': 'This module takes an MD5 hash and searches for occurrences of this hash in the Cytomic Orion database. Returns observed files and machines.',
+ 'references': ['https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/', 'https://www.cytomicmodel.com/solutions/'],
+ 'input': 'MD5, hash of the sample / malware to search for.',
+ 'output': 'MISP objects with sightings of the hash in Cytomic Orion. Includes files and machines.',
+}
moduleconfig = ['api_url', 'token_url', 'clientid', 'clientsecret', 'clientsecret', 'username', 'password', 'upload_timeframe', 'upload_tag', 'delete_tag', 'upload_ttlDays', 'upload_threat_level_id', 'limit_upload_events', 'limit_upload_attributes']
# There are more config settings in this module than used by the enrichment
# There is also a PyMISP module which reuses the module config, and requires additional configuration, for example used for pushing indicators to the API
diff --git a/misp_modules/modules/expansion/dbl_spamhaus.py b/misp_modules/modules/expansion/dbl_spamhaus.py
index 2bccd008..f27a3ff8 100644
--- a/misp_modules/modules/expansion/dbl_spamhaus.py
+++ b/misp_modules/modules/expansion/dbl_spamhaus.py
@@ -15,9 +15,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['domain', 'domain|ip', 'hostname', 'hostname|port'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
- 'description': 'Checks Spamhaus DBL for a domain name.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Christian Studer',
+ 'description': 'Checks Spamhaus DBL for a domain name.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'DBL Spamhaus Lookup',
+ 'logo': 'spamhaus.jpg',
+ 'requirements': ['dnspython3: DNS python3 library'],
+ 'features': 'This modules takes a domain or a hostname in input and queries the Domain Block List provided by Spamhaus to determine what kind of domain it is.\n\nDBL then returns a response code corresponding to a certain classification of the domain we display. If the queried domain is not in the list, it is also mentionned.\n\nPlease note that composite MISP attributes containing domain or hostname are supported as well.',
+ 'references': ['https://www.spamhaus.org/faq/section/Spamhaus%20DBL'],
+ 'input': 'Domain or hostname attribute.',
+ 'output': 'Information about the nature of the input.',
+}
moduleconfig = []
dbl = 'dbl.spamhaus.org'
diff --git a/misp_modules/modules/expansion/dns.py b/misp_modules/modules/expansion/dns.py
index 4ab238c0..657f7d98 100755
--- a/misp_modules/modules/expansion/dns.py
+++ b/misp_modules/modules/expansion/dns.py
@@ -4,9 +4,19 @@ import dns.resolver
misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain', 'domain|ip'], 'output': ['ip-src',
'ip-dst']}
-moduleinfo = {'version': '0.3', 'author': 'Alexandre Dulaunoy',
- 'description': 'Simple DNS expansion service to resolve IP address from MISP attributes',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.3',
+ 'author': 'Alexandre Dulaunoy',
+ 'description': 'jj',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'DNS Resolver',
+ 'logo': '',
+ 'requirements': ['dnspython3: DNS python3 library'],
+ 'features': 'The module takes a domain of hostname attribute as input, and tries to resolve it. If no error is encountered, the IP address that resolves the domain is returned, otherwise the origin of the error is displayed.\n\nThe address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).\n\nPlease note that composite MISP attributes containing domain or hostname are supported as well.',
+ 'references': [],
+ 'input': 'Domain or hostname attribute.',
+ 'output': 'IP address resolving the input.',
+}
moduleconfig = ['nameserver']
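Review bot: `'description': 'jj'` is a leftover placeholder that replaces the previous meaningful text; restore it, e.g. `'description': 'Simple DNS expansion service to resolve IP address from MISP attributes.'`. In `features`, `a domain of hostname attribute` should read `a domain or hostname attribute`. Since the same text states that queries go to Google's 8.8.8.8 unless `nameserver` is configured, it is worth adding one explicit caveat that every looked-up indicator is then sent to a third-party resolver, so deployments handling sensitive indicators should set `nameserver` to an internal resolver.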
diff --git a/misp_modules/modules/expansion/docx_enrich.py b/misp_modules/modules/expansion/docx_enrich.py
index d5da3f86..aaf269df 100644
--- a/misp_modules/modules/expansion/docx_enrich.py
+++ b/misp_modules/modules/expansion/docx_enrich.py
@@ -7,9 +7,19 @@ import io
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment'],
'output': ['freetext', 'text']}
-moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
- 'description': '.docx to freetext-import IOC extractor',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'Module to extract freetext from a .docx document.',
+ 'module-type': ['expansion'],
+ 'name': 'DOCX Enrich',
+ 'logo': 'docx.png',
+ 'requirements': ['docx python library'],
+ 'features': 'The module reads the text contained in a .docx document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
+ 'references': [],
+ 'input': 'Attachment attribute containing a .docx document.',
+ 'output': 'Text and freetext parsed from the document.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/domaintools.py b/misp_modules/modules/expansion/domaintools.py
index 353b4566..c70b7f7e 100755
--- a/misp_modules/modules/expansion/domaintools.py
+++ b/misp_modules/modules/expansion/domaintools.py
@@ -29,7 +29,14 @@ moduleinfo = {
'version': '0.1',
'author': 'Raphaël Vinot',
'description': 'DomainTools MISP expansion module.',
- 'module-type': ['expansion', 'hover']
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'DomainTools Lookup',
+ 'logo': 'domaintools.png',
+ 'requirements': ['Domaintools python library', 'A Domaintools API access (username & apikey)'],
+ 'features': 'This module takes a MISP attribute as input to query the Domaintools API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.\n\nPlease note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported.',
+ 'references': ['https://www.domaintools.com/'],
+ 'input': 'A MISP attribute included in the following list:\n- domain\n- hostname\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-name\n- whois-registrant-phone\n- ip-src\n- ip-dst',
+ 'output': 'MISP attributes mapped after the Domaintools API has been queried, included in the following list:\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- text\n- domain',
}
moduleconfig = ['username', 'api_key']
diff --git a/misp_modules/modules/expansion/eql.py b/misp_modules/modules/expansion/eql.py
index 46cc05e3..e2b51bd7 100644
--- a/misp_modules/modules/expansion/eql.py
+++ b/misp_modules/modules/expansion/eql.py
@@ -7,10 +7,17 @@ import logging
misperrors = {"error": "Error"}
moduleinfo = {
- "version": "0.1",
- "author": "92 COS DOM",
- "description": "Generates EQL queries from events",
- "module-type": ["expansion"]
+ 'version': '0.1',
+ 'author': '92 COS DOM',
+ 'description': 'EQL query generation for a MISP attribute.',
+ 'module-type': ['expansion'],
+ 'name': 'EQL Query Generator',
+ 'logo': 'eql.png',
+ 'requirements': [],
+ 'features': 'This module adds a new attribute to a MISP event containing an EQL query for a network or file attribute.',
+ 'references': ['https://eql.readthedocs.io/en/latest/'],
+ 'input': 'A filename or ip attribute.',
+ 'output': 'Attribute containing EQL for a network or file attribute.',
}
# Map of MISP fields => Endgame fields
diff --git a/misp_modules/modules/expansion/eupi.py b/misp_modules/modules/expansion/eupi.py
index e230bcf5..9b6f9481 100755
--- a/misp_modules/modules/expansion/eupi.py
+++ b/misp_modules/modules/expansion/eupi.py
@@ -5,9 +5,19 @@ from pyeupi import PyEUPI
misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain', 'url'], 'output': ['freetext']}
-moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
- 'description': 'Query the Phishing Initiative service (https://phishing-initiative.lu)',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Raphaël Vinot',
+ 'description': 'A module to query the Phishing Initiative service (https://phishing-initiative.lu).',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'EUPI Lookup',
+ 'logo': 'eupi.png',
+ 'requirements': ['pyeupi: eupi python library', 'An access to the Phishing Initiative API (apikey & url)'],
+ 'features': 'This module takes a domain, hostname or url MISP attribute as input to query the Phishing Initiative API. The API returns then the result of the query with some information about the value queried.\n\nPlease note that composite attributes containing domain or hostname are also supported.',
+ 'references': ['https://phishing-initiative.eu/?lang=en'],
+ 'input': 'A domain, hostname or url MISP attribute.',
+ 'output': 'Text containing information about the input, resulting from the query on Phishing Initiative.',
+}
moduleconfig = ['apikey', 'url']
diff --git a/misp_modules/modules/expansion/extract_url_components.py b/misp_modules/modules/expansion/extract_url_components.py
index 3806bf35..dd9c29fa 100644
--- a/misp_modules/modules/expansion/extract_url_components.py
+++ b/misp_modules/modules/expansion/extract_url_components.py
@@ -5,9 +5,19 @@ from pyfaup.faup import Faup
misperrors = {'error': 'Error'}
mispattributes = {'input': ['url'], 'format': 'misp_standard'}
-moduleinfo = {'version': '1', 'author': 'MISP Team',
- 'description': "Extract URL components",
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'MISP Team',
+ 'description': 'Extract URL components',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'URL Components Extractor',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
moduleconfig = []
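Review bot: The new `moduleinfo` leaves `'features'`, `'input'` and `'output'` as empty strings even though `mispattributes` two lines above already declares a `url` input with the `'misp_standard'` format. At minimum set `'input': 'A url MISP attribute.'` and write a one-sentence `'features'` saying the URL is split into its components and returned as a MISP object, with `'output'` naming that object. Empty strings in these fields read as if the module does nothing, which is misleading in generated documentation.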
@@ -50,16 +60,16 @@ def handler(q=False):
if not request.get('attribute') or not check_input_attribute(request['attribute']):
return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
attribute = request['attribute']
-
- if attribute['type'] not in mispattributes['input']:
- return {'error': 'Bad attribute type'}
- url = attribute['value']
+ if attribute['type'] not in mispattributes['input']:
+ return {'error': 'Bad attribute type'}
+
+ url = attribute['value']
urlObject = createObjectFromURL(url)
event = createEvent(urlObject, attribute['uuid'], attribute)
event = json.loads(event.to_json())
-
+
result = {'results': {'Object': event['Object']}}
return result
diff --git a/misp_modules/modules/expansion/farsight_passivedns.py b/misp_modules/modules/expansion/farsight_passivedns.py
index 7cf6f660..835a7be9 100755
--- a/misp_modules/modules/expansion/farsight_passivedns.py
+++ b/misp_modules/modules/expansion/farsight_passivedns.py
@@ -36,8 +36,15 @@ mispattributes = {
moduleinfo = {
'version': '0.5',
'author': 'Christophe Vandeplas',
- 'description': 'Module to access Farsight DNSDB Passive DNS',
- 'module-type': ['expansion', 'hover']
+ 'description': 'Module to access Farsight DNSDB Passive DNS.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Farsight DNSDB Lookup',
+ 'logo': 'farsight.png',
+ 'requirements': ['An access to the Farsight Passive DNS API (apikey)'],
+ 'features': 'This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API.\n The results of rdata and rrset lookups are then returned and parsed into passive-dns objects.\n\nAn API key is required to submit queries to the API.\n It is also possible to define a custom server URL, and to set a limit of results to get.\n This limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit).',
+ 'references': ['https://www.farsightsecurity.com/', 'https://docs.dnsdb.info/dnsdb-api/'],
+ 'input': 'A domain, hostname or IP address MISP attribute.',
+ 'output': 'Passive-dns objects, resulting from the query on the Farsight Passive DNS API.',
}
moduleconfig = ['apikey', 'server', 'limit', 'flex_queries']
diff --git a/misp_modules/modules/expansion/geoip_asn.py b/misp_modules/modules/expansion/geoip_asn.py
index 95d7ee73..16908437 100644
--- a/misp_modules/modules/expansion/geoip_asn.py
+++ b/misp_modules/modules/expansion/geoip_asn.py
@@ -15,9 +15,20 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['freetext']}
moduleconfig = ['local_geolite_db']
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '0.1', 'author': 'GlennHD',
- 'description': 'Query a local copy of the Maxmind Geolite ASN database (MMDB format)',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'GlennHD',
+ 'description': 'Query a local copy of the Maxmind Geolite ASN database (MMDB format)',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'GeoIP ASN Lookup',
+ 'logo': 'maxmind.png',
+ 'requirements': ["A local copy of Maxmind's Geolite database"],
+ 'features': "The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number.",
+ 'references': ['https://www.maxmind.com/en/home'],
+ 'input': 'An IP address MISP attribute.',
+ 'output': 'Text containing information about the AS number of the IP address.',
+ 'descrption': "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.",
+}
def handler(q=False):
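Review bot: The last added key, `'descrption'`, is misspelled, so it does not replace `'description'` and just sits in the dict as an unused entry whose text differs from the real description. Either drop that line or, if the longer wording is the intended one, move it into `'description'`: `'description': "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.",`. The sibling geoip_city hunk in this commit uses exactly that long form for its `'description'`, so this would also make the two modules consistent.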
diff --git a/misp_modules/modules/expansion/geoip_city.py b/misp_modules/modules/expansion/geoip_city.py
index 01c0627f..643f0858 100644
--- a/misp_modules/modules/expansion/geoip_city.py
+++ b/misp_modules/modules/expansion/geoip_city.py
@@ -15,9 +15,19 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['freetext']}
moduleconfig = ['local_geolite_db']
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '0.1', 'author': 'GlennHD',
- 'description': 'Query a local copy of the Maxmind Geolite City database (MMDB format)',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'GlennHD',
+ 'description': "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.",
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'GeoIP City Lookup',
+ 'logo': 'maxmind.png',
+ 'requirements': ["A local copy of Maxmind's Geolite database"],
+ 'features': "The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located.",
+ 'references': ['https://www.maxmind.com/en/home'],
+ 'input': 'An IP address MISP attribute.',
+ 'output': 'Text containing information about the city where the IP address is located.',
+}
def handler(q=False):
diff --git a/misp_modules/modules/expansion/geoip_country.py b/misp_modules/modules/expansion/geoip_country.py
index d28e570e..1b3336da 100644
--- a/misp_modules/modules/expansion/geoip_country.py
+++ b/misp_modules/modules/expansion/geoip_country.py
@@ -15,9 +15,19 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['freetext']}
moduleconfig = ['local_geolite_db']
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '0.2', 'author': 'Andreas Muehlemann',
- 'description': 'Query a local copy of Maxminds Geolite database, updated for MMDB format',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Andreas Muehlemann',
+ 'description': 'Query a local copy of Maxminds Geolite database, updated for MMDB format',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'GeoIP Country Lookup',
+ 'logo': 'maxmind.png',
+ 'requirements': ["A local copy of Maxmind's Geolite database"],
+ 'features': "This module takes an IP address MISP attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the location of this IP address.\n\nPlease note that composite attributes domain|ip are also supported.",
+ 'references': ['https://www.maxmind.com/en/home'],
+ 'input': 'An IP address MISP Attribute.',
+ 'output': 'Text containing information about the location of the IP address.',
+}
def handler(q=False):
diff --git a/misp_modules/modules/expansion/google_safe_browsing.py b/misp_modules/modules/expansion/google_safe_browsing.py
index 4920e946..84aca8c4 100644
--- a/misp_modules/modules/expansion/google_safe_browsing.py
+++ b/misp_modules/modules/expansion/google_safe_browsing.py
@@ -6,9 +6,19 @@ from pysafebrowsing import SafeBrowsing
misperrors = {'error': 'Error'}
mispattributes = {'input': ['url'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.1', 'author': 'Stephanie S',
- 'description': 'Google safe browsing expansion module',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Stephanie S',
+ 'description': 'Google safe browsing expansion module',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Google Safe Browsing Lookup',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
moduleconfig = ['api_key']
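Review bot: `'requirements'`, `'features'`, `'input'` and `'output'` are left empty although the hunk itself shows what they should say: `SafeBrowsing` is imported from `pysafebrowsing`, `moduleconfig` requires `api_key`, and `mispattributes` declares a `url` input. Suggest `'requirements': ['pysafebrowsing: python library for the Google Safe Browsing API', 'A Google Safe Browsing API key'],` and `'input': 'A url MISP attribute.'`, plus a one-sentence `'features'` and `'output'` stating that the URL is checked against Google Safe Browsing and the verdict is returned as a MISP object. Leaving them empty hides from operators that an API key must be provisioned before the module can run.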
@@ -24,7 +34,7 @@ def handler(q=False):
if request['attribute']['type'] not in mispattributes['input']:
return {'error': 'Unsupported attribute type.'}
- api_key = request["config"]["api_key"]
+ api_key = request["config"]["api_key"]
url = request["attribute"]["value"]
s = SafeBrowsing(api_key)
@@ -38,7 +48,7 @@ def handler(q=False):
if (response[url]['malicious'] != False):
# gsb threat types: THREAT_TYPE_UNSPECIFIED, MALWARE, SOCIAL_ENGINEERING, UNWANTED_SOFTWARE, POTENTIALLY_HARMFUL_APPLICATION
gsb_circl_threat_taxonomy = {"MALWARE": 'malware', "SOCIAL_ENGINEERING": 'social-engineering'}
-
+
threats = response[url]['threats']
malicious = response[url]['malicious']
platforms = response[url]['platforms']
@@ -52,18 +62,18 @@ def handler(q=False):
threat_attribute.add_tag(f'circl:incident="{gsb_circl_threat_taxonomy.get(threat)}"')
else:
threat_attribute.add_tag(f'threat-type:{str(threat).lower()}')
- obj.add_attribute('platforms', **{'type': 'text', 'value': str(" ".join(platforms))})
-
+ obj.add_attribute('platforms', **{'type': 'text', 'value': str(" ".join(platforms))})
+
else:
malicious_attribute = obj.add_attribute('malicious', **{'type': 'boolean', 'value': 0}) # 0 == False
malicious_attribute.add_tag(f'ioc:artifact-state="not-malicious"')
obj.add_reference(request['attribute']['uuid'], "describes")
event.add_object(obj)
-
+
# Avoid serialization issue
event = json.loads(event.to_json())
- return {"results": {'Object': event['Object'], 'Attribute': event['Attribute']}}
+ return {"results": {'Object': event['Object'], 'Attribute': event['Attribute']}}
except Exception as error:
return {"error": "An error occurred: " + str(error)}
diff --git a/misp_modules/modules/expansion/google_search.py b/misp_modules/modules/expansion/google_search.py
index 68224abf..fd9febe7 100644
--- a/misp_modules/modules/expansion/google_search.py
+++ b/misp_modules/modules/expansion/google_search.py
@@ -8,8 +8,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['url'], 'output': ['text']}
-moduleinfo = {'author': 'Oun & Gindt', 'module-type': ['hover'],
- 'description': 'An expansion hover module to expand google search information about an URL'}
+moduleinfo = {
+ 'author': 'Oun & Gindt',
+ 'module-type': ['hover'],
+ 'name': 'Google Search',
+ 'description': 'An expansion hover module to expand google search information about an URL',
+ 'version': '1.0',
+ 'logo': 'google.png',
+ 'requirements': ['The python Google Search API library'],
+ 'features': 'The module takes an url as input to query the Google search API. The result of the query is then return as raw text.',
+ 'references': ['https://github.com/abenassi/Google-Search-API'],
+ 'input': 'An url attribute.',
+ 'output': 'Text containing the result of a Google search on the input url.',
+}
def sleep(retry):
diff --git a/misp_modules/modules/expansion/google_threat_intelligence.py b/misp_modules/modules/expansion/google_threat_intelligence.py
index cde28050..0db25a41 100644
--- a/misp_modules/modules/expansion/google_threat_intelligence.py
+++ b/misp_modules/modules/expansion/google_threat_intelligence.py
@@ -19,7 +19,7 @@ import vt
import pymisp
-MISP_ATTRIBUTES = {
+mispattributes = {
'input': [
'hostname',
'domain',
@@ -33,20 +33,19 @@ MISP_ATTRIBUTES = {
'format': 'misp_standard',
}
-MODULE_INFO = {
+moduleinfo = {
'version': '2',
'author': 'Google Threat Intelligence team',
- 'description': ('An expansion module to have the observable\'s threat'
- ' score assessed by Google Threat Intelligence.'),
+ 'description': "An expansion module to have the observable's threat score assessed by Google Threat Intelligence.",
'module-type': ['expansion'],
- 'config': [
- 'apikey',
- 'event_limit',
- 'proxy_host',
- 'proxy_port',
- 'proxy_username',
- 'proxy_password'
- ]
+ 'name': 'Google Threat Intelligence Lookup',
+ 'config': ['apikey', 'event_limit', 'proxy_host', 'proxy_port', 'proxy_username', 'proxy_password'],
+ 'logo': 'google_threat_intelligence.png',
+ 'requirements': ['An access to the Google Threat Intelligence API (apikey), with a high request rate limit.'],
+ 'features': 'GTI assessment for the given observable, this include information about level of severity, a clear verdict (malicious, suspicious, undetected and benign) and additional information provided by the Mandiant expertise combined with the VirusTotal database.\n\n[Output example screeshot](https://github.com/MISP/MISP/assets/4747608/e275db2f-bb1e-4413-8cc0-ec3cb05e0414)',
+ 'references': ['https://www.virustotal.com/', 'https://gtidocs.virustotal.com/reference'],
+ 'input': 'A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.',
+ 'output': 'Text fields containing the threat score, the severity, the verdict and the threat label of the observable inspected.',
}
DEFAULT_RESULTS_LIMIT = 10
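Review bot: The new `'features'` string contains the typo "screeshot" in the markdown link text; change it to `screenshot`. Separately, this module keeps its settings under a `'config'` key inside `moduleinfo`, while every other module touched by this commit exposes a module-level `moduleconfig` list (e.g. `moduleconfig = ['apikey', ...]`); if the loader honours both forms this is fine, otherwise the proxy and `event_limit` settings may never be picked up, so it is worth confirming rather than assuming.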
@@ -392,12 +391,12 @@ def dict_handler(request: dict):
def introspection():
"""Returns the module input attributes required."""
- return MISP_ATTRIBUTES
+ return mispattributes
def version():
"""Returns the module metadata."""
- return MODULE_INFO
+ return moduleinfo
if __name__ == '__main__':
diff --git a/misp_modules/modules/expansion/greynoise.py b/misp_modules/modules/expansion/greynoise.py
index fbeb88ba..101da078 100644
--- a/misp_modules/modules/expansion/greynoise.py
+++ b/misp_modules/modules/expansion/greynoise.py
@@ -17,10 +17,17 @@ logger.setLevel(logging.INFO)
misperrors = {"error": "Error"}
mispattributes = {"input": ["ip-src", "ip-dst", "vulnerability"], "format": "misp_standard"}
moduleinfo = {
- "version": "1.2",
- "author": "Brad Chiappetta ",
- "description": "Used to query IP and CVE intel from GreyNoise",
- "module-type": ["expansion", "hover"],
+ 'version': '1.2',
+ 'author': 'Brad Chiappetta ',
+ 'description': 'Module to query IP and CVE information from GreyNoise',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'GreyNoise Lookup',
+ 'logo': 'greynoise.png',
+ 'requirements': ['A Greynoise API key. Both Enterprise (Paid) and Community (Free) API keys are supported, however Community API users will only be able to perform IP lookups.'],
+ 'features': 'This module supports: 1) Query an IP from GreyNoise to see if it is internet background noise or a common business service 2) Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days.',
+ 'references': ['https://greynoise.io/', 'https://docs.greyniose.io/', 'https://www.greynoise.io/viz/account/'],
+ 'input': 'An IP address or CVE ID',
+ 'output': 'IP Lookup information or CVE scanning profile for past 7 days',
}
moduleconfig = ["api_key", "api_type"]
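Review bot: The second `'references'` entry, `https://docs.greyniose.io/`, looks like a misspelling of the vendor's domain, since the other two entries use `greynoise`. A mistyped host in a reference sends readers to a domain the vendor may not control, so change it to `'https://docs.greynoise.io/'` unless the spelling is deliberate.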
diff --git a/misp_modules/modules/expansion/hashdd.py b/misp_modules/modules/expansion/hashdd.py
index 17e1029d..310cfb70 100755
--- a/misp_modules/modules/expansion/hashdd.py
+++ b/misp_modules/modules/expansion/hashdd.py
@@ -3,7 +3,19 @@ import requests
misperrors = {'error': 'Error'}
mispattributes = {'input': ['md5'], 'output': ['text']}
-moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy', 'description': 'An expansion module to check hashes against hashdd.com including NSLR dataset.', 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Alexandre Dulaunoy',
+ 'description': 'A hover module to check hashes against hashdd.com including NSLR dataset.',
+ 'module-type': ['hover'],
+ 'name': 'Hashdd Lookup',
+ 'logo': '',
+ 'requirements': [],
+ 'features': 'This module takes a hash attribute as input to check its known level, using the hashdd API. This information is then displayed.',
+ 'references': ['https://hashdd.com/'],
+ 'input': 'A hash MISP attribute (md5).',
+ 'output': 'Text describing the known level of the hash in the hashdd databases.',
+}
moduleconfig = []
hashddapi_url = 'https://api.hashdd.com/v1/knownlevel/nsrl/'
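Review bot: `'description'` says "NSLR dataset", but the dataset is NSRL, as the `hashddapi_url` path `.../knownlevel/nsrl/` further down in the hunk shows; the typo was carried over from the removed line. Change it to `'description': 'A hover module to check hashes against hashdd.com including NSRL dataset.',`.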
diff --git a/misp_modules/modules/expansion/hashlookup.py b/misp_modules/modules/expansion/hashlookup.py
index eeca95f2..1752ced9 100644
--- a/misp_modules/modules/expansion/hashlookup.py
+++ b/misp_modules/modules/expansion/hashlookup.py
@@ -6,9 +6,19 @@ from pymisp import MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['md5', 'sha1', 'sha256'], 'format': 'misp_standard'}
-moduleinfo = {'version': '2', 'author': 'Alexandre Dulaunoy',
- 'description': 'An expansion module to enrich a file hash with hashlookup.circl.lu services (NSRL and other sources)',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '2',
+ 'author': 'Alexandre Dulaunoy',
+ 'description': 'An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'CIRCL Hashlookup Lookup',
+ 'logo': 'circl.png',
+ 'requirements': [],
+ 'features': 'The module takes file hashes as input such as a MD5 or SHA1.\n It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required.\n The module can be used an hover module but also an expansion model to add related MISP objects.\n',
+ 'references': ['https://www.circl.lu/services/hashlookup/'],
+ 'input': 'File hashes (MD5, SHA1)',
+ 'output': 'Object with the filename associated hashes if the hash is part of a known set.',
+}
moduleconfig = ["custom_API"]
hashlookup_url = 'https://hashlookup.circl.lu/'
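Review bot: `'input'` says `File hashes (MD5, SHA1)` and `'features'` says "such as a MD5 or SHA1", but `mispattributes['input']` in the same hunk also accepts `sha256`; the metadata should match, e.g. `'input': 'File hashes (MD5, SHA1, SHA256)'`. The `'features'` string also has a space after each embedded `\n` and a trailing `\n`, which will show up as stray whitespace wherever the text is rendered.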
diff --git a/misp_modules/modules/expansion/hibp.py b/misp_modules/modules/expansion/hibp.py
index b2d1c166..60a12347 100644
--- a/misp_modules/modules/expansion/hibp.py
+++ b/misp_modules/modules/expansion/hibp.py
@@ -4,7 +4,19 @@ import json
misperrors = {'error': 'Error'}
mispattributes = {'input': ['email-dst', 'email-src'], 'output': ['text']}
-moduleinfo = {'version': '0.2', 'author': 'Corsin Camichel, Aurélien Schwab', 'description': 'Module to access haveibeenpwned.com API (v3).', 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Corsin Camichel, Aurélien Schwab',
+ 'description': 'Module to access haveibeenpwned.com API.',
+ 'module-type': ['hover'],
+ 'name': 'Have I Been Pwned Lookup',
+ 'logo': 'hibp.png',
+ 'requirements': [],
+ 'features': 'The module takes an email address as input and queries haveibeenpwned.com API to find additional information about it. This additional information actually tells if any account using the email address has already been compromised in a data breach.',
+ 'references': ['https://haveibeenpwned.com/'],
+ 'input': 'An email address',
+ 'output': 'Additional information about the email address.',
+}
moduleconfig = ['api_key']
haveibeenpwned_api_url = 'https://haveibeenpwned.com/api/v3/breachedaccount/'
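Review bot: `'requirements'` is left empty although `moduleconfig = ['api_key']` just below shows the module needs a haveibeenpwned.com API key to run; suggest `'requirements': ['An access to the haveibeenpwned.com API (apikey)'],` in the style the other modules in this commit use. The new `'description'` also drops the `(v3)` that the removed line carried, while `haveibeenpwned_api_url` still points at `/api/v3/`; keeping the API version somewhere in the metadata helps operators match the key they provision to the API the module actually calls.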
diff --git a/misp_modules/modules/expansion/html_to_markdown.py b/misp_modules/modules/expansion/html_to_markdown.py
index 228b4bcb..629f5935 100755
--- a/misp_modules/modules/expansion/html_to_markdown.py
+++ b/misp_modules/modules/expansion/html_to_markdown.py
@@ -5,9 +5,19 @@ from bs4 import BeautifulSoup
misperrors = {'error': 'Error'}
mispattributes = {'input': ['url'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem',
- 'description': 'Simple HTML fetcher',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sami Mokaddem',
+ 'description': 'Expansion module to fetch the html content from an url and convert it into markdown.',
+ 'module-type': ['expansion'],
+ 'name': 'HTML to Markdown',
+ 'logo': '',
+ 'requirements': ['The markdownify python library'],
+ 'features': 'The module take an URL as input and the HTML content is fetched from it. This content is then converted into markdown that is returned as text.',
+ 'references': [],
+ 'input': 'URL attribute.',
+ 'output': 'Markdown content converted from the HTML fetched from the url.',
+}
def fetchHTML(url):
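Review bot: `'requirements'` lists only the markdownify library, but the `from bs4 import BeautifulSoup` line at the top of the hunk shows the module also depends on beautifulsoup4; suggest `'requirements': ['The markdownify python library', 'The beautifulsoup4 (bs4) python library'],`. The markdownify import itself is presumably elsewhere in the file, outside this hunk.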
diff --git a/misp_modules/modules/expansion/hyasinsight.py b/misp_modules/modules/expansion/hyasinsight.py
index c8497091..9d1a6970 100644
--- a/misp_modules/modules/expansion/hyasinsight.py
+++ b/misp_modules/modules/expansion/hyasinsight.py
@@ -1,874 +1,881 @@
-import json
-import logging
-from typing import Dict, List, Any
-
-import requests
-import re
-from requests.exceptions import (
- HTTPError,
- ProxyError,
- InvalidURL,
- ConnectTimeout
-)
-from . import check_input_attribute, standard_error_message
-from pymisp import MISPEvent, MISPObject, Distribution
-
-ip_query_input_type = [
- 'ip-src',
- 'ip-dst'
-]
-domain_query_input_type = [
- 'hostname',
- 'domain'
-]
-email_query_input_type = [
- 'email',
- 'email-src',
- 'email-dst',
- 'target-email',
- 'whois-registrant-email'
-]
-phone_query_input_type = [
- 'phone-number',
- 'whois-registrant-phone'
-]
-
-md5_query_input_type = [
- 'md5',
- 'x509-fingerprint-md5',
- 'ja3-fingerprint-md5',
- 'hassh-md5',
- 'hasshserver-md5'
-]
-
-sha1_query_input_type = [
- 'sha1',
- 'x509-fingerprint-sha1'
-]
-
-sha256_query_input_type = [
- 'sha256',
- 'x509-fingerprint-sha256'
-]
-
-sha512_query_input_type = [
- 'sha512'
-]
-
-misperrors = {
- 'error': 'Error'
-}
-mispattributes = {
- 'input': ip_query_input_type + domain_query_input_type + email_query_input_type + phone_query_input_type
- + md5_query_input_type + sha1_query_input_type + sha256_query_input_type + sha512_query_input_type,
- 'format': 'misp_standard'
-}
-
-moduleinfo = {
- 'version': '0.1',
- 'author': 'Mike Champ',
- 'description': '',
- 'module-type': ['expansion', 'hover']
-}
-moduleconfig = ['apikey']
-TIMEOUT = 60
-logger = logging.getLogger('hyasinsight')
-logger.setLevel(logging.DEBUG)
-HYAS_API_BASE_URL = 'https://insight.hyas.com/api/ext/'
-WHOIS_CURRENT_BASE_URL = 'https://api.hyas.com/'
-DEFAULT_DISTRIBUTION_SETTING = Distribution.your_organisation_only.value
-IPV4_REGEX = r'\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b([^\/]|$)'
-IPV6_REGEX = r'\b(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:(?:(:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b' # noqa: E501
-# Enrichment Types
-# HYAS API endpoints
-PASSIVE_DNS_ENDPOINT = 'passivedns'
-DYNAMIC_DNS_ENDPOINT = 'dynamicdns'
-PASSIVE_HASH_ENDPOINT = 'passivehash'
-SINKHOLE_ENDPOINT = 'sinkhole'
-SSL_CERTIFICATE_ENDPOINT = 'ssl_certificate'
-DEVICE_GEO_ENDPOINT = 'device_geo'
-WHOIS_HISTORIC_ENDPOINT = 'whois'
-WHOIS_CURRENT_ENDPOINT = 'whois/v1'
-MALWARE_RECORDS_ENDPOINT = 'sample'
-MALWARE_INFORMATION_ENDPOINT = 'sample/information'
-C2ATTRIBUTION_ENDPOINT = 'c2attribution'
-OPEN_SOURCE_INDICATORS_ENDPOINT = 'os_indicators'
-
-# HYAS API endpoint params
-DOMAIN_PARAM = 'domain'
-IP_PARAM = 'ip'
-IPV4_PARAM = 'ipv4'
-IPV6_PARAM = 'ipv6'
-EMAIL_PARAM = 'email'
-PHONE_PARAM = 'phone'
-MD5_PARAM = 'md5'
-SHA256_PARAM = 'sha256'
-SHA512_PARAM = 'sha512'
-HASH_PARAM = 'hash'
-SHA1_PARAM = 'sha1'
-
-HYAS_IP_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, PASSIVE_DNS_ENDPOINT, PASSIVE_HASH_ENDPOINT,
- SINKHOLE_ENDPOINT,
- SSL_CERTIFICATE_ENDPOINT, DEVICE_GEO_ENDPOINT, C2ATTRIBUTION_ENDPOINT,
- MALWARE_RECORDS_ENDPOINT, OPEN_SOURCE_INDICATORS_ENDPOINT]
-HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST = [PASSIVE_DNS_ENDPOINT, DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT,
- MALWARE_RECORDS_ENDPOINT, WHOIS_CURRENT_ENDPOINT, PASSIVE_HASH_ENDPOINT,
- C2ATTRIBUTION_ENDPOINT, SSL_CERTIFICATE_ENDPOINT,
- OPEN_SOURCE_INDICATORS_ENDPOINT]
-HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT, C2ATTRIBUTION_ENDPOINT]
-HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST = [WHOIS_HISTORIC_ENDPOINT]
-HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST = [SSL_CERTIFICATE_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
- OPEN_SOURCE_INDICATORS_ENDPOINT]
-HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST = [C2ATTRIBUTION_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
- OPEN_SOURCE_INDICATORS_ENDPOINT]
-HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST = [MALWARE_INFORMATION_ENDPOINT]
-HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST = [MALWARE_RECORDS_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
- OPEN_SOURCE_INDICATORS_ENDPOINT]
-
-HYAS_OBJECT_NAMES = {
- DYNAMIC_DNS_ENDPOINT: "Dynamic DNS Information",
- PASSIVE_HASH_ENDPOINT: "Passive Hash Information",
- SINKHOLE_ENDPOINT: "Sinkhole Information",
- SSL_CERTIFICATE_ENDPOINT: "SSL Certificate Information",
- DEVICE_GEO_ENDPOINT: "Mobile Geolocation Information",
- C2ATTRIBUTION_ENDPOINT: "C2 Attribution Information",
- PASSIVE_DNS_ENDPOINT: "Passive DNS Information",
- WHOIS_HISTORIC_ENDPOINT: "Whois Related Information",
- WHOIS_CURRENT_ENDPOINT: "Whois Current Related Information",
- MALWARE_INFORMATION_ENDPOINT: "Malware Sample Information",
- OPEN_SOURCE_INDICATORS_ENDPOINT: "Open Source Intel for malware, ssl certificates and other indicators Information",
- MALWARE_RECORDS_ENDPOINT: "Malware Sample Records Information"
-}
-
-
-def parse_attribute(comment, feature, value):
- """Generic Method for parsing the attributes in the object"""
- attribute = {
- 'type': 'text',
- 'value': value,
- 'comment': comment,
- 'distribution': DEFAULT_DISTRIBUTION_SETTING,
- 'object_relation': feature
- }
- return attribute
-
-
-def misp_object(endpoint, attribute_value):
- object_name = HYAS_OBJECT_NAMES[endpoint]
- hyas_object = MISPObject(object_name)
- hyas_object.distribution = DEFAULT_DISTRIBUTION_SETTING
- hyas_object.template_uuid = "d69d3d15-7b4d-49b1-9e0a-bb29f3d421d9"
- hyas_object.template_id = "1"
- hyas_object.description = "HYAS INSIGHT " + object_name
- hyas_object.comment = "HYAS INSIGHT " + object_name + " for " + attribute_value
- setattr(hyas_object, 'meta-category', 'network')
- description = (
- "An object containing the enriched attribute and "
- "related entities from HYAS Insight."
- )
- hyas_object.from_dict(
- **{"meta-category": "misc", "description": description,
- "distribution": DEFAULT_DISTRIBUTION_SETTING}
- )
- return hyas_object
-
-
-def flatten_json(y: Dict) -> Dict[str, Any]:
- """
- :param y: raw_response from HYAS api
- :return: Flatten json response
- """
- out = {}
-
- def flatten(x, name=''):
- # If the Nested key-value
- # pair is of dict type
- if type(x) is dict:
- for a in x:
- flatten(x[a], name + a + '_')
- else:
- out[name[:-1]] = x
-
- flatten(y)
- return out
-
-
-def get_flatten_json_response(raw_api_response: List[Dict]) -> List[Dict]:
- """
- :param raw_api_response: raw_api response from the API
- :return: Flatten Json response
- """
- flatten_json_response = []
- if raw_api_response:
- for obj in raw_api_response:
- flatten_json_response.append(flatten_json(obj))
-
- return flatten_json_response
-
-
-def request_body(query_input, query_param, current):
- """
- This Method returns the request body for specific endpoint.
- """
-
- if current:
- return {
- "applied_filters": {
- query_input: query_param,
- "current": True
- }
- }
- else:
- return {
- "applied_filters": {
- query_input: query_param
- }
- }
-
-
-def malware_info_lookup_to_markdown(results: Dict) -> list:
- scan_results = results.get('scan_results', [])
- out = []
- if scan_results:
- for res in scan_results:
- malware_info_data = {
- "avscan_score": results.get(
- "avscan_score", ''),
- "md5": results.get("md5", ''),
- 'av_name': res.get(
- "av_name", ''),
- 'def_time': res.get(
- "def_time", ''),
- 'threat_found': res.get(
- 'threat_found', ''),
- 'scan_time': results.get("scan_time", ''),
- 'sha1': results.get('sha1', ''),
- 'sha256': results.get('sha256', ''),
- 'sha512': results.get('sha512', '')
- }
- out.append(malware_info_data)
- else:
- malware_info_data = {
- "avscan_score": results.get("avscan_score", ''),
- "md5": results.get("md5", ''),
- 'av_name': '',
- 'def_time': '',
- 'threat_found': '',
- 'scan_time': results.get("scan_time", ''),
- 'sha1': results.get('sha1', ''),
- 'sha256': results.get('sha256', ''),
- 'sha512': results.get('sha512', '')
- }
- out.append(malware_info_data)
- return out
-
-
-class RequestHandler:
- """A class for handling any outbound requests from this module."""
-
- def __init__(self, apikey):
- self.session = requests.Session()
- self.api_key = apikey
-
- def get(self, url: str, headers: dict = None, req_body=None) -> requests.Response:
- """General post method to fetch the response from HYAS Insight."""
- response = []
- try:
- response = self.session.post(
- url, headers=headers, json=req_body
- )
- if response:
- response = response.json()
- except (ConnectTimeout, ProxyError, InvalidURL) as error:
- msg = "Error connecting with the HYAS Insight."
- logger.error(f"{msg} Error: {error}")
- misperrors["error"] = msg
- return response
-
- def hyas_lookup(self, end_point: str, query_input, query_param, current=False) -> requests.Response:
- """Do a lookup call."""
- # Building the request
- if current:
- url = f'{WHOIS_CURRENT_BASE_URL}{WHOIS_CURRENT_ENDPOINT}'
- else:
- url = f'{HYAS_API_BASE_URL}{end_point}'
- headers = {
- 'Content-type': 'application/json',
- 'X-API-Key': self.api_key,
- 'User-Agent': 'Misp Modules'
- }
- req_body = request_body(query_input, query_param, current)
- try:
- response = self.get(url, headers, req_body)
- except HTTPError as error:
- msg = f"Error when requesting data from HYAS Insight. {error.response}: {error.response.reason}"
- logger.error(msg)
- misperrors["error"] = msg
- raise
- return response
-
-
-class HyasInsightParser:
- """A class for handling the enrichment objects"""
-
- def __init__(self, attribute):
- self.attribute = attribute
- self.misp_event = MISPEvent()
- self.misp_event.add_attribute(**attribute)
-
- self.c2_attribution_data_items = [
- 'actor_ipv4',
- 'c2_domain',
- 'c2_ip',
- 'c2_url',
- 'datetime',
- 'email',
- 'email_domain',
- 'referrer_domain',
- 'referrer_ipv4',
- 'referrer_url',
- 'sha256'
- ]
- self.c2_attribution_data_items_friendly_names = {
- 'actor_ipv4': 'Actor IPv4',
- 'c2_domain': 'C2 Domain',
- 'c2_ip': 'C2 IP',
- 'c2_url': 'C2 URL',
- 'datetime': 'DateTime',
- 'email': 'Email',
- 'email_domain': 'Email Domain',
- 'referrer_domain': 'Referrer Domain',
- 'referrer_ipv4': 'Referrer IPv4',
- 'referrer_url': 'Referrer URL',
- 'sha256': 'SHA256'
- }
-
- self.device_geo_data_items = [
- 'datetime',
- 'device_user_agent',
- 'geo_country_alpha_2',
- 'geo_horizontal_accuracy',
- 'ipv4',
- 'ipv6',
- 'latitude',
- 'longitude',
- 'wifi_bssid'
- ]
-
- self.device_geo_data_items_friendly_names = {
- 'datetime': 'DateTime',
- 'device_user_agent': 'Device User Agent',
- 'geo_country_alpha_2': 'Alpha-2 Code',
- 'geo_horizontal_accuracy': 'GPS Horizontal Accuracy',
- 'ipv4': 'IPv4 Address',
- 'ipv6': 'IPv6 Address',
- 'latitude': 'Latitude',
- 'longitude': 'Longitude',
- 'wifi_bssid': 'WIFI BSSID'
- }
-
- self.dynamic_dns_data_items = [
- 'a_record',
- 'account',
- 'created',
- 'created_ip',
- 'domain',
- 'domain_creator_ip',
- 'email',
- ]
-
- self.dynamic_dns_data_items_friendly_names = {
- 'a_record': 'A Record',
- 'account': 'Account Holder',
- 'created': 'Created Date',
- 'created_ip': 'Account Holder IP Address',
- 'domain': 'Domain',
- 'domain_creator_ip': 'Domain Creator IP Address',
- 'email': 'Email Address',
- }
-
- self.os_indicators_data_items = [
- 'context',
- 'datetime',
- 'domain',
- 'domain_2tld',
- 'first_seen',
- 'ipv4',
- 'ipv6',
- 'last_seen',
- 'md5',
- 'sha1',
- 'sha256',
- 'source_name',
- 'source_url',
- 'url'
- ]
-
- self.os_indicators_data_items_friendly_names = {
- 'context': 'Context',
- 'datetime': 'DateTime',
- 'domain': 'Domain',
- 'domain_2tld': 'Domain 2TLD',
- 'first_seen': 'First Seen',
- 'ipv4': 'IPv4 Address',
- 'ipv6': 'IPv6 Address',
- 'last_seen': 'Last Seen',
- 'md5': 'MD5',
- 'sha1': 'SHA1',
- 'sha256': 'SHA256',
- 'source_name': 'Source Name',
- 'source_url': 'Source URL',
- 'url': 'URL'
- }
-
- self.passive_dns_data_items = [
- 'cert_name',
- 'count',
- 'domain',
- 'first_seen',
- 'ip_geo_city_name',
- 'ip_geo_country_iso_code',
- 'ip_geo_country_name',
- 'ip_geo_location_latitude',
- 'ip_geo_location_longitude',
- 'ip_geo_postal_code',
- 'ip_ip',
- 'ip_isp_autonomous_system_number',
- 'ip_isp_autonomous_system_organization',
- 'ip_isp_ip_address',
- 'ip_isp_isp',
- 'ip_isp_organization',
- 'ipv4',
- 'ipv6',
- 'last_seen'
- ]
-
- self.passive_dns_data_items_friendly_names = {
- 'cert_name': 'Certificate Provider Name',
- 'count': 'Passive DNS Count',
- 'domain': 'Domain',
- 'first_seen': 'First Seen',
- 'ip_geo_city_name': 'IP Organization City',
- 'ip_geo_country_iso_code': 'IP Organization Country ISO Code',
- 'ip_geo_country_name': 'IP Organization Country Name',
- 'ip_geo_location_latitude': 'IP Organization Latitude',
- 'ip_geo_location_longitude': 'IP Organization Longitude',
- 'ip_geo_postal_code': 'IP Organization Postal Code',
- 'ip_ip': 'IP Address',
- 'ip_isp_autonomous_system_number': 'ASN IP',
- 'ip_isp_autonomous_system_organization': 'ASO IP',
- 'ip_isp_ip_address': 'IP Address',
- 'ip_isp_isp': 'ISP',
- 'ip_isp_organization': 'ISP Organization',
- 'ipv4': 'IPv4 Address',
- 'ipv6': 'IPv6 Address',
- 'last_seen': 'Last Seen'
- }
-
- self.passive_hash_data_items = [
- 'domain',
- 'md5_count'
- ]
-
- self.passive_hash_data_items_friendly_names = {
- 'domain': 'Domain',
- 'md5_count': 'Passive DNS Count'
- }
-
- self.malware_records_data_items = [
- 'datetime',
- 'domain',
- 'ipv4',
- 'ipv6',
- 'md5',
- 'sha1',
- 'sha256'
- ]
-
- self.malware_records_data_items_friendly_names = {
- 'datetime': 'DateTime',
- 'domain': 'Domain',
- 'ipv4': 'IPv4 Address',
- 'ipv6': 'IPv6 Address',
- 'md5': 'MD5',
- 'sha1': 'SHA1',
- 'sha256': 'SHA256'
- }
-
- self.malware_information_data_items = [
- 'avscan_score',
- 'md5',
- 'av_name',
- 'def_time',
- 'threat_found',
- 'scan_time',
- 'sha1',
- 'sha256',
- 'sha512'
- ]
-
- self.malware_information_data_items_friendly_names = {
- 'avscan_score': 'AV Scan Score',
- 'md5': 'MD5',
- 'av_name': 'AV Name',
- 'def_time': 'AV DateTime',
- 'threat_found': 'Source',
- 'scan_time': 'Scan DateTime',
- 'sha1': 'SHA1',
- 'sha256': 'SHA256',
- 'sha512': 'SHA512'
- }
-
- self.sinkhole_data_items = [
- 'count',
- 'country_name',
- 'country_code',
- 'data_port',
- 'datetime',
- 'ipv4',
- 'last_seen',
- 'organization_name',
- 'sink_source'
- ]
-
- self.sinkhole_data_items_friendly_names = {
- 'count': 'Sinkhole Count',
- 'country_name': 'IP Address Country',
- 'country_code': 'IP Address Country Code',
- 'data_port': 'Data Port',
- 'datetime': 'First Seen',
- 'ipv4': 'IP Address',
- 'last_seen': 'Last Seen',
- 'organization_name': 'ISP Organization',
- 'sink_source': 'Sink Source IP'
- }
-
- self.ssl_certificate_data_items = [
- 'ip',
- 'ssl_cert_cert_key',
- 'ssl_cert_expire_date',
- 'ssl_cert_issue_date',
- 'ssl_cert_issuer_commonName',
- 'ssl_cert_issuer_countryName',
- 'ssl_cert_issuer_localityName',
- 'ssl_cert_issuer_organizationName',
- 'ssl_cert_issuer_organizationalUnitName',
- 'ssl_cert_issuer_stateOrProvinceName',
- 'ssl_cert_md5',
- 'ssl_cert_serial_number',
- 'ssl_cert_sha1',
- 'ssl_cert_sha_256',
- 'ssl_cert_sig_algo',
- 'ssl_cert_ssl_version',
- 'ssl_cert_subject_commonName',
- 'ssl_cert_subject_countryName',
- 'ssl_cert_subject_localityName',
- 'ssl_cert_subject_organizationName',
- 'ssl_cert_subject_organizationalUnitName',
- 'ssl_cert_timestamp'
- ]
-
- self.ssl_certificate_data_items_friendly_names = {
- 'ip': 'IP Address',
- 'ssl_cert_cert_key': 'Certificate Key',
- 'ssl_cert_expire_date': 'Certificate Expiration Date',
- 'ssl_cert_issue_date': 'Certificate Issue Date',
- 'ssl_cert_issuer_commonName': 'Issuer Common Name',
- 'ssl_cert_issuer_countryName': 'Issuer Country Name',
- 'ssl_cert_issuer_localityName': 'Issuer City Name',
- 'ssl_cert_issuer_organizationName': 'Issuer Organization Name',
- 'ssl_cert_issuer_organizationalUnitName': 'Issuer Organization Unit Name',
- 'ssl_cert_issuer_stateOrProvinceName': 'Issuer State or Province Name',
- 'ssl_cert_md5': 'Certificate MD5',
- 'ssl_cert_serial_number': 'Certificate Serial Number',
- 'ssl_cert_sha1': 'Certificate SHA1',
- 'ssl_cert_sha_256': 'Certificate SHA256',
- 'ssl_cert_sig_algo': 'Certificate Signature Algorithm',
- 'ssl_cert_ssl_version': 'SSL Version',
- 'ssl_cert_subject_commonName': 'Reciever Subject Name',
- 'ssl_cert_subject_countryName': 'Receiver Country Name',
- 'ssl_cert_subject_localityName': 'Receiver City Name',
- 'ssl_cert_subject_organizationName': 'Receiver Organization Name',
- 'ssl_cert_subject_organizationalUnitName': 'Receiver Organization Unit Name',
- 'ssl_cert_timestamp': 'Certificate DateTime'
- }
-
- self.whois_historic_data_items = [
- 'abuse_emails',
- 'address',
- 'city',
- 'country',
- 'datetime',
- 'domain',
- 'domain_2tld',
- 'domain_created_datetime',
- 'domain_expires_datetime',
- 'domain_updated_datetime',
- 'email',
- 'idn_name',
- 'name',
- 'nameserver',
- 'organization',
- 'phone',
- 'privacy_punch',
- 'registrar'
- ]
-
- self.whois_historic_data_items_friendly_names = {
- 'abuse_emails': 'Abuse Emails',
- 'address': 'Address',
- 'city': 'City',
- 'country': 'Country',
- 'datetime': 'Datetime',
- 'domain': 'Domain',
- 'domain_2tld': 'Domain 2tld',
- 'domain_created_datetime': 'Domain Created Time',
- 'domain_expires_datetime': 'Domain Expires Time',
- 'domain_updated_datetime': 'Domain Updated Time',
- 'email': 'Email Address',
- 'idn_name': 'IDN Name',
- 'name': 'Name',
- 'nameserver': 'Nameserver',
- 'organization': 'Organization',
- 'phone': 'Phone Info',
- 'privacy_punch': 'Privacy Punch',
- 'registrar': 'Registrar'
- }
-
- self.whois_current_data_items = [
- 'abuse_emails',
- 'address',
- 'city',
- 'country',
- 'datetime',
- 'domain',
- 'domain_2tld',
- 'domain_created_datetime',
- 'domain_expires_datetime',
- 'domain_updated_datetime',
- 'email',
- 'idn_name',
- 'name',
- 'nameserver',
- 'organization',
- 'phone',
- 'privacy_punch',
- 'registrar',
- 'state'
- ]
-
- self.whois_current_data_items_friendly_names = {
- 'abuse_emails': 'Abuse Emails',
- 'address': 'Address',
- 'city': 'City',
- 'country': 'Country',
- 'datetime': 'Datetime',
- 'domain': 'Domain',
- 'domain_2tld': 'Domain 2tld',
- 'domain_created_datetime': 'Domain Created Time',
- 'domain_expires_datetime': 'Domain Expires Time',
- 'domain_updated_datetime': 'Domain Updated Time',
- 'email': 'Email Address',
- 'idn_name': 'IDN Name',
- 'name': 'Name',
- 'nameserver': 'Nameserver',
- 'organization': 'Organization',
- 'phone': 'Phone',
- 'privacy_punch': 'Privacy Punch',
- 'registrar': 'Registrar',
- 'state': 'State'
- }
-
- def create_misp_attributes_and_objects(self, response, endpoint, attribute_value):
- flatten_json_response = get_flatten_json_response(response)
- data_items: List[str] = []
- data_items_friendly_names: Dict[str, str] = {}
- if endpoint == DEVICE_GEO_ENDPOINT:
- data_items: List[str] = self.device_geo_data_items
- data_items_friendly_names: Dict[str, str] = self.device_geo_data_items_friendly_names
- elif endpoint == DYNAMIC_DNS_ENDPOINT:
- data_items: List[str] = self.dynamic_dns_data_items
- data_items_friendly_names: Dict[str, str] = self.dynamic_dns_data_items_friendly_names
- elif endpoint == PASSIVE_DNS_ENDPOINT:
- data_items: List[str] = self.passive_dns_data_items
- data_items_friendly_names: Dict[str, str] = self.passive_dns_data_items_friendly_names
- elif endpoint == PASSIVE_HASH_ENDPOINT:
- data_items: List[str] = self.passive_hash_data_items
- data_items_friendly_names: Dict[str, str] = self.passive_hash_data_items_friendly_names
- elif endpoint == SINKHOLE_ENDPOINT:
- data_items: List[str] = self.sinkhole_data_items
- data_items_friendly_names: Dict[str, str] = self.sinkhole_data_items_friendly_names
- elif endpoint == WHOIS_HISTORIC_ENDPOINT:
- data_items = self.whois_historic_data_items
- data_items_friendly_names = self.whois_historic_data_items_friendly_names
- elif endpoint == WHOIS_CURRENT_ENDPOINT:
- data_items: List[str] = self.whois_current_data_items
- data_items_friendly_names: Dict[str, str] = self.whois_current_data_items_friendly_names
- elif endpoint == SSL_CERTIFICATE_ENDPOINT:
- data_items: List[str] = self.ssl_certificate_data_items
- data_items_friendly_names: Dict[str, str] = self.ssl_certificate_data_items_friendly_names
- elif endpoint == MALWARE_INFORMATION_ENDPOINT:
- data_items: List[str] = self.malware_information_data_items
- data_items_friendly_names = self.malware_information_data_items_friendly_names
- elif endpoint == MALWARE_RECORDS_ENDPOINT:
- data_items: List[str] = self.malware_records_data_items
- data_items_friendly_names = self.malware_records_data_items_friendly_names
- elif endpoint == OPEN_SOURCE_INDICATORS_ENDPOINT:
- data_items: List[str] = self.os_indicators_data_items
- data_items_friendly_names = self.os_indicators_data_items_friendly_names
- elif endpoint == C2ATTRIBUTION_ENDPOINT:
- data_items: List[str] = self.c2_attribution_data_items
- data_items_friendly_names = self.c2_attribution_data_items_friendly_names
-
- for result in flatten_json_response:
- hyas_object = misp_object(endpoint, attribute_value)
- for data_item in result.keys():
- if data_item in data_items:
- data_item_text = data_items_friendly_names[data_item]
- data_item_value = str(result[data_item])
- hyas_object.add_attribute(
- **parse_attribute(hyas_object.comment, data_item_text, data_item_value))
- hyas_object.add_reference(self.attribute['uuid'], 'related-to')
- self.misp_event.add_object(hyas_object)
-
- def get_results(self):
- """returns the dictionary object to MISP Instance"""
- event = json.loads(self.misp_event.to_json())
- results = {key: event[key] for key in ('Attribute', 'Object')}
- return {'results': results}
-
-
-def handler(q=False):
- """The function which accepts a JSON document to expand the values and return a dictionary of the expanded
- values. """
- if q is False:
- return False
- request = json.loads(q)
- # check if the apikey is provided
- if not request.get('config') or not request['config'].get('apikey'):
- misperrors['error'] = 'HYAS Insight apikey is missing'
- return misperrors
- apikey = request['config'].get('apikey')
- # check attribute is added to the event
- if not request.get('attribute') or not check_input_attribute(request['attribute']):
- return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
-
- attribute = request['attribute']
- attribute_type = attribute['type']
- attribute_value = attribute['value']
-
- # check if the attribute type is supported by IPQualityScore
- if attribute_type not in mispattributes['input']:
- return {'error': 'Unsupported attributes type for HYAS Insight Enrichment'}
- request_handler = RequestHandler(apikey)
- parser = HyasInsightParser(attribute)
- has_results = False
- if attribute_type in ip_query_input_type:
- ip_param = ''
- for endpoint in HYAS_IP_ENRICHMENT_ENDPOINTS_LIST:
- if endpoint == DEVICE_GEO_ENDPOINT:
- if re.match(IPV4_REGEX, attribute_value):
- ip_param = IPV4_PARAM
- elif re.match(IPV6_REGEX, attribute_value):
- ip_param = IPV6_PARAM
- elif endpoint == PASSIVE_HASH_ENDPOINT:
- ip_param = IPV4_PARAM
- elif endpoint == SINKHOLE_ENDPOINT:
- ip_param = IPV4_PARAM
- elif endpoint == MALWARE_RECORDS_ENDPOINT:
- ip_param = IPV4_PARAM
- else:
- ip_param = IP_PARAM
- enrich_response = request_handler.hyas_lookup(endpoint, ip_param, attribute_value)
- if endpoint == SSL_CERTIFICATE_ENDPOINT:
- enrich_response = enrich_response.get('ssl_certs')
- if enrich_response:
- has_results = True
- parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
- elif attribute_type in domain_query_input_type:
- for endpoint in HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST:
- if not endpoint == WHOIS_CURRENT_ENDPOINT:
- enrich_response = request_handler.hyas_lookup(endpoint, DOMAIN_PARAM, attribute_value)
- else:
- enrich_response = request_handler.hyas_lookup(endpoint, DOMAIN_PARAM, attribute_value,
- endpoint == WHOIS_CURRENT_ENDPOINT)
- enrich_response = enrich_response.get('items')
- if enrich_response:
- has_results = True
- parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
- elif attribute_type in email_query_input_type:
- for endpoint in HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST:
- enrich_response = request_handler.hyas_lookup(endpoint, EMAIL_PARAM, attribute_value)
- if enrich_response:
- has_results = True
- parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
- elif attribute_type in phone_query_input_type:
- for endpoint in HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST:
- enrich_response = request_handler.hyas_lookup(endpoint, PHONE_PARAM, attribute_value)
- if enrich_response:
- has_results = True
- parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
- elif attribute_type in md5_query_input_type:
- md5_param = MD5_PARAM
- for endpoint in HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST:
- if endpoint == MALWARE_INFORMATION_ENDPOINT:
- md5_param = HASH_PARAM
- enrich_response = request_handler.hyas_lookup(endpoint, md5_param, attribute_value)
- if enrich_response:
- has_results = True
- if endpoint == MALWARE_INFORMATION_ENDPOINT:
- enrich_response = malware_info_lookup_to_markdown(enrich_response)
- parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
- elif attribute_type in sha1_query_input_type:
- sha1_param = SHA1_PARAM
- for endpoint in HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST:
- if endpoint == MALWARE_INFORMATION_ENDPOINT:
- sha1_param = HASH_PARAM
- elif endpoint == SSL_CERTIFICATE_ENDPOINT:
- sha1_param = HASH_PARAM
- enrich_response = request_handler.hyas_lookup(endpoint, sha1_param, attribute_value)
-
- if enrich_response:
- has_results = True
- if endpoint == MALWARE_INFORMATION_ENDPOINT:
- enrich_response = malware_info_lookup_to_markdown(enrich_response)
- parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
- elif attribute_type in sha256_query_input_type:
- sha256_param = SHA256_PARAM
- for endpoint in HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST:
- if endpoint == MALWARE_INFORMATION_ENDPOINT:
- sha256_param = HASH_PARAM
- enrich_response = request_handler.hyas_lookup(endpoint, sha256_param, attribute_value)
- if enrich_response:
- has_results = True
- if endpoint == MALWARE_INFORMATION_ENDPOINT:
- enrich_response = malware_info_lookup_to_markdown(enrich_response)
- parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
- elif attribute_type in sha512_query_input_type:
- sha512_param = ''
- for endpoint in HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST:
- if endpoint == MALWARE_INFORMATION_ENDPOINT:
- sha512_param = HASH_PARAM
- enrich_response = request_handler.hyas_lookup(endpoint, sha512_param, attribute_value)
- if enrich_response:
- has_results = True
- if endpoint == MALWARE_INFORMATION_ENDPOINT:
- enrich_response = malware_info_lookup_to_markdown(enrich_response)
- parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
-
- if has_results:
- return parser.get_results()
- else:
- return {'error': 'No records found in HYAS Insight for the provided attribute.'}
-
-
-def introspection():
- """The function that returns a dict of the supported attributes (input and output) by your expansion module."""
- return mispattributes
-
-
-def version():
- """The function that returns a dict with the version and the associated meta-data including potential
- configurations required of the module. """
- moduleinfo['config'] = moduleconfig
- return moduleinfo
+import json
+import logging
+from typing import Dict, List, Any
+
+import requests
+import re
+from requests.exceptions import (
+ HTTPError,
+ ProxyError,
+ InvalidURL,
+ ConnectTimeout
+)
+from . import check_input_attribute, standard_error_message
+from pymisp import MISPEvent, MISPObject, Distribution
+
+ip_query_input_type = [
+ 'ip-src',
+ 'ip-dst'
+]
+domain_query_input_type = [
+ 'hostname',
+ 'domain'
+]
+email_query_input_type = [
+ 'email',
+ 'email-src',
+ 'email-dst',
+ 'target-email',
+ 'whois-registrant-email'
+]
+phone_query_input_type = [
+ 'phone-number',
+ 'whois-registrant-phone'
+]
+
+md5_query_input_type = [
+ 'md5',
+ 'x509-fingerprint-md5',
+ 'ja3-fingerprint-md5',
+ 'hassh-md5',
+ 'hasshserver-md5'
+]
+
+sha1_query_input_type = [
+ 'sha1',
+ 'x509-fingerprint-sha1'
+]
+
+sha256_query_input_type = [
+ 'sha256',
+ 'x509-fingerprint-sha256'
+]
+
+sha512_query_input_type = [
+ 'sha512'
+]
+
+misperrors = {
+ 'error': 'Error'
+}
+mispattributes = {
+ 'input': ip_query_input_type + domain_query_input_type + email_query_input_type + phone_query_input_type
+ + md5_query_input_type + sha1_query_input_type + sha256_query_input_type + sha512_query_input_type,
+ 'format': 'misp_standard'
+}
+
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Mike Champ',
+ 'description': 'HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'HYAS Insight Lookup',
+ 'logo': 'hyas.png',
+ 'requirements': ['A HYAS Insight API Key.'],
+ 'features': 'This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.\n The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. \n\nAn API key is required to submit queries to the HYAS Insight API.\n',
+ 'references': ['https://www.hyas.com/hyas-insight/'],
+ 'input': 'A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)',
+ 'output': 'Hyas Insight objects, resulting from the query on the HYAS Insight API.',
+}
+moduleconfig = ['apikey']
+TIMEOUT = 60
+logger = logging.getLogger('hyasinsight')
+logger.setLevel(logging.DEBUG)
+HYAS_API_BASE_URL = 'https://insight.hyas.com/api/ext/'
+WHOIS_CURRENT_BASE_URL = 'https://api.hyas.com/'
+DEFAULT_DISTRIBUTION_SETTING = Distribution.your_organisation_only.value
+IPV4_REGEX = r'\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b([^\/]|$)'
+IPV6_REGEX = r'\b(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:(?:(:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b' # noqa: E501
+# Enrichment Types
+# HYAS API endpoints
+PASSIVE_DNS_ENDPOINT = 'passivedns'
+DYNAMIC_DNS_ENDPOINT = 'dynamicdns'
+PASSIVE_HASH_ENDPOINT = 'passivehash'
+SINKHOLE_ENDPOINT = 'sinkhole'
+SSL_CERTIFICATE_ENDPOINT = 'ssl_certificate'
+DEVICE_GEO_ENDPOINT = 'device_geo'
+WHOIS_HISTORIC_ENDPOINT = 'whois'
+WHOIS_CURRENT_ENDPOINT = 'whois/v1'
+MALWARE_RECORDS_ENDPOINT = 'sample'
+MALWARE_INFORMATION_ENDPOINT = 'sample/information'
+C2ATTRIBUTION_ENDPOINT = 'c2attribution'
+OPEN_SOURCE_INDICATORS_ENDPOINT = 'os_indicators'
+
+# HYAS API endpoint params
+DOMAIN_PARAM = 'domain'
+IP_PARAM = 'ip'
+IPV4_PARAM = 'ipv4'
+IPV6_PARAM = 'ipv6'
+EMAIL_PARAM = 'email'
+PHONE_PARAM = 'phone'
+MD5_PARAM = 'md5'
+SHA256_PARAM = 'sha256'
+SHA512_PARAM = 'sha512'
+HASH_PARAM = 'hash'
+SHA1_PARAM = 'sha1'
+
+HYAS_IP_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, PASSIVE_DNS_ENDPOINT, PASSIVE_HASH_ENDPOINT,
+ SINKHOLE_ENDPOINT,
+ SSL_CERTIFICATE_ENDPOINT, DEVICE_GEO_ENDPOINT, C2ATTRIBUTION_ENDPOINT,
+ MALWARE_RECORDS_ENDPOINT, OPEN_SOURCE_INDICATORS_ENDPOINT]
+HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST = [PASSIVE_DNS_ENDPOINT, DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT,
+ MALWARE_RECORDS_ENDPOINT, WHOIS_CURRENT_ENDPOINT, PASSIVE_HASH_ENDPOINT,
+ C2ATTRIBUTION_ENDPOINT, SSL_CERTIFICATE_ENDPOINT,
+ OPEN_SOURCE_INDICATORS_ENDPOINT]
+HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT, C2ATTRIBUTION_ENDPOINT]
+HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST = [WHOIS_HISTORIC_ENDPOINT]
+HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST = [SSL_CERTIFICATE_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
+ OPEN_SOURCE_INDICATORS_ENDPOINT]
+HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST = [C2ATTRIBUTION_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
+ OPEN_SOURCE_INDICATORS_ENDPOINT]
+HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST = [MALWARE_INFORMATION_ENDPOINT]
+HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST = [MALWARE_RECORDS_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
+ OPEN_SOURCE_INDICATORS_ENDPOINT]
+
+HYAS_OBJECT_NAMES = {
+ DYNAMIC_DNS_ENDPOINT: "Dynamic DNS Information",
+ PASSIVE_HASH_ENDPOINT: "Passive Hash Information",
+ SINKHOLE_ENDPOINT: "Sinkhole Information",
+ SSL_CERTIFICATE_ENDPOINT: "SSL Certificate Information",
+ DEVICE_GEO_ENDPOINT: "Mobile Geolocation Information",
+ C2ATTRIBUTION_ENDPOINT: "C2 Attribution Information",
+ PASSIVE_DNS_ENDPOINT: "Passive DNS Information",
+ WHOIS_HISTORIC_ENDPOINT: "Whois Related Information",
+ WHOIS_CURRENT_ENDPOINT: "Whois Current Related Information",
+ MALWARE_INFORMATION_ENDPOINT: "Malware Sample Information",
+ OPEN_SOURCE_INDICATORS_ENDPOINT: "Open Source Intel for malware, ssl certificates and other indicators Information",
+ MALWARE_RECORDS_ENDPOINT: "Malware Sample Records Information"
+}
+
+
+def parse_attribute(comment, feature, value):
+ """Generic Method for parsing the attributes in the object"""
+ attribute = {
+ 'type': 'text',
+ 'value': value,
+ 'comment': comment,
+ 'distribution': DEFAULT_DISTRIBUTION_SETTING,
+ 'object_relation': feature
+ }
+ return attribute
+
+
+def misp_object(endpoint, attribute_value):
+ object_name = HYAS_OBJECT_NAMES[endpoint]
+ hyas_object = MISPObject(object_name)
+ hyas_object.distribution = DEFAULT_DISTRIBUTION_SETTING
+ hyas_object.template_uuid = "d69d3d15-7b4d-49b1-9e0a-bb29f3d421d9"
+ hyas_object.template_id = "1"
+ hyas_object.description = "HYAS INSIGHT " + object_name
+ hyas_object.comment = "HYAS INSIGHT " + object_name + " for " + attribute_value
+ setattr(hyas_object, 'meta-category', 'network')
+ description = (
+ "An object containing the enriched attribute and "
+ "related entities from HYAS Insight."
+ )
+ hyas_object.from_dict(
+ **{"meta-category": "misc", "description": description,
+ "distribution": DEFAULT_DISTRIBUTION_SETTING}
+ )
+ return hyas_object
+
+
+def flatten_json(y: Dict) -> Dict[str, Any]:
+ """
+ :param y: raw_response from HYAS api
+ :return: Flatten json response
+ """
+ out = {}
+
+ def flatten(x, name=''):
+ # If the Nested key-value
+ # pair is of dict type
+ if type(x) is dict:
+ for a in x:
+ flatten(x[a], name + a + '_')
+ else:
+ out[name[:-1]] = x
+
+ flatten(y)
+ return out
+
+
+def get_flatten_json_response(raw_api_response: List[Dict]) -> List[Dict]:
+ """
+ :param raw_api_response: raw_api response from the API
+ :return: Flatten Json response
+ """
+ flatten_json_response = []
+ if raw_api_response:
+ for obj in raw_api_response:
+ flatten_json_response.append(flatten_json(obj))
+
+ return flatten_json_response
+
+
+def request_body(query_input, query_param, current):
+ """
+ This Method returns the request body for specific endpoint.
+ """
+
+ if current:
+ return {
+ "applied_filters": {
+ query_input: query_param,
+ "current": True
+ }
+ }
+ else:
+ return {
+ "applied_filters": {
+ query_input: query_param
+ }
+ }
+
+
+def malware_info_lookup_to_markdown(results: Dict) -> list:
+ scan_results = results.get('scan_results', [])
+ out = []
+ if scan_results:
+ for res in scan_results:
+ malware_info_data = {
+ "avscan_score": results.get(
+ "avscan_score", ''),
+ "md5": results.get("md5", ''),
+ 'av_name': res.get(
+ "av_name", ''),
+ 'def_time': res.get(
+ "def_time", ''),
+ 'threat_found': res.get(
+ 'threat_found', ''),
+ 'scan_time': results.get("scan_time", ''),
+ 'sha1': results.get('sha1', ''),
+ 'sha256': results.get('sha256', ''),
+ 'sha512': results.get('sha512', '')
+ }
+ out.append(malware_info_data)
+ else:
+ malware_info_data = {
+ "avscan_score": results.get("avscan_score", ''),
+ "md5": results.get("md5", ''),
+ 'av_name': '',
+ 'def_time': '',
+ 'threat_found': '',
+ 'scan_time': results.get("scan_time", ''),
+ 'sha1': results.get('sha1', ''),
+ 'sha256': results.get('sha256', ''),
+ 'sha512': results.get('sha512', '')
+ }
+ out.append(malware_info_data)
+ return out
+
+
+class RequestHandler:
+ """A class for handling any outbound requests from this module."""
+
+ def __init__(self, apikey):
+ self.session = requests.Session()
+ self.api_key = apikey
+
+ def get(self, url: str, headers: dict = None, req_body=None) -> requests.Response:
+ """General post method to fetch the response from HYAS Insight."""
+ response = []
+ try:
+ response = self.session.post(
+ url, headers=headers, json=req_body
+ )
+ if response:
+ response = response.json()
+ except (ConnectTimeout, ProxyError, InvalidURL) as error:
+ msg = "Error connecting with the HYAS Insight."
+ logger.error(f"{msg} Error: {error}")
+ misperrors["error"] = msg
+ return response
+
+ def hyas_lookup(self, end_point: str, query_input, query_param, current=False) -> requests.Response:
+ """Do a lookup call."""
+ # Building the request
+ if current:
+ url = f'{WHOIS_CURRENT_BASE_URL}{WHOIS_CURRENT_ENDPOINT}'
+ else:
+ url = f'{HYAS_API_BASE_URL}{end_point}'
+ headers = {
+ 'Content-type': 'application/json',
+ 'X-API-Key': self.api_key,
+ 'User-Agent': 'Misp Modules'
+ }
+ req_body = request_body(query_input, query_param, current)
+ try:
+ response = self.get(url, headers, req_body)
+ except HTTPError as error:
+ msg = f"Error when requesting data from HYAS Insight. {error.response}: {error.response.reason}"
+ logger.error(msg)
+ misperrors["error"] = msg
+ raise
+ return response
+
+
+class HyasInsightParser:
+ """A class for handling the enrichment objects"""
+
+ def __init__(self, attribute):
+ self.attribute = attribute
+ self.misp_event = MISPEvent()
+ self.misp_event.add_attribute(**attribute)
+
+ self.c2_attribution_data_items = [
+ 'actor_ipv4',
+ 'c2_domain',
+ 'c2_ip',
+ 'c2_url',
+ 'datetime',
+ 'email',
+ 'email_domain',
+ 'referrer_domain',
+ 'referrer_ipv4',
+ 'referrer_url',
+ 'sha256'
+ ]
+ self.c2_attribution_data_items_friendly_names = {
+ 'actor_ipv4': 'Actor IPv4',
+ 'c2_domain': 'C2 Domain',
+ 'c2_ip': 'C2 IP',
+ 'c2_url': 'C2 URL',
+ 'datetime': 'DateTime',
+ 'email': 'Email',
+ 'email_domain': 'Email Domain',
+ 'referrer_domain': 'Referrer Domain',
+ 'referrer_ipv4': 'Referrer IPv4',
+ 'referrer_url': 'Referrer URL',
+ 'sha256': 'SHA256'
+ }
+
+ self.device_geo_data_items = [
+ 'datetime',
+ 'device_user_agent',
+ 'geo_country_alpha_2',
+ 'geo_horizontal_accuracy',
+ 'ipv4',
+ 'ipv6',
+ 'latitude',
+ 'longitude',
+ 'wifi_bssid'
+ ]
+
+ self.device_geo_data_items_friendly_names = {
+ 'datetime': 'DateTime',
+ 'device_user_agent': 'Device User Agent',
+ 'geo_country_alpha_2': 'Alpha-2 Code',
+ 'geo_horizontal_accuracy': 'GPS Horizontal Accuracy',
+ 'ipv4': 'IPv4 Address',
+ 'ipv6': 'IPv6 Address',
+ 'latitude': 'Latitude',
+ 'longitude': 'Longitude',
+ 'wifi_bssid': 'WIFI BSSID'
+ }
+
+ self.dynamic_dns_data_items = [
+ 'a_record',
+ 'account',
+ 'created',
+ 'created_ip',
+ 'domain',
+ 'domain_creator_ip',
+ 'email',
+ ]
+
+ self.dynamic_dns_data_items_friendly_names = {
+ 'a_record': 'A Record',
+ 'account': 'Account Holder',
+ 'created': 'Created Date',
+ 'created_ip': 'Account Holder IP Address',
+ 'domain': 'Domain',
+ 'domain_creator_ip': 'Domain Creator IP Address',
+ 'email': 'Email Address',
+ }
+
+ self.os_indicators_data_items = [
+ 'context',
+ 'datetime',
+ 'domain',
+ 'domain_2tld',
+ 'first_seen',
+ 'ipv4',
+ 'ipv6',
+ 'last_seen',
+ 'md5',
+ 'sha1',
+ 'sha256',
+ 'source_name',
+ 'source_url',
+ 'url'
+ ]
+
+ self.os_indicators_data_items_friendly_names = {
+ 'context': 'Context',
+ 'datetime': 'DateTime',
+ 'domain': 'Domain',
+ 'domain_2tld': 'Domain 2TLD',
+ 'first_seen': 'First Seen',
+ 'ipv4': 'IPv4 Address',
+ 'ipv6': 'IPv6 Address',
+ 'last_seen': 'Last Seen',
+ 'md5': 'MD5',
+ 'sha1': 'SHA1',
+ 'sha256': 'SHA256',
+ 'source_name': 'Source Name',
+ 'source_url': 'Source URL',
+ 'url': 'URL'
+ }
+
+ self.passive_dns_data_items = [
+ 'cert_name',
+ 'count',
+ 'domain',
+ 'first_seen',
+ 'ip_geo_city_name',
+ 'ip_geo_country_iso_code',
+ 'ip_geo_country_name',
+ 'ip_geo_location_latitude',
+ 'ip_geo_location_longitude',
+ 'ip_geo_postal_code',
+ 'ip_ip',
+ 'ip_isp_autonomous_system_number',
+ 'ip_isp_autonomous_system_organization',
+ 'ip_isp_ip_address',
+ 'ip_isp_isp',
+ 'ip_isp_organization',
+ 'ipv4',
+ 'ipv6',
+ 'last_seen'
+ ]
+
+ self.passive_dns_data_items_friendly_names = {
+ 'cert_name': 'Certificate Provider Name',
+ 'count': 'Passive DNS Count',
+ 'domain': 'Domain',
+ 'first_seen': 'First Seen',
+ 'ip_geo_city_name': 'IP Organization City',
+ 'ip_geo_country_iso_code': 'IP Organization Country ISO Code',
+ 'ip_geo_country_name': 'IP Organization Country Name',
+ 'ip_geo_location_latitude': 'IP Organization Latitude',
+ 'ip_geo_location_longitude': 'IP Organization Longitude',
+ 'ip_geo_postal_code': 'IP Organization Postal Code',
+ 'ip_ip': 'IP Address',
+ 'ip_isp_autonomous_system_number': 'ASN IP',
+ 'ip_isp_autonomous_system_organization': 'ASO IP',
+ 'ip_isp_ip_address': 'IP Address',
+ 'ip_isp_isp': 'ISP',
+ 'ip_isp_organization': 'ISP Organization',
+ 'ipv4': 'IPv4 Address',
+ 'ipv6': 'IPv6 Address',
+ 'last_seen': 'Last Seen'
+ }
+
+ self.passive_hash_data_items = [
+ 'domain',
+ 'md5_count'
+ ]
+
+ self.passive_hash_data_items_friendly_names = {
+ 'domain': 'Domain',
+ 'md5_count': 'Passive DNS Count'
+ }
+
+ self.malware_records_data_items = [
+ 'datetime',
+ 'domain',
+ 'ipv4',
+ 'ipv6',
+ 'md5',
+ 'sha1',
+ 'sha256'
+ ]
+
+ self.malware_records_data_items_friendly_names = {
+ 'datetime': 'DateTime',
+ 'domain': 'Domain',
+ 'ipv4': 'IPv4 Address',
+ 'ipv6': 'IPv6 Address',
+ 'md5': 'MD5',
+ 'sha1': 'SHA1',
+ 'sha256': 'SHA256'
+ }
+
+ self.malware_information_data_items = [
+ 'avscan_score',
+ 'md5',
+ 'av_name',
+ 'def_time',
+ 'threat_found',
+ 'scan_time',
+ 'sha1',
+ 'sha256',
+ 'sha512'
+ ]
+
+ self.malware_information_data_items_friendly_names = {
+ 'avscan_score': 'AV Scan Score',
+ 'md5': 'MD5',
+ 'av_name': 'AV Name',
+ 'def_time': 'AV DateTime',
+ 'threat_found': 'Source',
+ 'scan_time': 'Scan DateTime',
+ 'sha1': 'SHA1',
+ 'sha256': 'SHA256',
+ 'sha512': 'SHA512'
+ }
+
+ self.sinkhole_data_items = [
+ 'count',
+ 'country_name',
+ 'country_code',
+ 'data_port',
+ 'datetime',
+ 'ipv4',
+ 'last_seen',
+ 'organization_name',
+ 'sink_source'
+ ]
+
+ self.sinkhole_data_items_friendly_names = {
+ 'count': 'Sinkhole Count',
+ 'country_name': 'IP Address Country',
+ 'country_code': 'IP Address Country Code',
+ 'data_port': 'Data Port',
+ 'datetime': 'First Seen',
+ 'ipv4': 'IP Address',
+ 'last_seen': 'Last Seen',
+ 'organization_name': 'ISP Organization',
+ 'sink_source': 'Sink Source IP'
+ }
+
+ self.ssl_certificate_data_items = [
+ 'ip',
+ 'ssl_cert_cert_key',
+ 'ssl_cert_expire_date',
+ 'ssl_cert_issue_date',
+ 'ssl_cert_issuer_commonName',
+ 'ssl_cert_issuer_countryName',
+ 'ssl_cert_issuer_localityName',
+ 'ssl_cert_issuer_organizationName',
+ 'ssl_cert_issuer_organizationalUnitName',
+ 'ssl_cert_issuer_stateOrProvinceName',
+ 'ssl_cert_md5',
+ 'ssl_cert_serial_number',
+ 'ssl_cert_sha1',
+ 'ssl_cert_sha_256',
+ 'ssl_cert_sig_algo',
+ 'ssl_cert_ssl_version',
+ 'ssl_cert_subject_commonName',
+ 'ssl_cert_subject_countryName',
+ 'ssl_cert_subject_localityName',
+ 'ssl_cert_subject_organizationName',
+ 'ssl_cert_subject_organizationalUnitName',
+ 'ssl_cert_timestamp'
+ ]
+
+ self.ssl_certificate_data_items_friendly_names = {
+ 'ip': 'IP Address',
+ 'ssl_cert_cert_key': 'Certificate Key',
+ 'ssl_cert_expire_date': 'Certificate Expiration Date',
+ 'ssl_cert_issue_date': 'Certificate Issue Date',
+ 'ssl_cert_issuer_commonName': 'Issuer Common Name',
+ 'ssl_cert_issuer_countryName': 'Issuer Country Name',
+ 'ssl_cert_issuer_localityName': 'Issuer City Name',
+ 'ssl_cert_issuer_organizationName': 'Issuer Organization Name',
+ 'ssl_cert_issuer_organizationalUnitName': 'Issuer Organization Unit Name',
+ 'ssl_cert_issuer_stateOrProvinceName': 'Issuer State or Province Name',
+ 'ssl_cert_md5': 'Certificate MD5',
+ 'ssl_cert_serial_number': 'Certificate Serial Number',
+ 'ssl_cert_sha1': 'Certificate SHA1',
+ 'ssl_cert_sha_256': 'Certificate SHA256',
+ 'ssl_cert_sig_algo': 'Certificate Signature Algorithm',
+ 'ssl_cert_ssl_version': 'SSL Version',
+ 'ssl_cert_subject_commonName': 'Reciever Subject Name',
+ 'ssl_cert_subject_countryName': 'Receiver Country Name',
+ 'ssl_cert_subject_localityName': 'Receiver City Name',
+ 'ssl_cert_subject_organizationName': 'Receiver Organization Name',
+ 'ssl_cert_subject_organizationalUnitName': 'Receiver Organization Unit Name',
+ 'ssl_cert_timestamp': 'Certificate DateTime'
+ }
+
+ self.whois_historic_data_items = [
+ 'abuse_emails',
+ 'address',
+ 'city',
+ 'country',
+ 'datetime',
+ 'domain',
+ 'domain_2tld',
+ 'domain_created_datetime',
+ 'domain_expires_datetime',
+ 'domain_updated_datetime',
+ 'email',
+ 'idn_name',
+ 'name',
+ 'nameserver',
+ 'organization',
+ 'phone',
+ 'privacy_punch',
+ 'registrar'
+ ]
+
+ self.whois_historic_data_items_friendly_names = {
+ 'abuse_emails': 'Abuse Emails',
+ 'address': 'Address',
+ 'city': 'City',
+ 'country': 'Country',
+ 'datetime': 'Datetime',
+ 'domain': 'Domain',
+ 'domain_2tld': 'Domain 2tld',
+ 'domain_created_datetime': 'Domain Created Time',
+ 'domain_expires_datetime': 'Domain Expires Time',
+ 'domain_updated_datetime': 'Domain Updated Time',
+ 'email': 'Email Address',
+ 'idn_name': 'IDN Name',
+ 'name': 'Name',
+ 'nameserver': 'Nameserver',
+ 'organization': 'Organization',
+ 'phone': 'Phone Info',
+ 'privacy_punch': 'Privacy Punch',
+ 'registrar': 'Registrar'
+ }
+
+ self.whois_current_data_items = [
+ 'abuse_emails',
+ 'address',
+ 'city',
+ 'country',
+ 'datetime',
+ 'domain',
+ 'domain_2tld',
+ 'domain_created_datetime',
+ 'domain_expires_datetime',
+ 'domain_updated_datetime',
+ 'email',
+ 'idn_name',
+ 'name',
+ 'nameserver',
+ 'organization',
+ 'phone',
+ 'privacy_punch',
+ 'registrar',
+ 'state'
+ ]
+
+ self.whois_current_data_items_friendly_names = {
+ 'abuse_emails': 'Abuse Emails',
+ 'address': 'Address',
+ 'city': 'City',
+ 'country': 'Country',
+ 'datetime': 'Datetime',
+ 'domain': 'Domain',
+ 'domain_2tld': 'Domain 2tld',
+ 'domain_created_datetime': 'Domain Created Time',
+ 'domain_expires_datetime': 'Domain Expires Time',
+ 'domain_updated_datetime': 'Domain Updated Time',
+ 'email': 'Email Address',
+ 'idn_name': 'IDN Name',
+ 'name': 'Name',
+ 'nameserver': 'Nameserver',
+ 'organization': 'Organization',
+ 'phone': 'Phone',
+ 'privacy_punch': 'Privacy Punch',
+ 'registrar': 'Registrar',
+ 'state': 'State'
+ }
+
+ def create_misp_attributes_and_objects(self, response, endpoint, attribute_value):
+ flatten_json_response = get_flatten_json_response(response)
+ data_items: List[str] = []
+ data_items_friendly_names: Dict[str, str] = {}
+ if endpoint == DEVICE_GEO_ENDPOINT:
+ data_items: List[str] = self.device_geo_data_items
+ data_items_friendly_names: Dict[str, str] = self.device_geo_data_items_friendly_names
+ elif endpoint == DYNAMIC_DNS_ENDPOINT:
+ data_items: List[str] = self.dynamic_dns_data_items
+ data_items_friendly_names: Dict[str, str] = self.dynamic_dns_data_items_friendly_names
+ elif endpoint == PASSIVE_DNS_ENDPOINT:
+ data_items: List[str] = self.passive_dns_data_items
+ data_items_friendly_names: Dict[str, str] = self.passive_dns_data_items_friendly_names
+ elif endpoint == PASSIVE_HASH_ENDPOINT:
+ data_items: List[str] = self.passive_hash_data_items
+ data_items_friendly_names: Dict[str, str] = self.passive_hash_data_items_friendly_names
+ elif endpoint == SINKHOLE_ENDPOINT:
+ data_items: List[str] = self.sinkhole_data_items
+ data_items_friendly_names: Dict[str, str] = self.sinkhole_data_items_friendly_names
+ elif endpoint == WHOIS_HISTORIC_ENDPOINT:
+ data_items = self.whois_historic_data_items
+ data_items_friendly_names = self.whois_historic_data_items_friendly_names
+ elif endpoint == WHOIS_CURRENT_ENDPOINT:
+ data_items: List[str] = self.whois_current_data_items
+ data_items_friendly_names: Dict[str, str] = self.whois_current_data_items_friendly_names
+ elif endpoint == SSL_CERTIFICATE_ENDPOINT:
+ data_items: List[str] = self.ssl_certificate_data_items
+ data_items_friendly_names: Dict[str, str] = self.ssl_certificate_data_items_friendly_names
+ elif endpoint == MALWARE_INFORMATION_ENDPOINT:
+ data_items: List[str] = self.malware_information_data_items
+ data_items_friendly_names = self.malware_information_data_items_friendly_names
+ elif endpoint == MALWARE_RECORDS_ENDPOINT:
+ data_items: List[str] = self.malware_records_data_items
+ data_items_friendly_names = self.malware_records_data_items_friendly_names
+ elif endpoint == OPEN_SOURCE_INDICATORS_ENDPOINT:
+ data_items: List[str] = self.os_indicators_data_items
+ data_items_friendly_names = self.os_indicators_data_items_friendly_names
+ elif endpoint == C2ATTRIBUTION_ENDPOINT:
+ data_items: List[str] = self.c2_attribution_data_items
+ data_items_friendly_names = self.c2_attribution_data_items_friendly_names
+
+ for result in flatten_json_response:
+ hyas_object = misp_object(endpoint, attribute_value)
+ for data_item in result.keys():
+ if data_item in data_items:
+ data_item_text = data_items_friendly_names[data_item]
+ data_item_value = str(result[data_item])
+ hyas_object.add_attribute(
+ **parse_attribute(hyas_object.comment, data_item_text, data_item_value))
+ hyas_object.add_reference(self.attribute['uuid'], 'related-to')
+ self.misp_event.add_object(hyas_object)
+
+ def get_results(self):
+ """returns the dictionary object to MISP Instance"""
+ event = json.loads(self.misp_event.to_json())
+ results = {key: event[key] for key in ('Attribute', 'Object')}
+ return {'results': results}
+
+
+def handler(q=False):
+ """The function which accepts a JSON document to expand the values and return a dictionary of the expanded
+ values. """
+ if q is False:
+ return False
+ request = json.loads(q)
+ # check if the apikey is provided
+ if not request.get('config') or not request['config'].get('apikey'):
+ misperrors['error'] = 'HYAS Insight apikey is missing'
+ return misperrors
+ apikey = request['config'].get('apikey')
+ # check attribute is added to the event
+ if not request.get('attribute') or not check_input_attribute(request['attribute']):
+ return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
+
+ attribute = request['attribute']
+ attribute_type = attribute['type']
+ attribute_value = attribute['value']
+
+ # check if the attribute type is supported by IPQualityScore
+ if attribute_type not in mispattributes['input']:
+ return {'error': 'Unsupported attributes type for HYAS Insight Enrichment'}
+ request_handler = RequestHandler(apikey)
+ parser = HyasInsightParser(attribute)
+ has_results = False
+ if attribute_type in ip_query_input_type:
+ ip_param = ''
+ for endpoint in HYAS_IP_ENRICHMENT_ENDPOINTS_LIST:
+ if endpoint == DEVICE_GEO_ENDPOINT:
+ if re.match(IPV4_REGEX, attribute_value):
+ ip_param = IPV4_PARAM
+ elif re.match(IPV6_REGEX, attribute_value):
+ ip_param = IPV6_PARAM
+ elif endpoint == PASSIVE_HASH_ENDPOINT:
+ ip_param = IPV4_PARAM
+ elif endpoint == SINKHOLE_ENDPOINT:
+ ip_param = IPV4_PARAM
+ elif endpoint == MALWARE_RECORDS_ENDPOINT:
+ ip_param = IPV4_PARAM
+ else:
+ ip_param = IP_PARAM
+ enrich_response = request_handler.hyas_lookup(endpoint, ip_param, attribute_value)
+ if endpoint == SSL_CERTIFICATE_ENDPOINT:
+ enrich_response = enrich_response.get('ssl_certs')
+ if enrich_response:
+ has_results = True
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
+ elif attribute_type in domain_query_input_type:
+ for endpoint in HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST:
+ if not endpoint == WHOIS_CURRENT_ENDPOINT:
+ enrich_response = request_handler.hyas_lookup(endpoint, DOMAIN_PARAM, attribute_value)
+ else:
+ enrich_response = request_handler.hyas_lookup(endpoint, DOMAIN_PARAM, attribute_value,
+ endpoint == WHOIS_CURRENT_ENDPOINT)
+ enrich_response = enrich_response.get('items')
+ if enrich_response:
+ has_results = True
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
+ elif attribute_type in email_query_input_type:
+ for endpoint in HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST:
+ enrich_response = request_handler.hyas_lookup(endpoint, EMAIL_PARAM, attribute_value)
+ if enrich_response:
+ has_results = True
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
+ elif attribute_type in phone_query_input_type:
+ for endpoint in HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST:
+ enrich_response = request_handler.hyas_lookup(endpoint, PHONE_PARAM, attribute_value)
+ if enrich_response:
+ has_results = True
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
+ elif attribute_type in md5_query_input_type:
+ md5_param = MD5_PARAM
+ for endpoint in HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST:
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
+ md5_param = HASH_PARAM
+ enrich_response = request_handler.hyas_lookup(endpoint, md5_param, attribute_value)
+ if enrich_response:
+ has_results = True
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
+ enrich_response = malware_info_lookup_to_markdown(enrich_response)
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
+ elif attribute_type in sha1_query_input_type:
+ sha1_param = SHA1_PARAM
+ for endpoint in HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST:
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
+ sha1_param = HASH_PARAM
+ elif endpoint == SSL_CERTIFICATE_ENDPOINT:
+ sha1_param = HASH_PARAM
+ enrich_response = request_handler.hyas_lookup(endpoint, sha1_param, attribute_value)
+
+ if enrich_response:
+ has_results = True
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
+ enrich_response = malware_info_lookup_to_markdown(enrich_response)
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
+ elif attribute_type in sha256_query_input_type:
+ sha256_param = SHA256_PARAM
+ for endpoint in HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST:
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
+ sha256_param = HASH_PARAM
+ enrich_response = request_handler.hyas_lookup(endpoint, sha256_param, attribute_value)
+ if enrich_response:
+ has_results = True
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
+ enrich_response = malware_info_lookup_to_markdown(enrich_response)
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
+ elif attribute_type in sha512_query_input_type:
+ sha512_param = ''
+ for endpoint in HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST:
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
+ sha512_param = HASH_PARAM
+ enrich_response = request_handler.hyas_lookup(endpoint, sha512_param, attribute_value)
+ if enrich_response:
+ has_results = True
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
+ enrich_response = malware_info_lookup_to_markdown(enrich_response)
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
+
+ if has_results:
+ return parser.get_results()
+ else:
+ return {'error': 'No records found in HYAS Insight for the provided attribute.'}
+
+
+def introspection():
+ """The function that returns a dict of the supported attributes (input and output) by your expansion module."""
+ return mispattributes
+
+
+def version():
+ """The function that returns a dict with the version and the associated meta-data including potential
+ configurations required of the module. """
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
diff --git a/misp_modules/modules/expansion/intel471.py b/misp_modules/modules/expansion/intel471.py
index bf95b2e3..a8127c7a 100755
--- a/misp_modules/modules/expansion/intel471.py
+++ b/misp_modules/modules/expansion/intel471.py
@@ -5,8 +5,20 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain', 'url', 'ip-src', 'ip-dst', 'email-src',
'email-dst', 'target-email', 'whois-registrant-email',
'whois-registrant-name', 'md5', 'sha1', 'sha256'], 'output': ['freetext']}
-moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot', 'description': 'Module to access Intel 471',
- 'module-type': ['hover', 'expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Raphaël Vinot',
+ 'description': 'Module to access Intel 471',
+ 'module-type': ['hover', 'expansion'],
+ 'name': 'Intel471 Lookup',
+ 'logo': 'intel471.png',
+ 'requirements': ['The intel471 python library'],
+ 'features': 'The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it.',
+ 'references': ['https://public.intel471.com/'],
+ 'input': 'A MISP attribute whose type is included in the following list:\n- hostname\n- domain\n- url\n- ip-src\n- ip-dst\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-name\n- md5\n- sha1\n- sha256',
+ 'output': 'Freetext',
+ 'descrption': 'An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.',
+}
moduleconfig = ['email', 'authkey']
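Review bot: The last entry of the new `moduleinfo` dict is keyed `'descrption'`, a misspelling that leaves it unread by anything looking for `'description'` while the dict already carries a `'description'` key a few lines earlier. Either drop the extra entry or fold its longer text into the existing key, e.g. `'description': 'An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.',` and delete the `'descrption'` line. The same dict literal style is used in the other files of this commit, so the misspelled key is the only thing that sets this one apart.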
diff --git a/misp_modules/modules/expansion/ip2locationio.py b/misp_modules/modules/expansion/ip2locationio.py
index 5303b15c..607ff042 100644
--- a/misp_modules/modules/expansion/ip2locationio.py
+++ b/misp_modules/modules/expansion/ip2locationio.py
@@ -10,8 +10,15 @@ mispattributes = {
moduleinfo = {
'version': 1,
'author': 'IP2Location.io',
- 'description': 'An expansion module to query IP2Location.io for additional information on an IP address',
- 'module-type': ['expansion', 'hover']
+ 'description': 'An expansion module to query IP2Location.io to gather more information on a given IP address.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'IP2Location.io Lookup',
+ 'logo': 'ip2locationio.png',
+ 'requirements': ['An IP2Location.io token'],
+ 'features': 'The module takes an IP address attribute as input and queries the IP2Location.io API. \nFree plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address. \n Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan. \n\nMore information on the responses content is available in the [documentation](https://www.ip2location.io/ip2location-documentation).',
+ 'references': ['https://www.ip2location.io/ip2location-documentation'],
+ 'input': 'IP address attribute.',
+ 'output': 'Additional information on the IP address, such as geolocation, proxy and so on. Refer to the Response Format section in https://www.ip2location.io/ip2location-documentation to find out the full format of the data returned.',
}
moduleconfig = ['key']
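Review bot: The `'features'` string in the new `moduleinfo` contains two typos in user-visible text, `informaiton` and `subsription`, which should read `information` and `subscription`. The same string also has a stray space after a line break, `\n Refer to`, which will render as an indented line; `\nRefer to` matches the other sentences. Since this text is what the generated module documentation shows, it is worth fixing before merge.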
diff --git a/misp_modules/modules/expansion/ipasn.py b/misp_modules/modules/expansion/ipasn.py
index 86ad3633..8f7948d4 100755
--- a/misp_modules/modules/expansion/ipasn.py
+++ b/misp_modules/modules/expansion/ipasn.py
@@ -7,7 +7,19 @@ from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'ip'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.3', 'author': 'Raphaël Vinot', 'description': 'Query an IP ASN history service (https://github.com/D4-project/IPASN-History?tab=readme-ov-file)', 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.3',
+ 'author': 'Raphaël Vinot',
+ 'description': 'Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'IPASN-History Lookup',
+ 'logo': '',
+ 'requirements': ['pyipasnhistory: Python library to access IPASN-history instance'],
+ 'features': 'This module takes an IP address attribute as input and queries the CIRCL IPASN service. The result of the query is the latest asn related to the IP address, that is returned as a MISP object.',
+ 'references': ['https://github.com/D4-project/IPASN-History'],
+ 'input': 'An IP address MISP attribute.',
+ 'output': 'Asn object(s) objects related to the IP address used as input.',
+}
def parse_result(attribute, values):
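Review bot: The `'output'` value in the new `moduleinfo` reads `'Asn object(s) objects related to the IP address used as input.'`, with a duplicated noun; suggest `'output': 'ASN object(s) related to the IP address used as input.',`. The new `'logo': ''` entry is also empty, unlike the other modules in this commit that name a file; if no logo exists for this module that may be intentional, but it is worth confirming how the documentation generator treats an empty string versus an absent key.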
diff --git a/misp_modules/modules/expansion/ipinfo.py b/misp_modules/modules/expansion/ipinfo.py
index e83f4ad8..6fb0ca27 100644
--- a/misp_modules/modules/expansion/ipinfo.py
+++ b/misp_modules/modules/expansion/ipinfo.py
@@ -10,8 +10,15 @@ mispattributes = {
moduleinfo = {
'version': 1,
'author': 'Christian Studer',
- 'description': 'An expansion module to query ipinfo.io for additional information on an IP address',
- 'module-type': ['expansion', 'hover']
+ 'description': 'An expansion module to query ipinfo.io to gather more information on a given IP address.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'IPInfo.io Lookup',
+ 'logo': 'ipinfo.png',
+ 'requirements': ['An ipinfo.io token'],
+ 'features': 'The module takes an IP address attribute as input and queries the ipinfo.io API. \nThe geolocation information on the IP address is always returned.\n\nDepending on the subscription plan, the API returns different pieces of information then:\n- With a basic plan (free) you get the AS number and the AS organisation name concatenated in the `org` field.\n- With a paid subscription, the AS information is returned in the `asn` field with additional AS information, and depending on which plan the user has, you can also get information on the privacy method used to protect the IP address, the related domains, or the point of contact related to the IP address in case of an abuse.\n\nMore information on the responses content is available in the [documentation](https://ipinfo.io/developers).',
+ 'references': ['https://ipinfo.io/developers'],
+ 'input': 'IP address attribute.',
+ 'output': 'Additional information on the IP address, like its geolocation, the autonomous system it is included in, and the related domain(s).',
}
moduleconfig = ['token']
@@ -87,7 +94,7 @@ def handler(q=False):
asn.add_attribute('asn', as_value)
asn.add_attribute('description', ' '.join(description))
misp_event.add_object(asn)
-
+
# Return the results in MISP format
event = json.loads(misp_event.to_json())
diff --git a/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py b/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py
index bb582849..68063775 100644
--- a/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py
+++ b/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py
@@ -1,627 +1,633 @@
-import json
-import logging
-import requests
-from requests.exceptions import (
- HTTPError,
- ProxyError,
- InvalidURL,
- ConnectTimeout
-)
-from . import check_input_attribute, standard_error_message
-from pymisp import MISPEvent, MISPAttribute, MISPObject, MISPTag, Distribution
-
-ip_query_input_type = [
- 'ip-src',
- 'ip-dst'
-]
-url_query_input_type = [
- 'hostname',
- 'domain',
- 'url',
- 'uri'
-]
-email_query_input_type = [
- 'email',
- 'email-src',
- 'email-dst',
- 'target-email',
- 'whois-registrant-email'
-]
-phone_query_input_type = [
- 'phone-number',
- 'whois-registrant-phone'
-]
-
-misperrors = {
- 'error': 'Error'
-}
-mispattributes = {
- 'input': ip_query_input_type + url_query_input_type + email_query_input_type + phone_query_input_type,
- 'format': 'misp_standard'
-}
-moduleinfo = {
- 'version': '0.1',
- 'author': 'David Mackler',
- 'description': 'IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation,'
- 'Malicious Domain and Malicious URL Scanner.',
- 'module-type': ['expansion', 'hover']
-}
-moduleconfig = ['apikey']
-
-logger = logging.getLogger('ipqualityscore')
-logger.setLevel(logging.DEBUG)
-BASE_URL = 'https://ipqualityscore.com/api/json'
-DEFAULT_DISTRIBUTION_SETTING = Distribution.your_organisation_only.value
-IP_ENRICH = 'ip'
-URL_ENRICH = 'url'
-EMAIL_ENRICH = 'email'
-PHONE_ENRICH = 'phone'
-
-
-class RequestHandler:
- """A class for handling any outbound requests from this module."""
-
- def __init__(self, apikey):
- self.session = requests.Session()
- self.api_key = apikey
-
- def get(self, url: str, headers: dict = None, params: dict = None) -> requests.Response:
- """General get method to fetch the response from IPQualityScore."""
- try:
- response = self.session.get(
- url, headers=headers, params=params
- ).json()
- if str(response["success"]) != "True":
- msg = response["message"]
- logger.error(f"Error: {msg}")
- misperrors["error"] = msg
- else:
- return response
- except (ConnectTimeout, ProxyError, InvalidURL) as error:
- msg = "Error connecting with the IPQualityScore."
- logger.error(f"{msg} Error: {error}")
- misperrors["error"] = msg
-
- def ipqs_lookup(self, reputation_type: str, ioc: str) -> requests.Response:
- """Do a lookup call."""
- url = f"{BASE_URL}/{reputation_type}"
- payload = {reputation_type: ioc}
- headers = {"IPQS-KEY": self.api_key}
- try:
- response = self.get(url, headers, payload)
- except HTTPError as error:
- msg = f"Error when requesting data from IPQualityScore. {error.response}: {error.response.reason}"
- logger.error(msg)
- misperrors["error"] = msg
- raise
- return response
-
-
-def parse_attribute(comment, feature, value):
- """Generic Method for parsing the attributes in the object"""
- attribute = {
- 'type': 'text',
- 'value': value,
- 'comment': comment,
- 'distribution': DEFAULT_DISTRIBUTION_SETTING,
- 'object_relation': feature
- }
- return attribute
-
-
-class IPQualityScoreParser:
- """A class for handling the enrichment objects"""
-
- def __init__(self, attribute):
- self.rf_white = "#CCCCCC"
- self.rf_grey = " #CDCDCD"
- self.rf_yellow = "#FFCF00"
- self.rf_red = "#D10028"
- self.clean = "CLEAN"
- self.low = "LOW RISK"
- self.medium = "MODERATE RISK"
- self.high = "HIGH RISK"
- self.critical = "CRITICAL"
- self.invalid = "INVALID"
- self.suspicious = "SUSPICIOUS"
- self.malware = "CRITICAL"
- self.phishing = "CRITICAL"
- self.disposable = "CRITICAL"
- self.attribute = attribute
- self.misp_event = MISPEvent()
- self.misp_event.add_attribute(**attribute)
- self.ipqs_object = MISPObject('IPQS Fraud and Risk Scoring Object')
- self.ipqs_object.template_uuid = "57d066e6-6d66-42a7-a1ad-e075e39b2b5e"
- self.ipqs_object.template_id = "1"
- self.ipqs_object.description = "IPQS Fraud and Risk Scoring Data"
- setattr(self.ipqs_object, 'meta-category', 'network')
- description = (
- "An object containing the enriched attribute and "
- "related entities from IPQualityScore."
- )
- self.ipqs_object.from_dict(
- **{"meta-category": "misc", "description": description, "distribution": DEFAULT_DISTRIBUTION_SETTING}
- )
-
- temp_attr = MISPAttribute()
- temp_attr.from_dict(**attribute)
- self.enriched_attribute = MISPAttribute()
- self.enriched_attribute.from_dict(
- **{"value": temp_attr.value, "type": temp_attr.type, "distribution": DEFAULT_DISTRIBUTION_SETTING}
- )
- self.ipqs_object.distribution = DEFAULT_DISTRIBUTION_SETTING
- self.ip_data_items = [
- 'fraud_score',
- 'country_code',
- 'region',
- 'city',
- 'zip_code',
- 'ISP',
- 'ASN',
- 'organization',
- 'is_crawler',
- 'timezone',
- 'mobile',
- 'host',
- 'proxy',
- 'vpn',
- 'tor',
- 'active_vpn',
- 'active_tor',
- 'recent_abuse',
- 'bot_status',
- 'connection_type',
- 'abuse_velocity',
- 'latitude',
- 'longitude'
- ]
- self.ip_data_items_friendly_names = {
- 'fraud_score': 'IPQS: Fraud Score',
- 'country_code': 'IPQS: Country Code',
- 'region': 'IPQS: Region',
- 'city': 'IPQS: City',
- 'zip_code': 'IPQS: Zip Code',
- 'ISP': 'IPQS: ISP',
- 'ASN': 'IPQS: ASN',
- 'organization': 'IPQS: Organization',
- 'is_crawler': 'IPQS: Is Crawler',
- 'timezone': 'IPQS: Timezone',
- 'mobile': 'IPQS: Mobile',
- 'host': 'IPQS: Host',
- 'proxy': 'IPQS: Proxy',
- 'vpn': 'IPQS: VPN',
- 'tor': 'IPQS: TOR',
- 'active_vpn': 'IPQS: Active VPN',
- 'active_tor': 'IPQS: Active TOR',
- 'recent_abuse': 'IPQS: Recent Abuse',
- 'bot_status': 'IPQS: Bot Status',
- 'connection_type': 'IPQS: Connection Type',
- 'abuse_velocity': 'IPQS: Abuse Velocity',
- 'latitude': 'IPQS: Latitude',
- 'longitude': 'IPQS: Longitude'
- }
- self.url_data_items = [
- 'unsafe',
- 'domain',
- 'ip_address',
- 'server',
- 'domain_rank',
- 'dns_valid',
- 'parking',
- 'spamming',
- 'malware',
- 'phishing',
- 'suspicious',
- 'adult',
- 'risk_score',
- 'category',
- 'domain_age'
- ]
- self.url_data_items_friendly_names = {
- 'unsafe': 'IPQS: Unsafe',
- 'domain': 'IPQS: Domain',
- 'ip_address': 'IPQS: IP Address',
- 'server': 'IPQS: Server',
- 'domain_rank': 'IPQS: Domain Rank',
- 'dns_valid': 'IPQS: DNS Valid',
- 'parking': 'IPQS: Parking',
- 'spamming': 'IPQS: Spamming',
- 'malware': 'IPQS: Malware',
- 'phishing': 'IPQS: Phishing',
- 'suspicious': 'IPQS: Suspicious',
- 'adult': 'IPQS: Adult',
- 'risk_score': 'IPQS: Risk Score',
- 'category': 'IPQS: Category',
- 'domain_age': 'IPQS: Domain Age'
- }
- self.email_data_items = [
- 'valid',
- 'disposable',
- 'smtp_score',
- 'overall_score',
- 'first_name',
- 'generic',
- 'common',
- 'dns_valid',
- 'honeypot',
- 'deliverability',
- 'frequent_complainer',
- 'spam_trap_score',
- 'catch_all',
- 'timed_out',
- 'suspect',
- 'recent_abuse',
- 'fraud_score',
- 'suggested_domain',
- 'leaked',
- 'sanitized_email',
- 'domain_age',
- 'first_seen'
- ]
- self.email_data_items_friendly_names = {
- 'valid': 'IPQS: Valid',
- 'disposable': 'IPQS: Disposable',
- 'smtp_score': 'IPQS: SMTP Score',
- 'overall_score': 'IPQS: Overall Score',
- 'first_name': 'IPQS: First Name',
- 'generic': 'IPQS: Generic',
- 'common': 'IPQS: Common',
- 'dns_valid': 'IPQS: DNS Valid',
- 'honeypot': 'IPQS: Honeypot',
- 'deliverability': 'IPQS: Deliverability',
- 'frequent_complainer': 'IPQS: Frequent Complainer',
- 'spam_trap_score': 'IPQS: Spam Trap Score',
- 'catch_all': 'IPQS: Catch All',
- 'timed_out': 'IPQS: Timed Out',
- 'suspect': 'IPQS: Suspect',
- 'recent_abuse': 'IPQS: Recent Abuse',
- 'fraud_score': 'IPQS: Fraud Score',
- 'suggested_domain': 'IPQS: Suggested Domain',
- 'leaked': 'IPQS: Leaked',
- 'sanitized_email': 'IPQS: Sanitized Email',
- 'domain_age': 'IPQS: Domain Age',
- 'first_seen': 'IPQS: First Seen'
- }
- self.phone_data_items = [
- 'formatted',
- 'local_format',
- 'valid',
- 'fraud_score',
- 'recent_abuse',
- 'VOIP',
- 'prepaid',
- 'risky',
- 'active',
- 'carrier',
- 'line_type',
- 'country',
- 'city',
- 'zip_code',
- 'region',
- 'dialing_code',
- 'active_status',
- 'leaked',
- 'name',
- 'timezone',
- 'do_not_call',
- ]
- self.phone_data_items_friendly_names = {
- 'formatted': 'IPQS: Formatted',
- 'local_format': 'IPQS: Local Format',
- 'valid': 'IPQS: Valid',
- 'fraud_score': 'IPQS: Fraud Score',
- 'recent_abuse': 'IPQS: Recent Abuse',
- 'VOIP': 'IPQS: VOIP',
- 'prepaid': 'IPQS: Prepaid',
- 'risky': 'IPQS: Risky',
- 'active': 'IPQS: Active',
- 'carrier': 'IPQS: Carrier',
- 'line_type': 'IPQS: Line Type',
- 'country': 'IPQS: Country',
- 'city': 'IPQS: City',
- 'zip_code': 'IPQS: Zip Code',
- 'region': 'IPQS: Region',
- 'dialing_code': 'IPQS: Dialing Code',
- 'active_status': 'IPQS: Active Status',
- 'leaked': 'IPQS: Leaked',
- 'name': 'IPQS: Name',
- 'timezone': 'IPQS: Timezone',
- 'do_not_call': 'IPQS: Do Not Call',
- }
- self.timestamp_items_friendly_name = {
- 'human': ' Human',
- 'timestamp': ' Timestamp',
- 'iso': ' ISO'
- }
- self.timestamp_items = [
- 'human',
- 'timestamp',
- 'iso'
- ]
-
- def criticality_color(self, criticality) -> str:
- """method which maps the color to the criticality level"""
- mapper = {
- self.clean: self.rf_grey,
- self.low: self.rf_grey,
- self.medium: self.rf_yellow,
- self.suspicious: self.rf_yellow,
- self.high: self.rf_red,
- self.critical: self.rf_red,
- self.invalid: self.rf_red,
- self.disposable: self.rf_red,
- self.malware: self.rf_red,
- self.phishing: self.rf_red
- }
- return mapper.get(criticality, self.rf_white)
-
- def add_tag(self, tag_name: str, hex_color: str = None) -> None:
- """Helper method for adding a tag to the enriched attribute."""
- tag = MISPTag()
- tag_properties = {"name": tag_name}
- if hex_color:
- tag_properties["colour"] = hex_color
- tag.from_dict(**tag_properties)
- self.enriched_attribute.add_tag(tag)
-
- def ipqs_parser(self, query_response, enrich_type):
- """ helper method to call the enrichment function according to the type"""
- if enrich_type == IP_ENRICH:
- self.ip_reputation_data(query_response)
- elif enrich_type == URL_ENRICH:
- self.url_reputation_data(query_response)
- elif enrich_type == EMAIL_ENRICH:
- self.email_reputation_data(query_response)
- elif enrich_type == PHONE_ENRICH:
- self.phone_reputation_data(query_response)
-
- def ip_reputation_data(self, query_response):
- """method to create object for IP address"""
- comment = "Results from IPQualityScore IP Reputation API"
- for ip_data_item in self.ip_data_items:
- if ip_data_item in query_response:
- data_item = self.ip_data_items_friendly_names[ip_data_item]
- data_item_value = str(query_response[ip_data_item])
- self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
- if ip_data_item == "fraud_score":
- fraud_score = int(data_item_value)
- self.ip_address_risk_scoring(fraud_score)
-
- self.ipqs_object.add_attribute(
- "Enriched attribute", **self.enriched_attribute
- )
- self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to')
- self.misp_event.add_object(self.ipqs_object)
-
- def ip_address_risk_scoring(self, score):
- """method to create calculate verdict for IP Address"""
- risk_criticality = ""
- if score == 100:
- risk_criticality = self.critical
- elif 85 <= score <= 99:
- risk_criticality = self.high
- elif 75 <= score <= 84:
- risk_criticality = self.medium
- elif 60 <= score <= 74:
- risk_criticality = self.suspicious
- elif score <= 59:
- risk_criticality = self.clean
-
- hex_color = self.criticality_color(risk_criticality)
- tag_name = f'IPQS:VERDICT="{risk_criticality}"'
- self.add_tag(tag_name, hex_color)
-
- def url_reputation_data(self, query_response):
- """method to create object for URL/Domain"""
- malware = False
- phishing = False
- risk_score = 0
- comment = "Results from IPQualityScore Malicious URL Scanner API"
- for url_data_item in self.url_data_items:
- if url_data_item in query_response:
- data_item_value = ""
- if url_data_item == "domain_age":
- for timestamp_item in self.timestamp_items:
- data_item = self.url_data_items_friendly_names[url_data_item] + \
- self.timestamp_items_friendly_name[timestamp_item]
- data_item_value = str(query_response[url_data_item][timestamp_item])
- self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
- else:
- data_item = self.url_data_items_friendly_names[url_data_item]
- data_item_value = str(query_response[url_data_item])
- self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
-
- if url_data_item == "malware":
- malware = data_item_value
- if url_data_item == "phishing":
- phishing = data_item_value
- if url_data_item == "risk_score":
- risk_score = int(data_item_value)
-
- self.url_risk_scoring(risk_score, malware, phishing)
- self.ipqs_object.add_attribute(
- "Enriched attribute", **self.enriched_attribute
- )
- self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to')
- self.misp_event.add_object(self.ipqs_object)
-
- def url_risk_scoring(self, score, malware, phishing):
- """method to create calculate verdict for URL/Domain"""
- risk_criticality = ""
- if malware == 'True':
- risk_criticality = self.malware
- elif phishing == 'True':
- risk_criticality = self.phishing
- elif score >= 90:
- risk_criticality = self.high
- elif 80 <= score <= 89:
- risk_criticality = self.medium
- elif 70 <= score <= 79:
- risk_criticality = self.low
- elif 55 <= score <= 69:
- risk_criticality = self.suspicious
- elif score <= 54:
- risk_criticality = self.clean
-
- hex_color = self.criticality_color(risk_criticality)
- tag_name = f'IPQS:VERDICT="{risk_criticality}"'
- self.add_tag(tag_name, hex_color)
-
- def email_reputation_data(self, query_response):
- """method to create object for Email Address"""
- comment = "Results from IPQualityScore Email Verification API"
- disposable = False
- valid = False
- fraud_score = 0
- for email_data_item in self.email_data_items:
- if email_data_item in query_response:
- data_item_value = ""
- if email_data_item not in ("domain_age", "first_seen"):
- data_item = self.email_data_items_friendly_names[email_data_item]
- data_item_value = str(query_response[email_data_item])
- self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
- else:
- for timestamp_item in self.timestamp_items:
- data_item = self.email_data_items_friendly_names[email_data_item] + \
- self.timestamp_items_friendly_name[timestamp_item]
- data_item_value = str(query_response[email_data_item][timestamp_item])
- self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
-
- if email_data_item == "disposable":
- disposable = data_item_value
- if email_data_item == "valid":
- valid = data_item_value
- if email_data_item == "fraud_score":
- fraud_score = int(data_item_value)
-
- self.email_address_risk_scoring(fraud_score, disposable, valid)
- self.ipqs_object.add_attribute(
- "Enriched attribute", **self.enriched_attribute
- )
- self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to')
- self.misp_event.add_object(self.ipqs_object)
-
- def email_address_risk_scoring(self, score, disposable, valid):
- """method to create calculate verdict for Email Address"""
- risk_criticality = ""
- if disposable == "True":
- risk_criticality = self.disposable
- elif valid == "False":
- risk_criticality = self.invalid
- elif score == 100:
- risk_criticality = self.high
- elif 88 <= score <= 99:
- risk_criticality = self.medium
- elif 80 <= score <= 87:
- risk_criticality = self.low
- elif score <= 79:
- risk_criticality = self.clean
- hex_color = self.criticality_color(risk_criticality)
- tag_name = f'IPQS:VERDICT="{risk_criticality}"'
-
- self.add_tag(tag_name, hex_color)
-
- def phone_reputation_data(self, query_response):
- """method to create object for Phone Number"""
- fraud_score = 0
- valid = False
- active = False
- comment = "Results from IPQualityScore Phone Number Validation API"
- for phone_data_item in self.phone_data_items:
- if phone_data_item in query_response:
- data_item = self.phone_data_items_friendly_names[phone_data_item]
- data_item_value = str(query_response[phone_data_item])
- self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
- if phone_data_item == "active":
- active = data_item_value
- if phone_data_item == "valid":
- valid = data_item_value
- if phone_data_item == "fraud_score":
- fraud_score = int(data_item_value)
-
-
- self.phone_address_risk_scoring(fraud_score, valid, active)
- self.ipqs_object.add_attribute(
- "Enriched attribute", **self.enriched_attribute
- )
- self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to')
- self.misp_event.add_object(self.ipqs_object)
-
- def phone_address_risk_scoring(self, score, valid, active):
- """method to create calculate verdict for Phone Number"""
- risk_criticality = ""
- if valid == "False":
- risk_criticality = self.medium
- elif active == "False":
- risk_criticality = self.medium
- elif 90 <= score <= 100:
- risk_criticality = self.high
- elif 80 <= score <= 89:
- risk_criticality = self.low
- elif 50 <= score <= 79:
- risk_criticality = self.suspicious
- elif score <= 49:
- risk_criticality = self.clean
- hex_color = self.criticality_color(risk_criticality)
- tag_name = f'IPQS:VERDICT="{risk_criticality}"'
- self.add_tag(tag_name, hex_color)
-
- def get_results(self):
- """returns the dictionary object to MISP Instance"""
- event = json.loads(self.misp_event.to_json())
- results = {key: event[key] for key in ('Attribute', 'Object')}
- return {'results': results}
-
-
-def handler(q=False):
- """The function which accepts a JSON document to expand the values and return a dictionary of the expanded
- values. """
- if q is False:
- return False
- request = json.loads(q)
- # check if the apikey is provided
- if not request.get('config') or not request['config'].get('apikey'):
- misperrors['error'] = 'IPQualityScore apikey is missing'
- return misperrors
- apikey = request['config'].get('apikey')
- # check attribute is added to the event
- if not request.get('attribute') or not check_input_attribute(request['attribute']):
- return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
-
- attribute = request['attribute']
- attribute_type = attribute['type']
- attribute_value = attribute['value']
-
- # check if the attribute type is supported by IPQualityScore
- if attribute_type not in mispattributes['input']:
- return {'error': 'Unsupported attributes type for IPqualityScore Enrichment'}
- request_handler = RequestHandler(apikey)
- enrich_type = ""
- if attribute_type in ip_query_input_type:
- enrich_type = IP_ENRICH
- json_response = request_handler.ipqs_lookup(IP_ENRICH, attribute_value)
- elif attribute_type in url_query_input_type:
- enrich_type = URL_ENRICH
- json_response = request_handler.ipqs_lookup(URL_ENRICH, attribute_value)
- elif attribute_type in email_query_input_type:
- enrich_type = EMAIL_ENRICH
- json_response = request_handler.ipqs_lookup(EMAIL_ENRICH, attribute_value)
- elif attribute_type in phone_query_input_type:
- enrich_type = PHONE_ENRICH
- json_response = request_handler.ipqs_lookup(PHONE_ENRICH, attribute_value)
-
- parser = IPQualityScoreParser(attribute)
- parser.ipqs_parser(json_response, enrich_type)
- return parser.get_results()
-
-
-def introspection():
- """The function that returns a dict of the supported attributes (input and output) by your expansion module."""
- return mispattributes
-
-
-def version():
- """The function that returns a dict with the version and the associated meta-data including potential
- configurations required of the module. """
- moduleinfo['config'] = moduleconfig
- return moduleinfo
+import json
+import logging
+import requests
+from requests.exceptions import (
+ HTTPError,
+ ProxyError,
+ InvalidURL,
+ ConnectTimeout
+)
+from . import check_input_attribute, standard_error_message
+from pymisp import MISPEvent, MISPAttribute, MISPObject, MISPTag, Distribution
+
+ip_query_input_type = [
+ 'ip-src',
+ 'ip-dst'
+]
+url_query_input_type = [
+ 'hostname',
+ 'domain',
+ 'url',
+ 'uri'
+]
+email_query_input_type = [
+ 'email',
+ 'email-src',
+ 'email-dst',
+ 'target-email',
+ 'whois-registrant-email'
+]
+phone_query_input_type = [
+ 'phone-number',
+ 'whois-registrant-phone'
+]
+
+misperrors = {
+ 'error': 'Error'
+}
+mispattributes = {
+ 'input': ip_query_input_type + url_query_input_type + email_query_input_type + phone_query_input_type,
+ 'format': 'misp_standard'
+}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'David Mackler',
+ 'description': 'IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'IPQualityScore Lookup',
+ 'logo': 'ipqualityscore.png',
+ 'requirements': ['A IPQualityScore API Key.'],
+ 'features': 'This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API.\n The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object. \n The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore.',
+ 'references': ['https://www.ipqualityscore.com/'],
+ 'input': 'A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone).',
+ 'output': 'IPQualityScore object, resulting from the query on the IPQualityScore API.',
+}
+moduleconfig = ['apikey']
+
+logger = logging.getLogger('ipqualityscore')
+logger.setLevel(logging.DEBUG)
+BASE_URL = 'https://ipqualityscore.com/api/json'
+DEFAULT_DISTRIBUTION_SETTING = Distribution.your_organisation_only.value
+IP_ENRICH = 'ip'
+URL_ENRICH = 'url'
+EMAIL_ENRICH = 'email'
+PHONE_ENRICH = 'phone'
+
+
+class RequestHandler:
+ """A class for handling any outbound requests from this module."""
+
+ def __init__(self, apikey):
+ self.session = requests.Session()
+ self.api_key = apikey
+
+ def get(self, url: str, headers: dict = None, params: dict = None) -> requests.Response:
+ """General get method to fetch the response from IPQualityScore."""
+ try:
+ response = self.session.get(
+ url, headers=headers, params=params
+ ).json()
+ if str(response["success"]) != "True":
+ msg = response["message"]
+ logger.error(f"Error: {msg}")
+ misperrors["error"] = msg
+ else:
+ return response
+ except (ConnectTimeout, ProxyError, InvalidURL) as error:
+ msg = "Error connecting with the IPQualityScore."
+ logger.error(f"{msg} Error: {error}")
+ misperrors["error"] = msg
+
+ def ipqs_lookup(self, reputation_type: str, ioc: str) -> requests.Response:
+ """Do a lookup call."""
+ url = f"{BASE_URL}/{reputation_type}"
+ payload = {reputation_type: ioc}
+ headers = {"IPQS-KEY": self.api_key}
+ try:
+ response = self.get(url, headers, payload)
+ except HTTPError as error:
+ msg = f"Error when requesting data from IPQualityScore. {error.response}: {error.response.reason}"
+ logger.error(msg)
+ misperrors["error"] = msg
+ raise
+ return response
+
+
+def parse_attribute(comment, feature, value):
+ """Generic Method for parsing the attributes in the object"""
+ attribute = {
+ 'type': 'text',
+ 'value': value,
+ 'comment': comment,
+ 'distribution': DEFAULT_DISTRIBUTION_SETTING,
+ 'object_relation': feature
+ }
+ return attribute
+
+
+class IPQualityScoreParser:
+ """A class for handling the enrichment objects"""
+
+ def __init__(self, attribute):
+ self.rf_white = "#CCCCCC"
+ self.rf_grey = " #CDCDCD"
+ self.rf_yellow = "#FFCF00"
+ self.rf_red = "#D10028"
+ self.clean = "CLEAN"
+ self.low = "LOW RISK"
+ self.medium = "MODERATE RISK"
+ self.high = "HIGH RISK"
+ self.critical = "CRITICAL"
+ self.invalid = "INVALID"
+ self.suspicious = "SUSPICIOUS"
+ self.malware = "CRITICAL"
+ self.phishing = "CRITICAL"
+ self.disposable = "CRITICAL"
+ self.attribute = attribute
+ self.misp_event = MISPEvent()
+ self.misp_event.add_attribute(**attribute)
+ self.ipqs_object = MISPObject('IPQS Fraud and Risk Scoring Object')
+ self.ipqs_object.template_uuid = "57d066e6-6d66-42a7-a1ad-e075e39b2b5e"
+ self.ipqs_object.template_id = "1"
+ self.ipqs_object.description = "IPQS Fraud and Risk Scoring Data"
+ setattr(self.ipqs_object, 'meta-category', 'network')
+ description = (
+ "An object containing the enriched attribute and "
+ "related entities from IPQualityScore."
+ )
+ self.ipqs_object.from_dict(
+ **{"meta-category": "misc", "description": description, "distribution": DEFAULT_DISTRIBUTION_SETTING}
+ )
+
+ temp_attr = MISPAttribute()
+ temp_attr.from_dict(**attribute)
+ self.enriched_attribute = MISPAttribute()
+ self.enriched_attribute.from_dict(
+ **{"value": temp_attr.value, "type": temp_attr.type, "distribution": DEFAULT_DISTRIBUTION_SETTING}
+ )
+ self.ipqs_object.distribution = DEFAULT_DISTRIBUTION_SETTING
+ self.ip_data_items = [
+ 'fraud_score',
+ 'country_code',
+ 'region',
+ 'city',
+ 'zip_code',
+ 'ISP',
+ 'ASN',
+ 'organization',
+ 'is_crawler',
+ 'timezone',
+ 'mobile',
+ 'host',
+ 'proxy',
+ 'vpn',
+ 'tor',
+ 'active_vpn',
+ 'active_tor',
+ 'recent_abuse',
+ 'bot_status',
+ 'connection_type',
+ 'abuse_velocity',
+ 'latitude',
+ 'longitude'
+ ]
+ self.ip_data_items_friendly_names = {
+ 'fraud_score': 'IPQS: Fraud Score',
+ 'country_code': 'IPQS: Country Code',
+ 'region': 'IPQS: Region',
+ 'city': 'IPQS: City',
+ 'zip_code': 'IPQS: Zip Code',
+ 'ISP': 'IPQS: ISP',
+ 'ASN': 'IPQS: ASN',
+ 'organization': 'IPQS: Organization',
+ 'is_crawler': 'IPQS: Is Crawler',
+ 'timezone': 'IPQS: Timezone',
+ 'mobile': 'IPQS: Mobile',
+ 'host': 'IPQS: Host',
+ 'proxy': 'IPQS: Proxy',
+ 'vpn': 'IPQS: VPN',
+ 'tor': 'IPQS: TOR',
+ 'active_vpn': 'IPQS: Active VPN',
+ 'active_tor': 'IPQS: Active TOR',
+ 'recent_abuse': 'IPQS: Recent Abuse',
+ 'bot_status': 'IPQS: Bot Status',
+ 'connection_type': 'IPQS: Connection Type',
+ 'abuse_velocity': 'IPQS: Abuse Velocity',
+ 'latitude': 'IPQS: Latitude',
+ 'longitude': 'IPQS: Longitude'
+ }
+ self.url_data_items = [
+ 'unsafe',
+ 'domain',
+ 'ip_address',
+ 'server',
+ 'domain_rank',
+ 'dns_valid',
+ 'parking',
+ 'spamming',
+ 'malware',
+ 'phishing',
+ 'suspicious',
+ 'adult',
+ 'risk_score',
+ 'category',
+ 'domain_age'
+ ]
+ self.url_data_items_friendly_names = {
+ 'unsafe': 'IPQS: Unsafe',
+ 'domain': 'IPQS: Domain',
+ 'ip_address': 'IPQS: IP Address',
+ 'server': 'IPQS: Server',
+ 'domain_rank': 'IPQS: Domain Rank',
+ 'dns_valid': 'IPQS: DNS Valid',
+ 'parking': 'IPQS: Parking',
+ 'spamming': 'IPQS: Spamming',
+ 'malware': 'IPQS: Malware',
+ 'phishing': 'IPQS: Phishing',
+ 'suspicious': 'IPQS: Suspicious',
+ 'adult': 'IPQS: Adult',
+ 'risk_score': 'IPQS: Risk Score',
+ 'category': 'IPQS: Category',
+ 'domain_age': 'IPQS: Domain Age'
+ }
+ self.email_data_items = [
+ 'valid',
+ 'disposable',
+ 'smtp_score',
+ 'overall_score',
+ 'first_name',
+ 'generic',
+ 'common',
+ 'dns_valid',
+ 'honeypot',
+ 'deliverability',
+ 'frequent_complainer',
+ 'spam_trap_score',
+ 'catch_all',
+ 'timed_out',
+ 'suspect',
+ 'recent_abuse',
+ 'fraud_score',
+ 'suggested_domain',
+ 'leaked',
+ 'sanitized_email',
+ 'domain_age',
+ 'first_seen'
+ ]
+ self.email_data_items_friendly_names = {
+ 'valid': 'IPQS: Valid',
+ 'disposable': 'IPQS: Disposable',
+ 'smtp_score': 'IPQS: SMTP Score',
+ 'overall_score': 'IPQS: Overall Score',
+ 'first_name': 'IPQS: First Name',
+ 'generic': 'IPQS: Generic',
+ 'common': 'IPQS: Common',
+ 'dns_valid': 'IPQS: DNS Valid',
+ 'honeypot': 'IPQS: Honeypot',
+ 'deliverability': 'IPQS: Deliverability',
+ 'frequent_complainer': 'IPQS: Frequent Complainer',
+ 'spam_trap_score': 'IPQS: Spam Trap Score',
+ 'catch_all': 'IPQS: Catch All',
+ 'timed_out': 'IPQS: Timed Out',
+ 'suspect': 'IPQS: Suspect',
+ 'recent_abuse': 'IPQS: Recent Abuse',
+ 'fraud_score': 'IPQS: Fraud Score',
+ 'suggested_domain': 'IPQS: Suggested Domain',
+ 'leaked': 'IPQS: Leaked',
+ 'sanitized_email': 'IPQS: Sanitized Email',
+ 'domain_age': 'IPQS: Domain Age',
+ 'first_seen': 'IPQS: First Seen'
+ }
+ self.phone_data_items = [
+ 'formatted',
+ 'local_format',
+ 'valid',
+ 'fraud_score',
+ 'recent_abuse',
+ 'VOIP',
+ 'prepaid',
+ 'risky',
+ 'active',
+ 'carrier',
+ 'line_type',
+ 'country',
+ 'city',
+ 'zip_code',
+ 'region',
+ 'dialing_code',
+ 'active_status',
+ 'leaked',
+ 'name',
+ 'timezone',
+ 'do_not_call',
+ ]
+ self.phone_data_items_friendly_names = {
+ 'formatted': 'IPQS: Formatted',
+ 'local_format': 'IPQS: Local Format',
+ 'valid': 'IPQS: Valid',
+ 'fraud_score': 'IPQS: Fraud Score',
+ 'recent_abuse': 'IPQS: Recent Abuse',
+ 'VOIP': 'IPQS: VOIP',
+ 'prepaid': 'IPQS: Prepaid',
+ 'risky': 'IPQS: Risky',
+ 'active': 'IPQS: Active',
+ 'carrier': 'IPQS: Carrier',
+ 'line_type': 'IPQS: Line Type',
+ 'country': 'IPQS: Country',
+ 'city': 'IPQS: City',
+ 'zip_code': 'IPQS: Zip Code',
+ 'region': 'IPQS: Region',
+ 'dialing_code': 'IPQS: Dialing Code',
+ 'active_status': 'IPQS: Active Status',
+ 'leaked': 'IPQS: Leaked',
+ 'name': 'IPQS: Name',
+ 'timezone': 'IPQS: Timezone',
+ 'do_not_call': 'IPQS: Do Not Call',
+ }
+ self.timestamp_items_friendly_name = {
+ 'human': ' Human',
+ 'timestamp': ' Timestamp',
+ 'iso': ' ISO'
+ }
+ self.timestamp_items = [
+ 'human',
+ 'timestamp',
+ 'iso'
+ ]
+
+ def criticality_color(self, criticality) -> str:
+ """method which maps the color to the criticality level"""
+ mapper = {
+ self.clean: self.rf_grey,
+ self.low: self.rf_grey,
+ self.medium: self.rf_yellow,
+ self.suspicious: self.rf_yellow,
+ self.high: self.rf_red,
+ self.critical: self.rf_red,
+ self.invalid: self.rf_red,
+ self.disposable: self.rf_red,
+ self.malware: self.rf_red,
+ self.phishing: self.rf_red
+ }
+ return mapper.get(criticality, self.rf_white)
+
+ def add_tag(self, tag_name: str, hex_color: str = None) -> None:
+ """Helper method for adding a tag to the enriched attribute."""
+ tag = MISPTag()
+ tag_properties = {"name": tag_name}
+ if hex_color:
+ tag_properties["colour"] = hex_color
+ tag.from_dict(**tag_properties)
+ self.enriched_attribute.add_tag(tag)
+
+ def ipqs_parser(self, query_response, enrich_type):
+ """ helper method to call the enrichment function according to the type"""
+ if enrich_type == IP_ENRICH:
+ self.ip_reputation_data(query_response)
+ elif enrich_type == URL_ENRICH:
+ self.url_reputation_data(query_response)
+ elif enrich_type == EMAIL_ENRICH:
+ self.email_reputation_data(query_response)
+ elif enrich_type == PHONE_ENRICH:
+ self.phone_reputation_data(query_response)
+
+ def ip_reputation_data(self, query_response):
+ """method to create object for IP address"""
+ comment = "Results from IPQualityScore IP Reputation API"
+ for ip_data_item in self.ip_data_items:
+ if ip_data_item in query_response:
+ data_item = self.ip_data_items_friendly_names[ip_data_item]
+ data_item_value = str(query_response[ip_data_item])
+ self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
+ if ip_data_item == "fraud_score":
+ fraud_score = int(data_item_value)
+ self.ip_address_risk_scoring(fraud_score)
+
+ self.ipqs_object.add_attribute(
+ "Enriched attribute", **self.enriched_attribute
+ )
+ self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to')
+ self.misp_event.add_object(self.ipqs_object)
+
+ def ip_address_risk_scoring(self, score):
+ """method to create calculate verdict for IP Address"""
+ risk_criticality = ""
+ if score == 100:
+ risk_criticality = self.critical
+ elif 85 <= score <= 99:
+ risk_criticality = self.high
+ elif 75 <= score <= 84:
+ risk_criticality = self.medium
+ elif 60 <= score <= 74:
+ risk_criticality = self.suspicious
+ elif score <= 59:
+ risk_criticality = self.clean
+
+ hex_color = self.criticality_color(risk_criticality)
+ tag_name = f'IPQS:VERDICT="{risk_criticality}"'
+ self.add_tag(tag_name, hex_color)
+
+ def url_reputation_data(self, query_response):
+ """method to create object for URL/Domain"""
+ malware = False
+ phishing = False
+ risk_score = 0
+ comment = "Results from IPQualityScore Malicious URL Scanner API"
+ for url_data_item in self.url_data_items:
+ if url_data_item in query_response:
+ data_item_value = ""
+ if url_data_item == "domain_age":
+ for timestamp_item in self.timestamp_items:
+ data_item = self.url_data_items_friendly_names[url_data_item] + \
+ self.timestamp_items_friendly_name[timestamp_item]
+ data_item_value = str(query_response[url_data_item][timestamp_item])
+ self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
+ else:
+ data_item = self.url_data_items_friendly_names[url_data_item]
+ data_item_value = str(query_response[url_data_item])
+ self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
+
+ if url_data_item == "malware":
+ malware = data_item_value
+ if url_data_item == "phishing":
+ phishing = data_item_value
+ if url_data_item == "risk_score":
+ risk_score = int(data_item_value)
+
+ self.url_risk_scoring(risk_score, malware, phishing)
+ self.ipqs_object.add_attribute(
+ "Enriched attribute", **self.enriched_attribute
+ )
+ self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to')
+ self.misp_event.add_object(self.ipqs_object)
+
+ def url_risk_scoring(self, score, malware, phishing):
+ """method to create calculate verdict for URL/Domain"""
+ risk_criticality = ""
+ if malware == 'True':
+ risk_criticality = self.malware
+ elif phishing == 'True':
+ risk_criticality = self.phishing
+ elif score >= 90:
+ risk_criticality = self.high
+ elif 80 <= score <= 89:
+ risk_criticality = self.medium
+ elif 70 <= score <= 79:
+ risk_criticality = self.low
+ elif 55 <= score <= 69:
+ risk_criticality = self.suspicious
+ elif score <= 54:
+ risk_criticality = self.clean
+
+ hex_color = self.criticality_color(risk_criticality)
+ tag_name = f'IPQS:VERDICT="{risk_criticality}"'
+ self.add_tag(tag_name, hex_color)
+
+ def email_reputation_data(self, query_response):
+ """method to create object for Email Address"""
+ comment = "Results from IPQualityScore Email Verification API"
+ disposable = False
+ valid = False
+ fraud_score = 0
+ for email_data_item in self.email_data_items:
+ if email_data_item in query_response:
+ data_item_value = ""
+ if email_data_item not in ("domain_age", "first_seen"):
+ data_item = self.email_data_items_friendly_names[email_data_item]
+ data_item_value = str(query_response[email_data_item])
+ self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
+ else:
+ for timestamp_item in self.timestamp_items:
+ data_item = self.email_data_items_friendly_names[email_data_item] + \
+ self.timestamp_items_friendly_name[timestamp_item]
+ data_item_value = str(query_response[email_data_item][timestamp_item])
+ self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
+
+ if email_data_item == "disposable":
+ disposable = data_item_value
+ if email_data_item == "valid":
+ valid = data_item_value
+ if email_data_item == "fraud_score":
+ fraud_score = int(data_item_value)
+
+ self.email_address_risk_scoring(fraud_score, disposable, valid)
+ self.ipqs_object.add_attribute(
+ "Enriched attribute", **self.enriched_attribute
+ )
+ self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to')
+ self.misp_event.add_object(self.ipqs_object)
+
+ def email_address_risk_scoring(self, score, disposable, valid):
+ """method to create calculate verdict for Email Address"""
+ risk_criticality = ""
+ if disposable == "True":
+ risk_criticality = self.disposable
+ elif valid == "False":
+ risk_criticality = self.invalid
+ elif score == 100:
+ risk_criticality = self.high
+ elif 88 <= score <= 99:
+ risk_criticality = self.medium
+ elif 80 <= score <= 87:
+ risk_criticality = self.low
+ elif score <= 79:
+ risk_criticality = self.clean
+ hex_color = self.criticality_color(risk_criticality)
+ tag_name = f'IPQS:VERDICT="{risk_criticality}"'
+
+ self.add_tag(tag_name, hex_color)
+
+ def phone_reputation_data(self, query_response):
+ """method to create object for Phone Number"""
+ fraud_score = 0
+ valid = False
+ active = False
+ comment = "Results from IPQualityScore Phone Number Validation API"
+ for phone_data_item in self.phone_data_items:
+ if phone_data_item in query_response:
+ data_item = self.phone_data_items_friendly_names[phone_data_item]
+ data_item_value = str(query_response[phone_data_item])
+ self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value))
+ if phone_data_item == "active":
+ active = data_item_value
+ if phone_data_item == "valid":
+ valid = data_item_value
+ if phone_data_item == "fraud_score":
+ fraud_score = int(data_item_value)
+
+
+ self.phone_address_risk_scoring(fraud_score, valid, active)
+ self.ipqs_object.add_attribute(
+ "Enriched attribute", **self.enriched_attribute
+ )
+ self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to')
+ self.misp_event.add_object(self.ipqs_object)
+
+ def phone_address_risk_scoring(self, score, valid, active):
+ """method to create calculate verdict for Phone Number"""
+ risk_criticality = ""
+ if valid == "False":
+ risk_criticality = self.medium
+ elif active == "False":
+ risk_criticality = self.medium
+ elif 90 <= score <= 100:
+ risk_criticality = self.high
+ elif 80 <= score <= 89:
+ risk_criticality = self.low
+ elif 50 <= score <= 79:
+ risk_criticality = self.suspicious
+ elif score <= 49:
+ risk_criticality = self.clean
+ hex_color = self.criticality_color(risk_criticality)
+ tag_name = f'IPQS:VERDICT="{risk_criticality}"'
+ self.add_tag(tag_name, hex_color)
+
+ def get_results(self):
+ """returns the dictionary object to MISP Instance"""
+ event = json.loads(self.misp_event.to_json())
+ results = {key: event[key] for key in ('Attribute', 'Object')}
+ return {'results': results}
+
+
+def handler(q=False):
+ """The function which accepts a JSON document to expand the values and return a dictionary of the expanded
+ values. """
+ if q is False:
+ return False
+ request = json.loads(q)
+ # check if the apikey is provided
+ if not request.get('config') or not request['config'].get('apikey'):
+ misperrors['error'] = 'IPQualityScore apikey is missing'
+ return misperrors
+ apikey = request['config'].get('apikey')
+ # check attribute is added to the event
+ if not request.get('attribute') or not check_input_attribute(request['attribute']):
+ return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
+
+ attribute = request['attribute']
+ attribute_type = attribute['type']
+ attribute_value = attribute['value']
+
+ # check if the attribute type is supported by IPQualityScore
+ if attribute_type not in mispattributes['input']:
+ return {'error': 'Unsupported attributes type for IPqualityScore Enrichment'}
+ request_handler = RequestHandler(apikey)
+ enrich_type = ""
+ if attribute_type in ip_query_input_type:
+ enrich_type = IP_ENRICH
+ json_response = request_handler.ipqs_lookup(IP_ENRICH, attribute_value)
+ elif attribute_type in url_query_input_type:
+ enrich_type = URL_ENRICH
+ json_response = request_handler.ipqs_lookup(URL_ENRICH, attribute_value)
+ elif attribute_type in email_query_input_type:
+ enrich_type = EMAIL_ENRICH
+ json_response = request_handler.ipqs_lookup(EMAIL_ENRICH, attribute_value)
+ elif attribute_type in phone_query_input_type:
+ enrich_type = PHONE_ENRICH
+ json_response = request_handler.ipqs_lookup(PHONE_ENRICH, attribute_value)
+
+ parser = IPQualityScoreParser(attribute)
+ parser.ipqs_parser(json_response, enrich_type)
+ return parser.get_results()
+
+
+def introspection():
+ """The function that returns a dict of the supported attributes (input and output) by your expansion module."""
+ return mispattributes
+
+
+def version():
+ """The function that returns a dict with the version and the associated meta-data including potential
+ configurations required of the module. """
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
diff --git a/misp_modules/modules/expansion/iprep.py b/misp_modules/modules/expansion/iprep.py
index 558dbdd7..8a5e959c 100755
--- a/misp_modules/modules/expansion/iprep.py
+++ b/misp_modules/modules/expansion/iprep.py
@@ -6,9 +6,19 @@ import requests
misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']}
-moduleinfo = {'version': '1.0', 'author': 'Keith Faber',
- 'description': 'Query IPRep Data for IP Address',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '1.0',
+ 'author': 'Keith Faber',
+ 'description': 'Module to query IPRep data for IP addresses.',
+ 'module-type': ['expansion'],
+ 'name': 'IPRep Lookup',
+ 'logo': '',
+ 'requirements': ['An access to the packetmail API (apikey)'],
+ 'features': 'This module takes an IP address attribute as input and queries the database from packetmail.net to get some information about the reputation of the IP.',
+ 'references': ['https://github.com/mahesh557/packetmail'],
+ 'input': 'An IP address MISP attribute.',
+ 'output': 'Text describing additional information about the input after a query on the IPRep API.',
+}
moduleconfig = ['apikey']
diff --git a/misp_modules/modules/expansion/jinja_template_rendering.py b/misp_modules/modules/expansion/jinja_template_rendering.py
index 5749abaf..d65cb65b 100755
--- a/misp_modules/modules/expansion/jinja_template_rendering.py
+++ b/misp_modules/modules/expansion/jinja_template_rendering.py
@@ -5,9 +5,19 @@ from jinja2.sandbox import SandboxedEnvironment
misperrors = {'error': 'Error'}
mispattributes = {'input': ['text'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem',
- 'description': 'Render the template with the data passed',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sami Mokaddem',
+ 'description': 'Render the template with the data passed',
+ 'module-type': ['expansion'],
+ 'name': 'Ninja Template Rendering',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
default_template = '- Default template -'
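Review bot: The new `'name'` value `'Ninja Template Rendering'` misspells the library this module wraps; it should read `'name': 'Jinja Template Rendering',`. The `'features'`, `'references'`, `'input'` and `'output'` fields are added as empty strings/lists, so this hunk adds the keys the documentation generator expects without any content; the same empty placeholders appear in the mcafee_insights_enrich and passive_ssh hunks further down. Since the hunk header shows the module importing `SandboxedEnvironment`, the features text is the natural place to state that, e.g. `'features': 'Renders the input text attribute as a Jinja2 template with the data passed in the request, using a jinja2 SandboxedEnvironment rather than a plain Environment.'`, with `'input'` and `'output'` describing the text attribute in and the rendered text out.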
diff --git a/misp_modules/modules/expansion/joesandbox_query.py b/misp_modules/modules/expansion/joesandbox_query.py
index e3035124..f9c27a51 100644
--- a/misp_modules/modules/expansion/joesandbox_query.py
+++ b/misp_modules/modules/expansion/joesandbox_query.py
@@ -8,9 +8,19 @@ misperrors = {'error': 'Error'}
inputSource = ['link']
-moduleinfo = {'version': '0.2', 'author': 'Christian Studer',
- 'description': 'Query Joe Sandbox API with a report URL to get the parsed data.',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Christian Studer',
+ 'description': 'Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.',
+ 'module-type': ['expansion'],
+ 'name': 'Joe Sandbox Import',
+ 'logo': 'joesandbox.png',
+ 'requirements': ['jbxapi: Joe Sandbox API python3 library'],
+ 'features': "Module using the new format of modules able to return attributes and objects.\n\nThe module returns the same results as the import module [joe_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) taking directly the json report as input.\n\nEven if the introspection will allow all kinds of links to call this module, obviously only the ones presenting a sample or url submission in the Joe Sandbox API will return results.\n\nTo make it work you will need to fill the 'apikey' configuration with your Joe Sandbox API key and provide a valid link as input.",
+ 'references': ['https://www.joesecurity.org', 'https://www.joesandbox.com/'],
+ 'input': 'Link of a Joe Sandbox sample or url submission.',
+ 'output': 'MISP attributes & objects parsed from the analysis report.',
+}
moduleconfig = ['apiurl', 'apikey', 'import_executable', 'import_mitre_attack']
diff --git a/misp_modules/modules/expansion/joesandbox_submit.py b/misp_modules/modules/expansion/joesandbox_submit.py
index 39b140e2..b124bb7c 100644
--- a/misp_modules/modules/expansion/joesandbox_submit.py
+++ b/misp_modules/modules/expansion/joesandbox_submit.py
@@ -21,10 +21,17 @@ sh.setFormatter(fmt)
log.addHandler(sh)
moduleinfo = {
- "version": "1.0",
- "author": "Joe Security LLC",
- "description": "Submit files and URLs to Joe Sandbox",
- "module-type": ["expansion", "hover"]
+ 'version': '1.0',
+ 'author': 'Joe Security LLC',
+ 'description': 'A module to submit files or URLs to Joe Sandbox for an advanced analysis, and return the link of the submission.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Joe Sandbox Submit',
+ 'logo': 'joesandbox.png',
+ 'requirements': ['jbxapi: Joe Sandbox API python3 library'],
+ 'features': 'The module requires a Joe Sandbox API key to submit files or URL, and returns the link of the submitted analysis.\n\nIt is then possible, when the analysis is completed, to query the Joe Sandbox API to get the data related to the analysis, using the [joesandbox_query module](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) directly on this submission link.',
+ 'references': ['https://www.joesecurity.org', 'https://www.joesandbox.com/'],
+ 'input': 'Sample, url (or domain) to submit to Joe Sandbox for an advanced analysis.',
+ 'output': 'Link of the report generated in Joe Sandbox.',
}
moduleconfig = [
"apiurl",
diff --git a/misp_modules/modules/expansion/lastline_query.py b/misp_modules/modules/expansion/lastline_query.py
index 501a0bd8..46310800 100644
--- a/misp_modules/modules/expansion/lastline_query.py
+++ b/misp_modules/modules/expansion/lastline_query.py
@@ -22,10 +22,17 @@ mispattributes = {
}
moduleinfo = {
- "version": "0.1",
- "author": "Stefano Ortolani",
- "description": "Get a Lastline report from an analysis link.",
- "module-type": ["expansion"],
+ 'version': '0.1',
+ 'author': 'Stefano Ortolani',
+ 'description': 'Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nQuery Lastline with an analysis link and parse the report into MISP attributes and objects.',
+ 'module-type': ['expansion'],
+ 'name': 'Lastline Lookup',
+ 'logo': 'lastline.png',
+ 'requirements': [],
+ 'features': 'The module requires a Lastline Portal `username` and `password`.\nThe module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) import module.',
+ 'references': ['https://www.lastline.com'],
+ 'input': 'Link to a Lastline analysis.',
+ 'output': 'MISP attributes and objects parsed from the analysis report.',
}
moduleconfig = [
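Review bot: The deprecation notice placed at the top of the new `'description'` is written in the future tense ("will be deprecated by December 2021"); if that date has passed by the time this lands, the sentence is misleading for the users who see it in the module listing. Consider `'description': 'Deprecated: please use the vmware_nsx module instead.\n\nQuery Lastline with an analysis link and parse the report into MISP attributes and objects.',` so the status is stated rather than predicted. The same wording is used in the lastline_submit hunk below.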
diff --git a/misp_modules/modules/expansion/lastline_submit.py b/misp_modules/modules/expansion/lastline_submit.py
index fef165b4..52f15cfc 100644
--- a/misp_modules/modules/expansion/lastline_submit.py
+++ b/misp_modules/modules/expansion/lastline_submit.py
@@ -28,10 +28,17 @@ mispattributes = {
}
moduleinfo = {
- "version": "0.1",
- "author": "Stefano Ortolani",
- "description": "Submit files and URLs to Lastline analyst",
- "module-type": ["expansion", "hover"],
+ 'version': '0.1',
+ 'author': 'Stefano Ortolani',
+ 'description': 'Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nModule to submit a file or URL to Lastline.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Lastline Submit',
+ 'logo': 'lastline.png',
+ 'requirements': [],
+ 'features': 'The module requires a Lastline Analysis `api_token` and `key`.\nWhen the analysis is completed, it is possible to import the generated report by feeding the analysis link to the [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) module.',
+ 'references': ['https://www.lastline.com'],
+ 'input': 'File or URL to submit to Lastline.',
+ 'output': 'Link to the report generated by Lastline.',
}
moduleconfig = [
diff --git a/misp_modules/modules/expansion/macaddress_io.py b/misp_modules/modules/expansion/macaddress_io.py
index 72f950a7..72e928e0 100644
--- a/misp_modules/modules/expansion/macaddress_io.py
+++ b/misp_modules/modules/expansion/macaddress_io.py
@@ -14,7 +14,14 @@ moduleinfo = {
'version': '1.0',
'author': 'CodeLine OY - macaddress.io',
'description': 'MISP hover module for macaddress.io',
- 'module-type': ['hover']
+ 'module-type': ['hover'],
+ 'name': 'Macaddress.io Lookup',
+ 'logo': 'macaddress_io.png',
+ 'requirements': ['maclookup: macaddress.io python library', 'An access to the macaddress.io API (apikey)'],
+ 'features': 'This module takes a MAC address attribute as input and queries macaddress.io for additional information.\n\nThis information contains data about:\n- MAC address details\n- Vendor details\n- Block details',
+ 'references': ['https://macaddress.io/', 'https://github.com/CodeLineFi/maclookup-python'],
+ 'input': 'MAC address MISP attribute.',
+ 'output': 'Text containing information on the MAC address fetched from a query on macaddress.io.',
}
moduleconfig = ['api_key']
diff --git a/misp_modules/modules/expansion/macvendors.py b/misp_modules/modules/expansion/macvendors.py
index bb98366f..3b21dd9e 100644
--- a/misp_modules/modules/expansion/macvendors.py
+++ b/misp_modules/modules/expansion/macvendors.py
@@ -3,7 +3,19 @@ import json
misperrors = {'error': 'Error'}
mispattributes = {'input': ['mac-address'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Aurélien Schwab', 'description': 'Module to access Macvendors API.', 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Aurélien Schwab',
+ 'description': 'Module to access Macvendors API.',
+ 'module-type': ['hover'],
+ 'name': 'Macvendors Lookup',
+ 'logo': 'macvendors.png',
+ 'requirements': [],
+ 'features': 'The module takes a MAC address as input and queries macvendors.com for some information about it. The API returns the name of the vendor related to the address.',
+ 'references': ['https://macvendors.com/', 'https://macvendors.com/api'],
+ 'input': 'A MAC address.',
+ 'output': 'Additional information about the MAC address.',
+}
moduleconfig = ['user-agent']
macvendors_api_url = 'https://api.macvendors.com/'
diff --git a/misp_modules/modules/expansion/malwarebazaar.py b/misp_modules/modules/expansion/malwarebazaar.py
index 60739e89..5ad90477 100644
--- a/misp_modules/modules/expansion/malwarebazaar.py
+++ b/misp_modules/modules/expansion/malwarebazaar.py
@@ -5,9 +5,19 @@ from pymisp import MISPEvent, MISPObject
mispattributes = {'input': ['md5', 'sha1', 'sha256'],
'format': 'misp_standard'}
-moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
- 'description': 'Query Malware Bazaar to get additional information about the input hash.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Christian Studer',
+ 'description': 'Query Malware Bazaar to get additional information about the input hash.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Malware Bazaar Lookup',
+ 'logo': '',
+ 'requirements': [],
+ 'features': "The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.\n\nThe module is using the new format of modules able to return object since the result is one or multiple MISP object(s).",
+ 'references': ['https://bazaar.abuse.ch/'],
+ 'input': 'A hash attribute (md5, sha1 or sha256).',
+ 'output': 'File object(s) related to the input attribute found on MALWAREbazaar databases.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/mcafee_insights_enrich.py b/misp_modules/modules/expansion/mcafee_insights_enrich.py
index 8026d7fc..dca67b8b 100644
--- a/misp_modules/modules/expansion/mcafee_insights_enrich.py
+++ b/misp_modules/modules/expansion/mcafee_insights_enrich.py
@@ -14,9 +14,19 @@ mispattributes = {'input': ["md5", "sha1", "sha256"],
'format': 'misp_standard'}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'Martin Ohl',
- 'description': 'Lookup McAfee MVISION Insights Details',
- 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Martin Ohl',
+ 'description': 'Lookup McAfee MVISION Insights Details',
+ 'module-type': ['hover'],
+ 'name': 'McAfee MVISION Insights Lookup',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
# config fields that your code expects from the site admin
moduleconfig = ['api_key', 'client_id', 'client_secret']
diff --git a/misp_modules/modules/expansion/mmdb_lookup.py b/misp_modules/modules/expansion/mmdb_lookup.py
index e3a0eff4..21848563 100644
--- a/misp_modules/modules/expansion/mmdb_lookup.py
+++ b/misp_modules/modules/expansion/mmdb_lookup.py
@@ -5,10 +5,19 @@ from pymisp import MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'], 'format': 'misp_standard'}
-moduleinfo = {'version': '1', 'author': 'Jeroen Pinoy',
- 'description': "An expansion module to enrich an ip with geolocation and asn information from an mmdb server "
- "such as ip.circl.lu.",
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Jeroen Pinoy',
+ 'description': "A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu.",
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'GeoIP Enrichment',
+ 'logo': 'circl.png',
+ 'requirements': [],
+ 'features': 'The module takes an IP address related attribute as input.\n It queries the public CIRCL.lu mmdb-server instance, available at ip.circl.lu, by default. The module can be configured with a custom mmdb server url if required.\n It is also possible to filter results on 1 db_source by configuring db_source_filter.',
+ 'references': ['https://data.public.lu/fr/datasets/geo-open-ip-address-geolocation-per-country-in-mmdb-format/', 'https://github.com/adulau/mmdb-server'],
+ 'input': 'An IP address attribute (for example ip-src or ip-src|port).',
+ 'output': 'Geolocation and asn objects.',
+}
moduleconfig = ["custom_API", "db_source_filter"]
mmdblookup_url = 'https://ip.circl.lu/'
diff --git a/misp_modules/modules/expansion/mwdb.py b/misp_modules/modules/expansion/mwdb.py
index 66f5fe45..a6fdc1e6 100644
--- a/misp_modules/modules/expansion/mwdb.py
+++ b/misp_modules/modules/expansion/mwdb.py
@@ -11,9 +11,19 @@ from mwdblib import MWDB
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment', 'malware-sample'], 'output': ['link']}
-moduleinfo = {'version': '1', 'author': 'Koen Van Impe',
- 'description': 'Module to push malware samples to a MWDB instance',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Koen Van Impe',
+ 'description': 'Module to push malware samples to a MWDB instance',
+ 'module-type': ['expansion'],
+ 'name': 'MWDB Submit',
+ 'logo': '',
+ 'requirements': ['* mwdblib installed (pip install mwdblib) ; * (optional) keys.py file to add tags of events/attributes to MWDB * (optional) MWDB attribute created for the link back to MISP (defined in mwdb_misp_attribute)'],
+ 'features': 'An expansion module to push malware samples to a MWDB (https://github.com/CERT-Polska/mwdb-core) instance. This module does not push samples to a sandbox. This can be achieved via Karton (connected to the MWDB). Does: * Upload of attachment or malware sample to MWDB * Tags of events and/or attributes are added to MWDB. * Comment of the MISP attribute is added to MWDB. * A link back to the MISP event is added to MWDB via the MWDB attribute. * A link to the MWDB attribute is added as an enrichted attribute to the MISP event.',
+ 'references': [],
+ 'input': 'Attachment or malware sample',
+ 'output': 'Link attribute that points to the sample at the MWDB instane',
+}
moduleconfig = ['mwdb_apikey', 'mwdb_url', 'mwdb_misp_attribute', 'mwdb_public', 'include_tags_event', 'include_tags_attribute']
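Review bot: The new `'requirements'` entry packs three distinct requirements into a single string separated by `*` and `;`, whereas the other hunks in this commit (ods_enrich, qrcode, onyphe) list one requirement per element, which is what a documentation generator iterating the list would expect. Splitting it keeps the content and matches the rest: `'requirements': ['mwdblib installed (pip install mwdblib)', '(optional) keys.py file to add tags of events/attributes to MWDB', '(optional) MWDB attribute created for the link back to MISP (defined in mwdb_misp_attribute)'],`. Two typos in the same dict are worth fixing while here: "enrichted" in `'features'` and "instane" in `'output'`.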
diff --git a/misp_modules/modules/expansion/ocr_enrich.py b/misp_modules/modules/expansion/ocr_enrich.py
index ff0a70c7..0fbaea4c 100644
--- a/misp_modules/modules/expansion/ocr_enrich.py
+++ b/misp_modules/modules/expansion/ocr_enrich.py
@@ -7,9 +7,19 @@ import pytesseract
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment'],
'output': ['freetext']}
-moduleinfo = {'version': '0.2', 'author': 'Sascha Rommelfangen',
- 'description': 'OCR decoder',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'Module to process some optical character recognition on pictures.',
+ 'module-type': ['expansion'],
+ 'name': 'OCR Enrich',
+ 'logo': '',
+ 'requirements': ['cv2: The OpenCV python library.'],
+ 'features': 'The module takes an attachment attributes as input and process some optical character recognition on it. The text found is then passed to the Freetext importer to extract potential IoCs.',
+ 'references': [],
+ 'input': 'A picture attachment.',
+ 'output': 'Text and freetext fetched from the input picture.',
+}
moduleconfig = []
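Review bot: The new `'requirements'` list names only cv2, but the hunk header shows the module also imports `pytesseract`, which in turn needs the Tesseract OCR engine installed on the host; an operator reading the generated docs would miss that dependency. Suggested: `'requirements': ['cv2: The OpenCV python library.', 'pytesseract: Python wrapper for the Tesseract OCR engine (requires the tesseract binary).'],`. The `'features'` sentence also has a grammar slip, "takes an attachment attributes as input and process", which should read "takes an attachment attribute as input and processes".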
diff --git a/misp_modules/modules/expansion/ods_enrich.py b/misp_modules/modules/expansion/ods_enrich.py
index 575fcfc7..ef73e52e 100644
--- a/misp_modules/modules/expansion/ods_enrich.py
+++ b/misp_modules/modules/expansion/ods_enrich.py
@@ -9,9 +9,19 @@ import logging
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment'],
'output': ['freetext', 'text']}
-moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
- 'description': '.ods to freetext-import IOC extractor',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'Module to extract freetext from a .ods document.',
+ 'module-type': ['expansion'],
+ 'name': 'ODS Enrich',
+ 'logo': 'ods.png',
+ 'requirements': ['ezodf: Python package to create/manipulate OpenDocumentFormat files.', 'pandas_ods_reader: Python library to read in ODS files.'],
+ 'features': 'The module reads the text contained in a .ods document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
+ 'references': [],
+ 'input': 'Attachment attribute containing a .ods document.',
+ 'output': 'Text and freetext parsed from the document.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/odt_enrich.py b/misp_modules/modules/expansion/odt_enrich.py
index c4513ae8..04d120f2 100644
--- a/misp_modules/modules/expansion/odt_enrich.py
+++ b/misp_modules/modules/expansion/odt_enrich.py
@@ -7,9 +7,19 @@ import io
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment'],
'output': ['freetext', 'text']}
-moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
- 'description': '.odt to freetext-import IOC extractor',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'Module to extract freetext from a .odt document.',
+ 'module-type': ['expansion'],
+ 'name': 'ODT Enrich',
+ 'logo': 'odt.png',
+ 'requirements': ['ODT reader python library.'],
+ 'features': 'The module reads the text contained in a .odt document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
+ 'references': [],
+ 'input': 'Attachment attribute containing a .odt document.',
+ 'output': 'Text and freetext parsed from the document.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index c7777077..29213b46 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -15,9 +15,19 @@ mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url'],
'format': 'misp_standard'}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '2', 'author': 'Sebastien Larinier @sebdraven',
- 'description': 'Query on Onyphe',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '2',
+ 'author': 'Sebastien Larinier @sebdraven',
+ 'description': 'Module to process a query on Onyphe.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Onyphe Lookup',
+ 'logo': 'onyphe.jpg',
+ 'requirements': ['onyphe python library', 'An access to the Onyphe API (apikey)'],
+ 'features': 'This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.',
+ 'references': ['https://www.onyphe.io/', 'https://github.com/sebdraven/pyonyphe'],
+ 'input': 'A domain, hostname or IP address MISP attribute.',
+ 'output': 'MISP attributes fetched from the Onyphe query.',
+}
# config fields that your code expects from the site admin
moduleconfig = ['apikey']
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 3b1c554e..417d751d 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -12,9 +12,19 @@ mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url']}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
- 'description': 'Query on Onyphe',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Sebastien Larinier @sebdraven',
+ 'description': 'Module to process a full query on Onyphe.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Onyphe Full Lookup',
+ 'logo': 'onyphe.jpg',
+ 'requirements': ['onyphe python library', 'An access to the Onyphe API (apikey)'],
+ 'features': 'This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.\n\nThe parsing is here more advanced than the one on onyphe module, and is returning more attributes, since more fields of the query result are watched and parsed.',
+ 'references': ['https://www.onyphe.io/', 'https://github.com/sebdraven/pyonyphe'],
+ 'input': 'A domain, hostname or IP address MISP attribute.',
+ 'output': 'MISP attributes fetched from the Onyphe query.',
+}
# config fields that your code expects from the site admin
moduleconfig = ['apikey']
diff --git a/misp_modules/modules/expansion/otx.py b/misp_modules/modules/expansion/otx.py
index e5861807..97c169fc 100755
--- a/misp_modules/modules/expansion/otx.py
+++ b/misp_modules/modules/expansion/otx.py
@@ -8,9 +8,19 @@ mispattributes = {'input': ["hostname", "domain", "ip-src", "ip-dst", "md5", "sh
}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'chrisdoman',
- 'description': 'Get information from AlienVault OTX',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'chrisdoman',
+ 'description': 'Module to get information from AlienVault OTX.',
+ 'module-type': ['expansion'],
+ 'name': 'AlienVault OTX Lookup',
+ 'logo': 'otx.png',
+ 'requirements': ['An access to the OTX API (apikey)'],
+ 'features': 'This module takes a MISP attribute as input to query the OTX Alienvault API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.',
+ 'references': ['https://www.alienvault.com/open-threat-exchange'],
+ 'input': 'A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512',
+ 'output': 'MISP attributes mapped from the result of the query on OTX, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- email',
+}
# We're not actually using the API key yet
moduleconfig = ["apikey"]
diff --git a/misp_modules/modules/expansion/passive_ssh.py b/misp_modules/modules/expansion/passive_ssh.py
index bf70ec99..2a3175ab 100644
--- a/misp_modules/modules/expansion/passive_ssh.py
+++ b/misp_modules/modules/expansion/passive_ssh.py
@@ -9,9 +9,19 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'ssh-fingerprint'],
'format': 'misp_standard'}
-moduleinfo = {'version': '1', 'author': 'Jean-Louis Huynen',
- 'description': 'An expansion module to enrich, SSH key fingerprints and IP addresses with information collected by passive-ssh',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Jean-Louis Huynen',
+ 'description': 'An expansion module to enrich, SSH key fingerprints and IP addresses with information collected by passive-ssh',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Passive SSH Enrichment',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
moduleconfig = ["custom_api_url", "api_user", "api_key"]
diff --git a/misp_modules/modules/expansion/passivetotal.py b/misp_modules/modules/expansion/passivetotal.py
index dfcedada..679d434c 100755
--- a/misp_modules/modules/expansion/passivetotal.py
+++ b/misp_modules/modules/expansion/passivetotal.py
@@ -31,7 +31,14 @@ moduleinfo = {
'version': '1.0',
'author': 'Brandon Dixon',
'description': 'The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register',
- 'module-type': ['expansion', 'hover']
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'PassiveTotal Lookup',
+ 'logo': 'passivetotal.png',
+ 'requirements': ['Passivetotal python library', 'An access to the PassiveTotal API (apikey)'],
+ 'features': 'The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register',
+ 'references': ['https://www.passivetotal.org/register'],
+ 'input': 'A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- x509-fingerprint-sha1\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-phone\n- text\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date',
+ 'output': 'MISP attributes mapped from the result of the query on PassiveTotal, included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- x509-fingerprint-sha1\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-phone\n- text\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- md5\n- sha1\n- sha256\n- link',
}
moduleconfig = ['username', 'api_key']
query_playbook = [
diff --git a/misp_modules/modules/expansion/pdf_enrich.py b/misp_modules/modules/expansion/pdf_enrich.py
index ef85fde2..15231c09 100644
--- a/misp_modules/modules/expansion/pdf_enrich.py
+++ b/misp_modules/modules/expansion/pdf_enrich.py
@@ -7,9 +7,19 @@ import io
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment'],
'output': ['freetext', 'text']}
-moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
- 'description': 'PDF to freetext-import IOC extractor',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'Module to extract freetext from a PDF document.',
+ 'module-type': ['expansion'],
+ 'name': 'PDF Enrich',
+ 'logo': 'pdf.jpg',
+ 'requirements': ['pdftotext: Python library to extract text from PDF.'],
+ 'features': 'The module reads the text contained in a PDF document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
+ 'references': [],
+ 'input': 'Attachment attribute containing a PDF document.',
+ 'output': 'Text and freetext parsed from the document.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/pptx_enrich.py b/misp_modules/modules/expansion/pptx_enrich.py
index 816e4391..4a3b2b5f 100644
--- a/misp_modules/modules/expansion/pptx_enrich.py
+++ b/misp_modules/modules/expansion/pptx_enrich.py
@@ -7,9 +7,19 @@ import io
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment'],
'output': ['freetext', 'text']}
-moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
- 'description': '.pptx to freetext-import IOC extractor',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'Module to extract freetext from a .pptx document.',
+ 'module-type': ['expansion'],
+ 'name': 'PPTX Enrich',
+ 'logo': 'pptx.png',
+ 'requirements': ['pptx: Python library to read PowerPoint files.'],
+ 'features': 'The module reads the text contained in a .pptx document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
+ 'references': [],
+ 'input': 'Attachment attribute containing a .pptx document.',
+ 'output': 'Text and freetext parsed from the document.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/qintel_qsentry.py b/misp_modules/modules/expansion/qintel_qsentry.py
index 6733b93f..609ed01f 100644
--- a/misp_modules/modules/expansion/qintel_qsentry.py
+++ b/misp_modules/modules/expansion/qintel_qsentry.py
@@ -12,8 +12,16 @@ logger.setLevel(logging.DEBUG)
moduleinfo = {
'version': '1.0',
'author': 'Qintel, LLC',
- 'description': 'Query Qintel QSentry for ip intelligence',
- 'module-type': ['hover', 'expansion']
+ 'description': 'A hover and expansion module which queries Qintel QSentry for ip reputation data',
+ 'module-type': ['hover', 'expansion'],
+ 'name': 'Qintel QSentry Lookup',
+ 'logo': 'qintel.png',
+ 'requirements': ['A Qintel API token'],
+ 'features': 'This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the Qintel QSentry API to retrieve ip reputation data',
+ 'references': ['https://www.qintel.com/products/qsentry/'],
+ 'input': 'ip address attribute',
+ 'output': '',
+ 'ouput': 'Objects containing the enriched IP, threat tags, last seen attributes and associated Autonomous System information',
}
moduleconfig = ['token', 'remote']
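Review bot: The last key of the new dict is misspelled `'ouput'`, so the real output description is stored under an unused key while `'output'` is left as an empty string; anything that reads `moduleinfo['output']` (the documentation generator this commit is feeding) gets nothing. Replace the two lines with the single `'output': 'Objects containing the enriched IP, threat tags, last seen attributes and associated Autonomous System information',` and drop the `'ouput'` entry.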
diff --git a/misp_modules/modules/expansion/qrcode.py b/misp_modules/modules/expansion/qrcode.py
index bb3effdb..a44d311f 100644
--- a/misp_modules/modules/expansion/qrcode.py
+++ b/misp_modules/modules/expansion/qrcode.py
@@ -8,9 +8,19 @@ import np
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment'],
'output': ['url', 'btc']}
-moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
- 'description': 'QR code decoder',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'Module to decode QR codes.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'QR Code Decode',
+ 'logo': '',
+ 'requirements': ['cv2: The OpenCV python library.', 'pyzbar: Python library to read QR codes.'],
+ 'features': 'The module reads the QR code and returns the related address, which can be an URL or a bitcoin address.',
+ 'references': [],
+ 'input': 'A QR code stored as attachment attribute.',
+ 'output': 'The URL or bitcoin address the QR code is pointing to.',
+}
debug = True
debug_prefix = "[DEBUG] QR Code module: "
diff --git a/misp_modules/modules/expansion/ransomcoindb.py b/misp_modules/modules/expansion/ransomcoindb.py
index 0e058552..20b5ebfd 100644
--- a/misp_modules/modules/expansion/ransomcoindb.py
+++ b/misp_modules/modules/expansion/ransomcoindb.py
@@ -8,15 +8,26 @@ copyright = """
This file is part of the ransomwarecoindDB project and licensed under the AGPL 3.0 license
"""
-__version__ = 0.1
-
debug = False
misperrors = {'error': 'Error'}
# mispattributes = {'input': ['sha1', 'sha256', 'md5', 'btc', 'xmr', 'dash' ], 'output': ['btc', 'sha1', 'sha256', 'md5', 'freetext']}
mispattributes = {'input': ['sha1', 'sha256', 'md5', 'btc'], 'output': ['btc', 'sha1', 'sha256', 'md5', 'freetext'], 'format': 'misp_standard'}
-moduleinfo = {'version': __version__, 'author': 'Aaron Kaplan', 'description': 'Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)', 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Aaron Kaplan',
+ 'description': 'Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'RandomcoinDB Lookup',
+ 'logo': '',
+ 'requirements': ['A ransomcoinDB API key.'],
+ 'features': 'The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data.\n\nIf the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes.',
+ 'references': ['https://ransomcoindb.concinnity-risks.com'],
+ 'input': 'A hash (md5, sha1 or sha256) or btc attribute.',
+ 'output': 'Hashes associated to a btc address or btc addresses associated to a hash.',
+ 'descrption': 'Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes.',
+}
moduleconfig = ['api-key']
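Review bot: The trailing `'descrption'` key is a misspelled second description that no reader of `moduleinfo['description']` will ever see; either drop that line or, if its wording is the intended one, move its text into the existing `'description'` entry. The new `'name'` value `'RandomcoinDB Lookup'` also looks like a typo for `'RansomcoinDB Lookup'`, matching the project name used in the description and references. Separately, the hunk deletes the module-level `__version__ = 0.1` that the old dict referenced; if `__version__` is used anywhere else in the file outside this hunk, that use would now raise NameError at import time, so it is worth a grep before merging.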
diff --git a/misp_modules/modules/expansion/rbl.py b/misp_modules/modules/expansion/rbl.py
index d3f661ec..408ca518 100644
--- a/misp_modules/modules/expansion/rbl.py
+++ b/misp_modules/modules/expansion/rbl.py
@@ -9,9 +9,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']}
-moduleinfo = {'version': '0.2', 'author': 'Christian Studer',
- 'description': 'Check an IPv4 address against known RBLs.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Christian Studer',
+ 'description': 'Module to check an IPv4 address against known RBLs.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Real-time Blackhost Lists Lookup',
+ 'logo': '',
+ 'requirements': ['dnspython3: DNS python3 library'],
+ 'features': 'This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.\n\nWe display then all the information we get from those different sources.',
+ 'references': ['[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20)'],
+ 'input': 'IP address attribute.',
+ 'output': 'Text with additional data from Real-time Blackhost Lists about the IP address.',
+}
moduleconfig = ['timeout']
rbls = (
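Review bot: The user-facing strings in `name`, `features` and `output` spell the service as "Blackhost"; the lists this module queries are Real-time Blackhole Lists, so `'name': 'Real-time Blackhole Lists Lookup'` and likewise in the other two fields. `features` also reads "multiple know Real-time" and should be "multiple known". The reference pins a commit-hash URL to line 20 of this same file, which goes stale as soon as the file changes; linking the `rbls` tuple on the `main` branch, or simply naming it, would be more durable.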
diff --git a/misp_modules/modules/expansion/recordedfuture.py b/misp_modules/modules/expansion/recordedfuture.py
index 8056bfa1..ad6e4c6b 100644
--- a/misp_modules/modules/expansion/recordedfuture.py
+++ b/misp_modules/modules/expansion/recordedfuture.py
@@ -16,10 +16,17 @@ from urllib.parse import quote, urlparse
from pymisp import MISPAttribute, MISPEvent, MISPTag, MISPObject
moduleinfo = {
- "version": "2.0.0",
- "author": "Recorded Future",
- "description": "Module to retrieve data from Recorded Future",
- "module-type": ["expansion", "hover"],
+ 'version': '2.0.0',
+ 'author': 'Recorded Future',
+ 'description': 'Module to enrich attributes with threat intelligence from Recorded Future.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Recorded Future Enrich',
+ 'logo': 'recordedfuture.png',
+ 'requirements': ['A Recorded Future API token.'],
+ 'features': "Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes.",
+ 'references': ['https://www.recordedfuture.com/'],
+ 'input': 'A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness.',
+ 'output': 'A MISP object containing a copy of the enriched attribute with added tags from Recorded Future and a list of new attributes related to the enriched attribute.',
}
moduleconfig = ["token", "proxy_host", "proxy_port", "proxy_username", "proxy_password"]
diff --git a/misp_modules/modules/expansion/reversedns.py b/misp_modules/modules/expansion/reversedns.py
index 43df562a..5cb795c5 100644
--- a/misp_modules/modules/expansion/reversedns.py
+++ b/misp_modules/modules/expansion/reversedns.py
@@ -5,9 +5,19 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['hostname']}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '0.1', 'author': 'Andreas Muehlemann',
- 'description': 'Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Andreas Muehlemann',
+ 'description': 'Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Reverse DNS',
+ 'logo': '',
+ 'requirements': ['DNS python library'],
+ 'features': 'The module takes an IP address as input and tries to find the hostname this IP address is resolved into.\n\nThe address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).\n\nPlease note that composite MISP attributes containing IP addresses are supported as well.',
+ 'references': [],
+ 'input': 'An IP address attribute.',
+ 'output': 'Hostname attribute the input is resolved into.',
+}
# config fields that your code expects from the site admin
moduleconfig = ['nameserver']
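Review bot: The `features` text states that without a `nameserver` setting lookups go to Google's 8.8.8.8, but it does not tell the operator what that implies: every IP indicator enriched is then disclosed to a third-party resolver, which matters in sensitive investigations. Suggest appending to `features`: `Note that with the default resolver every enriched IP address is sent to a public third-party DNS service; configure an internal nameserver when the indicators are sensitive.` The code implementing the fallback is outside the hunk, so the 8.8.8.8 claim is taken from the string itself and should be checked against it.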
diff --git a/misp_modules/modules/expansion/securitytrails.py b/misp_modules/modules/expansion/securitytrails.py
index f5750e1b..ae251c57 100644
--- a/misp_modules/modules/expansion/securitytrails.py
+++ b/misp_modules/modules/expansion/securitytrails.py
@@ -24,9 +24,19 @@ mispattributes = {
'whois-registrar', 'whois-creation-date', 'domain']
}
-moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
- 'description': 'Query on securitytrails.com',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Sebastien Larinier @sebdraven',
+ 'description': 'An expansion modules for SecurityTrails.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'SecurityTrails Lookup',
+ 'logo': 'securitytrails.png',
+ 'requirements': ['dnstrails python library', 'An access to the SecurityTrails API (apikey)'],
+ 'features': 'The module takes a domain, hostname or IP address attribute as input and queries the SecurityTrails API with it.\n\nMultiple parsing operations are then processed on the result of the query to extract a much information as possible.\n\nFrom this data extracted are then mapped MISP attributes.',
+ 'references': ['https://securitytrails.com/'],
+ 'input': 'A domain, hostname or IP address attribute.',
+ 'output': 'MISP attributes resulting from the query on SecurityTrails API, included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- dns-soa-email\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- domain',
+}
# config fields that your code expects from the site admin
moduleconfig = ['apikey']
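Review bot: The `output` string lists `domain` twice, and the prose has several slips: `'description': 'An expansion module for SecurityTrails.'`, "extract a much information" should be "extract as much information", and "From this data extracted are then mapped MISP attributes" reads better as "The extracted data is then mapped to MISP attributes." The duplicate `domain` mirrors the `mispattributes['output']` list just above (its last entry is also `'domain'`), so both could be deduplicated in the same change.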
diff --git a/misp_modules/modules/expansion/shodan.py b/misp_modules/modules/expansion/shodan.py
index 2ea97499..9c3ab4f4 100755
--- a/misp_modules/modules/expansion/shodan.py
+++ b/misp_modules/modules/expansion/shodan.py
@@ -12,9 +12,19 @@ from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst'],
'format': 'misp_standard'}
-moduleinfo = {'version': '0.2', 'author': 'Raphaël Vinot',
- 'description': 'Query on Shodan',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Raphaël Vinot',
+ 'description': 'Module to query on Shodan.',
+ 'module-type': ['expansion'],
+ 'name': 'Shodan Lookup',
+ 'logo': 'shodan.png',
+ 'requirements': ['shodan python library', 'An access to the Shodan API (apikey)'],
+ 'features': 'The module takes an IP address as input and queries the Shodan API to get some additional data about it.',
+ 'references': ['https://www.shodan.io/'],
+ 'input': 'An IP address MISP attribute.',
+ 'output': 'Text with additional data about the input, resulting from the query on Shodan.',
+}
moduleconfig = ['apikey']
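Review bot: `output` documents `'Text with additional data...'`, but `mispattributes` above declares `'format': 'misp_standard'` with no text output, and the file imports MISPAttribute, MISPEvent and MISPObject, so the module appears to return attributes and objects rather than a text blob. Suggest `'output': 'MISP attributes and objects parsed from the Shodan host report of the input IP address.'`; the parsing code is outside the hunk, so confirm the exact object types against it.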
diff --git a/misp_modules/modules/expansion/sigma_queries.py b/misp_modules/modules/expansion/sigma_queries.py
index d17a1004..41ba9b49 100644
--- a/misp_modules/modules/expansion/sigma_queries.py
+++ b/misp_modules/modules/expansion/sigma_queries.py
@@ -9,8 +9,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['sigma'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Christian Studer', 'module-type': ['expansion', 'hover'],
- 'description': 'An expansion hover module to display the result of sigma queries.'}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Christian Studer',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Sigma Rule Converter',
+ 'description': 'An expansion hover module to display the result of sigma queries.',
+ 'logo': 'sigma.png',
+ 'requirements': ['Sigma python library'],
+ 'features': 'This module takes a Sigma rule attribute as input and tries all the different queries available to convert it into different formats recognized by SIEMs.',
+ 'references': ['https://github.com/Neo23x0/sigma/wiki'],
+ 'input': 'A Sigma attribute.',
+ 'output': 'Text displaying results of queries on the Sigma attribute.',
+}
moduleconfig = []
sigma_targets = ('es-dsl', 'es-qs', 'graylog', 'kibana', 'xpack-watcher', 'logpoint', 'splunk', 'grep', 'mdatp', 'splunkxml', 'arcsight', 'qualys')
diff --git a/misp_modules/modules/expansion/sigma_syntax_validator.py b/misp_modules/modules/expansion/sigma_syntax_validator.py
index 658b4d3f..b8739233 100644
--- a/misp_modules/modules/expansion/sigma_syntax_validator.py
+++ b/misp_modules/modules/expansion/sigma_syntax_validator.py
@@ -8,8 +8,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['sigma'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Christian Studer', 'module-type': ['expansion', 'hover'],
- 'description': 'An expansion hover module to perform a syntax check on sigma rules'}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Christian Studer',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Sigma Syntax Validator',
+ 'description': 'An expansion hover module to perform a syntax check on sigma rules.',
+ 'logo': 'sigma.png',
+ 'requirements': ['Sigma python library', 'Yaml python library'],
+ 'features': 'This module takes a Sigma rule attribute as input and performs a syntax check on it.\n\nIt displays then that the rule is valid if it is the case, and the error related to the rule otherwise.',
+ 'references': ['https://github.com/Neo23x0/sigma/wiki'],
+ 'input': 'A Sigma attribute.',
+ 'output': 'Text describing the validity of the Sigma rule.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/sigmf_expand.py b/misp_modules/modules/expansion/sigmf_expand.py
index e0030385..b7a55a80 100644
--- a/misp_modules/modules/expansion/sigmf_expand.py
+++ b/misp_modules/modules/expansion/sigmf_expand.py
@@ -26,9 +26,19 @@ log.addHandler(sh)
misperrors = {'error': 'Error'}
mispattributes = {'input': ['sigmf-recording', 'sigmf-archive'], 'output': [
'MISP objects'], 'format': 'misp_standard'}
-moduleinfo = {'version': '0.1', 'author': 'Luciano Righetti',
- 'description': 'Expands a SigMF Recording object into a SigMF Expanded Recording object, extracts a SigMF archive into a SigMF Recording object.',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Luciano Righetti',
+ 'description': 'Expands a SigMF Recording object into a SigMF Expanded Recording object, extracts a SigMF archive into a SigMF Recording object.',
+ 'module-type': ['expansion'],
+ 'name': 'SigMF Expansion',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
def get_samples(data_bytes, data_type) -> np.ndarray:
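Review bot: `features`, `input`, `output` and `references` are left as empty strings and lists, so the documentation this commit generates from `moduleinfo` will have blank sections for this module. From the `mispattributes` declaration just above and the existing description, at least `'input': 'A sigmf-recording or sigmf-archive MISP object.'` and `'output': 'A sigmf-expanded-recording object, or a sigmf-recording object extracted from the archive.'` can be stated now, and a link to the SigMF specification belongs in `references`.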
diff --git a/misp_modules/modules/expansion/socialscan.py b/misp_modules/modules/expansion/socialscan.py
index 54f58f6f..8800397b 100644
--- a/misp_modules/modules/expansion/socialscan.py
+++ b/misp_modules/modules/expansion/socialscan.py
@@ -5,8 +5,15 @@ from socialscan.util import sync_execute_queries
moduleinfo = {
'version': '1',
'author': 'Christian Studer',
- 'description': 'Module to query several online platforms to look for existing accounts.',
- 'module-type': ['hover']
+ 'description': 'A hover module to get information on the availability of an email address or username on some online platforms.',
+ 'module-type': ['hover'],
+ 'name': 'Socialscan Lookup',
+ 'logo': '',
+ 'requirements': ['The socialscan python library'],
+ 'features': 'The module takes an email address or username as input and check its availability on some online platforms. The results for each platform are then returned to see if the email address or the username is used, available or if there is an issue with it.',
+ 'references': ['https://github.com/iojw/socialscan'],
+ 'input': 'An email address or usename attribute.',
+ 'output': 'Text containing information about the availability of an email address or a username in some online platforms.',
}
mispattributes = {
'input': [
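Review bot: Typo in the `input` field, "usename": `'input': 'An email address or username attribute.'`. In `features`, "takes an email address or username as input and check its availability" should be "checks".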
diff --git a/misp_modules/modules/expansion/sophoslabs_intelix.py b/misp_modules/modules/expansion/sophoslabs_intelix.py
index 4d7c4139..1b0bc9ff 100644
--- a/misp_modules/modules/expansion/sophoslabs_intelix.py
+++ b/misp_modules/modules/expansion/sophoslabs_intelix.py
@@ -5,10 +5,19 @@ from . import check_input_attribute, checking_error, standard_error_message
from pymisp import MISPEvent, MISPObject
from urllib.parse import quote
-moduleinfo = {'version': '1.0',
- 'author': 'Ben Verschaeren',
- 'description': 'SOPHOSLabs Intelix Integration',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '1.0',
+ 'author': 'Ben Verschaeren',
+ 'description': 'An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.',
+ 'module-type': ['expansion'],
+ 'name': 'SophosLabs Intelix Lookup',
+ 'logo': 'sophoslabs_intelix.svg',
+ 'requirements': ['A client_id and client_secret pair to authenticate to the SophosLabs Intelix API'],
+ 'features': 'The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object.',
+ 'references': ['https://aws.amazon.com/marketplace/pp/B07SLZPMCS'],
+ 'input': 'An ip address, url, domain or sha256 attribute.',
+ 'output': 'SophosLabs Intelix report and lookup objects',
+}
moduleconfig = ['client_id', 'client_secret']
diff --git a/misp_modules/modules/expansion/sourcecache.py b/misp_modules/modules/expansion/sourcecache.py
index b09068bc..18b38e42 100755
--- a/misp_modules/modules/expansion/sourcecache.py
+++ b/misp_modules/modules/expansion/sourcecache.py
@@ -3,7 +3,19 @@ from url_archiver import url_archiver
misperrors = {'error': 'Error'}
mispattributes = {'input': ['link', 'url'], 'output': ['attachment', 'malware-sample']}
-moduleinfo = {'version': '0.1', 'author': 'Alexandre Dulaunoy', 'description': 'Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.', 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Alexandre Dulaunoy',
+ 'description': 'Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.',
+ 'module-type': ['expansion'],
+ 'name': 'URL Archiver',
+ 'logo': '',
+ 'requirements': ['urlarchiver: python library to fetch and archive URL on the file-system'],
+ 'features': 'This module takes a link or url attribute as input and caches the related web page. It returns then a link of the cached page.',
+ 'references': ['https://github.com/adulau/url_archiver'],
+ 'input': 'A link or url attribute.',
+ 'output': 'A malware-sample attribute describing the cached page.',
+}
moduleconfig = ['archivepath']
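Review bot: `output` documents only `'A malware-sample attribute describing the cached page.'` while `mispattributes['output']` above declares both `attachment` and `malware-sample`; either list both here or narrow the declaration so the two agree. Since the description says the module fetches the page behind a link/url attribute, `features` would also benefit from a caveat that the MISP modules host makes an outbound request to a URL taken from event data, which operators may want to route through a proxy or sandboxed egress; the fetching code is outside the hunk, so phrase it as a general caveat rather than a description of the implementation.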
diff --git a/misp_modules/modules/expansion/stairwell.py b/misp_modules/modules/expansion/stairwell.py
index c9acfc89..1421240a 100644
--- a/misp_modules/modules/expansion/stairwell.py
+++ b/misp_modules/modules/expansion/stairwell.py
@@ -19,8 +19,15 @@ mispattributes = {
moduleinfo = {
'version': '0.1',
'author': 'goodlandsecurity',
- 'description': 'Enrich hash observables with the Stairwell API',
- 'module-type': ['expansion']
+ 'description': 'Module to query the Stairwell API to get additional information about the input hash attribute',
+ 'module-type': ['expansion'],
+ 'name': 'Stairwell Lookup',
+ 'logo': 'stairwell.png',
+ 'requirements': ['Access to Stairwell platform (apikey)'],
+ 'features': "The module takes a hash attribute as input and queries Stariwell's API to fetch additional data about it. The result, if the payload is observed in Stariwell, is a file object describing the file the input hash is related to.",
+ 'references': ['https://stairwell.com', 'https://docs.stairwell.com'],
+ 'input': 'A hash attribute (md5, sha1, sha256).',
+ 'output': 'File object related to the input attribute found on Stairwell platform.',
}
moduleconfig = ["apikey"]
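Review bot: The `features` string misspells the vendor twice as "Stariwell" ("queries Stariwell's API", "observed in Stariwell"); both should be "Stairwell" to match `name` and `references`. The `description` is also missing its trailing period, unlike the other modules touched in this commit.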
diff --git a/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py b/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py
index 842217ab..15e44ee5 100644
--- a/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py
+++ b/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py
@@ -6,8 +6,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['stix2-pattern'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Christian Studer', 'module-type': ['hover'],
- 'description': 'An expansion hover module to perform a syntax check on stix2 patterns.'}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Christian Studer',
+ 'module-type': ['hover'],
+ 'name': 'STIX2 Pattern Syntax Validator',
+ 'description': 'An expansion hover module to perform a syntax check on stix2 patterns.',
+ 'logo': 'stix.png',
+ 'requirements': ['stix2patterns python library'],
+ 'features': 'This module takes a STIX2 pattern attribute as input and performs a syntax check on it.\n\nIt displays then that the rule is valid if it is the case, and the error related to the rule otherwise.',
+ 'references': ['[STIX2.0 patterning specifications](http://docs.oasis-open.org/cti/stix/v2.0/cs01/part5-stix-patterning/stix-v2.0-cs01-part5-stix-patterning.html)'],
+ 'input': 'A STIX2 pattern attribute.',
+ 'output': 'Text describing the validity of the STIX2 pattern.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/threatcrowd.py b/misp_modules/modules/expansion/threatcrowd.py
index 268832fc..4c795161 100644
--- a/misp_modules/modules/expansion/threatcrowd.py
+++ b/misp_modules/modules/expansion/threatcrowd.py
@@ -8,9 +8,19 @@ mispattributes = {'input': ["hostname", "domain", "ip-src", "ip-dst", "md5", "sh
}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'chrisdoman',
- 'description': 'Get information from ThreatCrowd',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'chrisdoman',
+ 'description': 'Module to get information from ThreatCrowd.',
+ 'module-type': ['expansion'],
+ 'name': 'ThreatCrowd Lookup',
+ 'logo': 'threatcrowd.png',
+ 'requirements': [],
+ 'features': 'This module takes a MISP attribute as input and queries ThreatCrowd with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute.',
+ 'references': ['https://www.threatcrowd.org/'],
+ 'input': 'A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512\n- whois-registrant-email',
+ 'output': 'MISP attributes mapped from the result of the query on ThreatCrowd, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- hostname\n- whois-registrant-email',
+}
moduleconfig = []
diff --git a/misp_modules/modules/expansion/threatfox.py b/misp_modules/modules/expansion/threatfox.py
index 4a899184..ee82e4fd 100644
--- a/misp_modules/modules/expansion/threatfox.py
+++ b/misp_modules/modules/expansion/threatfox.py
@@ -4,7 +4,19 @@ import json
misperrors = {'error': 'Error'}
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Corsin Camichel', 'description': 'Module to search for an IOC on ThreatFox by abuse.ch.', 'module-type': ['hover', 'expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Corsin Camichel',
+ 'description': 'Module to search for an IOC on ThreatFox by abuse.ch.',
+ 'module-type': ['hover', 'expansion'],
+ 'name': 'ThreadFox Lookup',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
moduleconfig = []
API_URL = "https://threatfox-api.abuse.ch/api/v1/"
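Review bot: `name` is misspelled as `'ThreadFox Lookup'` and should be `'ThreatFox Lookup'`, and `features`, `input`, `output` and `references` are left empty, so the generated page for this module will be blank. The `mispattributes` line above already fixes what can be said: `'input': 'A md5, sha1, sha256, domain, url, email-src, ip-dst|port or ip-src|port attribute.'`, `'output': 'Text describing the ThreatFox IOC data returned for the input attribute.'`, and `'references': ['https://threatfox.abuse.ch/']` (the API base URL on the next line points at the same service).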
diff --git a/misp_modules/modules/expansion/threatminer.py b/misp_modules/modules/expansion/threatminer.py
index 1dd2bd87..090f1fa1 100755
--- a/misp_modules/modules/expansion/threatminer.py
+++ b/misp_modules/modules/expansion/threatminer.py
@@ -9,9 +9,19 @@ mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'md5', 'sh
}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'KX499',
- 'description': 'Get information from ThreatMiner',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'KX499',
+ 'description': 'Module to get information from ThreatMiner.',
+ 'module-type': ['expansion'],
+ 'name': 'ThreatMiner Lookup',
+ 'logo': 'threatminer.png',
+ 'requirements': [],
+ 'features': 'This module takes a MISP attribute as input and queries ThreatMiner with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute.',
+ 'references': ['https://www.threatminer.org/'],
+ 'input': 'A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512',
+ 'output': 'MISP attributes mapped from the result of the query on ThreatMiner, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- ssdeep\n- authentihash\n- filename\n- whois-registrant-email\n- url\n- link',
+}
class ThreatMiner():
diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py
index b7ee2a40..6cbdcb3e 100644
--- a/misp_modules/modules/expansion/trustar_enrich.py
+++ b/misp_modules/modules/expansion/trustar_enrich.py
@@ -12,9 +12,19 @@ mispattributes = {
'input': ["btc", "domain", "email-src", "filename", "hostname", "ip-src", "ip-dst", "malware-type", "md5", "sha1",
"sha256", "url"], 'format': 'misp_standard'}
-moduleinfo = {'version': "0.1", 'author': "Jesse Hedden",
- 'description': "Enrich data with TruSTAR",
- 'module-type': ["hover", "expansion"]}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Jesse Hedden',
+ 'description': 'Module to get enrich indicators with TruSTAR.',
+ 'module-type': ['hover', 'expansion'],
+ 'name': 'TruSTAR Enrich',
+ 'logo': 'trustar.png',
+ 'requirements': [],
+ 'features': 'This module enriches MISP attributes with scoring and metadata from TruSTAR.\n\nThe TruSTAR indicator summary is appended to the attributes along with links to any associated reports.',
+ 'references': ['https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html'],
+ 'input': 'Any of the following MISP attributes:\n- btc\n- domain\n- email-src\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- url',
+ 'output': 'MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.',
+}
moduleconfig = ["user_api_key", "user_api_secret", "enclave_ids"]
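Review bot: `requirements` is left as `[]`, yet `moduleconfig` right below lists `user_api_key` and `user_api_secret`, so the module cannot run without TruSTAR API credentials; `'requirements': ['A TruSTAR API key and secret (user_api_key, user_api_secret).']` reflects that. The `input` list also omits `malware-type`, which `mispattributes['input']` above includes, so the two should be reconciled. Minor grammar: `'description': 'Module to enrich indicators with TruSTAR.'`.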
diff --git a/misp_modules/modules/expansion/urlhaus.py b/misp_modules/modules/expansion/urlhaus.py
index ed13b77a..8c7efa2e 100644
--- a/misp_modules/modules/expansion/urlhaus.py
+++ b/misp_modules/modules/expansion/urlhaus.py
@@ -8,9 +8,19 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ['domain', 'hostname', 'ip-src', 'ip-dst', 'md5', 'sha256', 'url'],
'output': ['url', 'filename', 'md5', 'sha256'],
'format': 'misp_standard'}
-moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
- 'description': 'Query of the URLhaus API to get additional information about some attributes.',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Christian Studer',
+ 'description': 'Query of the URLhaus API to get additional information about the input attribute.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'URLhaus Lookup',
+ 'logo': 'urlhaus.png',
+ 'requirements': [],
+ 'features': 'Module using the new format of modules able to return attributes and objects.\n\nThe module takes one of the attribute type specified as input, and query the URLhaus API with it. If any result is returned by the API, attributes and objects are created accordingly.',
+ 'references': ['https://urlhaus.abuse.ch/'],
+ 'input': 'A domain, hostname, url, ip, md5 or sha256 attribute.',
+ 'output': 'MISP attributes & objects fetched from the result of the URLhaus API query.',
+}
moduleconfig = []
file_keys = ('filename', 'response_size', 'response_md5', 'response_sha256')
diff --git a/misp_modules/modules/expansion/urlscan.py b/misp_modules/modules/expansion/urlscan.py
index e6af7f61..c36dea6c 100644
--- a/misp_modules/modules/expansion/urlscan.py
+++ b/misp_modules/modules/expansion/urlscan.py
@@ -15,8 +15,15 @@ log.addHandler(ch)
moduleinfo = {
'version': '0.1',
'author': 'Dave Johnson',
- 'description': 'Module to query urlscan.io',
- 'module-type': ['expansion']
+ 'description': 'An expansion module to query urlscan.io.',
+ 'module-type': ['expansion'],
+ 'name': 'URLScan Lookup',
+ 'logo': 'urlscan.jpg',
+ 'requirements': ['An access to the urlscan.io API'],
+ 'features': 'This module takes a MISP attribute as input and queries urlscan.io with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute.',
+ 'references': ['https://urlscan.io/'],
+ 'input': 'A domain, hostname or url attribute.',
+ 'output': 'MISP attributes mapped from the result of the query on urlscan.io.',
}
moduleconfig = ['apikey']
diff --git a/misp_modules/modules/expansion/variotdbs.py b/misp_modules/modules/expansion/variotdbs.py
index 387dc24f..8526949b 100644
--- a/misp_modules/modules/expansion/variotdbs.py
+++ b/misp_modules/modules/expansion/variotdbs.py
@@ -7,9 +7,19 @@ from pymisp import MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
-moduleinfo = {'version': '1', 'author': 'Christian Studer',
- 'description': 'An expansion module to query variotdbs.pl',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Christian Studer',
+ 'description': 'An expansion module to query the VARIoT db API for more information about a vulnerability.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'VARIoT db Lookup',
+ 'logo': 'variot.png',
+ 'requirements': ['A VARIoT db API key (if you do not want to be limited to 100 queries / day)'],
+ 'features': 'The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.\n\nThe `vuln` endpoint is queried first to look for additional information about the vulnerability itself.\n\nThe `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template.',
+ 'references': ['https://www.variotdbs.pl/'],
+ 'input': 'Vulnerability attribute.',
+ 'output': 'Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.',
+}
moduleconfig = ['API_key']
variotdbs_url = 'https://www.variotdbs.pl/api'
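Review bot: Typo in `features`, "queries que VARIoT db API" should be "queries the VARIoT db API". The `output` sentence repeats "about the vulnerability" twice; `'output': 'Additional information stored in the VARIoT db about the vulnerability itself and its potential related exploits.'` says the same thing once.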
diff --git a/misp_modules/modules/expansion/virustotal.py b/misp_modules/modules/expansion/virustotal.py
index 4168a947..de22fd0e 100644
--- a/misp_modules/modules/expansion/virustotal.py
+++ b/misp_modules/modules/expansion/virustotal.py
@@ -8,9 +8,19 @@ mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sh
'format': 'misp_standard'}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '6', 'author': 'Hannah Ward',
- 'description': 'Enrich observables with the VirusTotal v3 API',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '6',
+ 'author': 'Hannah Ward',
+ 'description': 'Enrich observables with the VirusTotal v3 API',
+ 'module-type': ['expansion'],
+ 'name': 'VirusTotal v3 Lookup',
+ 'logo': 'virustotal.png',
+ 'requirements': ['An access to the VirusTotal API (apikey), with a high request rate limit.'],
+ 'features': 'New format of modules able to return attributes and objects.\n\nA module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.\n\nCompared to the [standard VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/virustotal_public.py), this module is made for advanced parsing of VirusTotal report, with a recursive analysis of the elements found after the first request.\n\nThus, it requires a higher request rate limit to avoid the API to return a 204 error (Request rate limit exceeded), and the data parsed from the different requests are returned as MISP attributes and objects, with the corresponding relations between each one of them.',
+ 'references': ['https://www.virustotal.com/', 'https://docs.virustotal.com/reference/overview'],
+ 'input': 'A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.',
+ 'output': 'MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.',
+}
# config fields that your code expects from the site admin
moduleconfig = ["apikey", "event_limit", 'proxy_host', 'proxy_port', 'proxy_username', 'proxy_password']
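Review bot: The `features` text tells users a rate-limited request produces "a 204 error (Request rate limit exceeded)"; that was the behaviour of the VirusTotal v2 API, whereas the v3 API this module is described as using signals quota exhaustion with HTTP 429, so the sentence is likely stale and should be checked against the request-handling code, which is outside this hunk, before being carried into the docs. The same sentence also reads "to avoid the API to return", better as "to avoid the API returning".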
diff --git a/misp_modules/modules/expansion/virustotal_public.py b/misp_modules/modules/expansion/virustotal_public.py
index 7695e268..d8de2863 100644
--- a/misp_modules/modules/expansion/virustotal_public.py
+++ b/misp_modules/modules/expansion/virustotal_public.py
@@ -8,9 +8,19 @@ from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "url"],
'format': 'misp_standard'}
-moduleinfo = {'version': '2', 'author': 'Christian Studer',
- 'description': 'Enrich observables with the VirusTotal v3 public API',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '2',
+ 'author': 'Christian Studer',
+ 'description': 'Enrich observables with the VirusTotal v3 public API',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'VirusTotal Public API Lookup',
+ 'logo': 'virustotal.png',
+ 'requirements': ['An access to the VirusTotal API (apikey)'],
+ 'features': 'New format of modules able to return attributes and objects.\n\nA module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.\n\nCompared to the [more advanced VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/main/misp_modules/modules/expansion/virustotal.py), this module is made for VirusTotal users who have a low request rate limit.\n\nThus, it only queries the API once and returns the results that is parsed into MISP attributes and objects.',
+ 'references': ['https://www.virustotal.com', 'https://docs.virustotal.com/reference/overview'],
+ 'input': 'A domain, hostname, ip, url or hash (md5, sha1, sha256 or sha512) attribute.',
+ 'output': 'MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.',
+}
moduleconfig = ['apikey', 'proxy_host', 'proxy_port', 'proxy_username', 'proxy_password']
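Review bot: `input` advertises sha512 hashes, but `mispattributes['input']` above only declares md5, sha1 and sha256 among hash types, so MISP will never offer this module on a sha512 attribute and the documentation over-promises. Suggest `'input': 'A domain, hostname, ip, url or hash (md5, sha1 or sha256) attribute.'`, or add sha512 to `mispattributes` if the parsing code supports it.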
diff --git a/misp_modules/modules/expansion/vmray_submit.py b/misp_modules/modules/expansion/vmray_submit.py
index fa0a073f..78d7de53 100644
--- a/misp_modules/modules/expansion/vmray_submit.py
+++ b/misp_modules/modules/expansion/vmray_submit.py
@@ -23,9 +23,19 @@ from _vmray.rest_api import VMRayRESTAPI
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment', 'malware-sample'], 'output': ['text', 'sha1', 'sha256', 'md5', 'link']}
-moduleinfo = {'version': '0.3', 'author': 'Koen Van Impe',
- 'description': 'Submit a sample to VMRay',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.3',
+ 'author': 'Koen Van Impe',
+ 'description': 'Module to submit a sample to VMRay.',
+ 'module-type': ['expansion'],
+ 'name': 'VMRay Submit',
+ 'logo': 'vmray.png',
+ 'requirements': ['An access to the VMRay API (apikey & url)'],
+ 'features': 'This module takes an attachment or malware-sample attribute as input to query the VMRay API.\n\nThe sample contained within the attribute in then enriched with data from VMRay mapped into MISP attributes.',
+ 'references': ['https://www.vmray.com/'],
+ 'input': 'An attachment or malware-sample attribute.',
+ 'output': 'MISP attributes mapped from the result of the query on VMRay API, included in the following list:\n- text\n- sha1\n- sha256\n- md5\n- link',
+}
moduleconfig = ['apikey', 'url', 'shareable', 'do_not_reanalyze', 'do_not_include_vmrayjobids']
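Review bot: The 'features' text has a typo ("in then enriched" should be "is then enriched") and says nothing about the `shareable`, `do_not_reanalyze` and `do_not_include_vmrayjobids` keys that moduleconfig declares right below. Because this module uploads the actual sample to an external service, one sentence naming those options — presumably `shareable` governs whether VMRay may share the submission, which should be confirmed against the handler — lets an operator judge the disclosure risk before enabling it. A minimal wording: `The sample contained within the attribute is then enriched with data from VMRay mapped into MISP attributes; the shareable, do_not_reanalyze and do_not_include_vmrayjobids options control how the submission is handled.`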
diff --git a/misp_modules/modules/expansion/vmware_nsx.py b/misp_modules/modules/expansion/vmware_nsx.py
index 44962683..45adcbbe 100644
--- a/misp_modules/modules/expansion/vmware_nsx.py
+++ b/misp_modules/modules/expansion/vmware_nsx.py
@@ -43,10 +43,17 @@ mispattributes = {
}
moduleinfo = {
- "version": "0.2",
- "author": "Jason Zhang, Stefano Ortolani",
- "description": "Enrich a file or URL with VMware NSX Defender",
- "module-type": ["expansion", "hover"],
+ 'version': '0.2',
+ 'author': 'Jason Zhang, Stefano Ortolani',
+ 'description': 'Module to enrich a file or URL with VMware NSX Defender.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'VMware NSX Defender Enrich',
+ 'logo': 'vmware_nsx.png',
+ 'requirements': ['The module requires a VMware NSX Defender Analysis `api_token` and `key`.'],
+ 'features': 'This module takes an IoC such as file hash, file attachment, malware-sample or url as input to query VMware NSX Defender.\n\nThe IoC is then enriched with data from VMware NSX Defender.',
+ 'references': ['https://www.vmware.com'],
+ 'input': 'File hash, attachment or URL to be enriched with VMware NSX Defender.',
+ 'output': 'Objects and tags generated by VMware NSX Defender.',
}
moduleconfig = [
diff --git a/misp_modules/modules/expansion/vulndb.py b/misp_modules/modules/expansion/vulndb.py
index db6c4619..f467cafc 100644
--- a/misp_modules/modules/expansion/vulndb.py
+++ b/misp_modules/modules/expansion/vulndb.py
@@ -26,9 +26,19 @@ misperrors = {'error': 'Error'}
mispattributes = {
'input': ['vulnerability'],
'output': ['text', 'link', 'cpe']}
-moduleinfo = {'version': '0.1', 'author': 'Koen Van Impe',
- 'description': 'Query VulnDB - RiskBasedSecurity.com',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Koen Van Impe',
+ 'description': 'Module to query VulnDB (RiskBasedSecurity.com).',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'VulnDB Lookup',
+ 'logo': 'vulndb.png',
+ 'requirements': ['An access to the VulnDB API (apikey, apisecret)'],
+ 'features': 'This module takes a vulnerability attribute as input and queries VulnDB in order to get some additional data about it.\n\nThe API gives the result of the query which can be displayed in the screen, and/or mapped into MISP attributes to add in the event.',
+ 'references': ['https://vulndb.cyberriskanalytics.com/'],
+ 'input': 'A vulnerability attribute.',
+ 'output': 'Additional data enriching the CVE input, fetched from VulnDB.',
+}
moduleconfig = ['apikey', 'apisecret', 'discard_dates', 'discard_external_references', 'discard_cvss', 'discard_productinformation', 'discard_classification', 'discard_cpe']
diff --git a/misp_modules/modules/expansion/vulnerability_lookup.py b/misp_modules/modules/expansion/vulnerability_lookup.py
index 871e494d..811b43f5 100644
--- a/misp_modules/modules/expansion/vulnerability_lookup.py
+++ b/misp_modules/modules/expansion/vulnerability_lookup.py
@@ -9,9 +9,17 @@ from typing import Iterator
misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
moduleinfo = {
- 'version': '1', 'author': 'Christian Studer',
+ 'version': '1',
+ 'author': 'Christian Studer',
'description': 'An expansion module to query Vulnerability Lookup',
- 'module-type': ['expansion', 'hover']
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Vulnerability Lookup',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
}
api_url = 'https://vulnerability.circl.lu'
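Review bot: 'logo', 'requirements', 'features', 'references', 'input' and 'output' are all added as empty values, so the generated documentation for this module will show blank sections while every sibling module in this commit fills them in. From what is visible here at least `'references': ['https://vulnerability.circl.lu']` (the api_url just below) and `'input': 'A vulnerability attribute.'` (mispattributes) can be filled in now, and 'features' can say that the module queries Vulnerability Lookup for the identifier and builds vulnerability and weakness objects, which is what the parser further down does. Whether a logo file exists in the docs tree cannot be checked from this hunk.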
@@ -81,7 +89,7 @@ class VulnerabilityLookupMapping(VulnerabilityMapping):
@classmethod
def cve_mapping(cls) -> dict:
return cls.__cve_mapping
-
+
@classmethod
def gsd_mapping(cls) -> dict:
return cls.__gsd_mapping
@@ -155,9 +163,9 @@ class VulnerabilityLookupParser(VulnerabilityParser):
for reference in description.get('references', []):
misp_object.add_attribute('references', reference['url'])
misp_object.add_attribute('credit', description['publisher']['name'])
- misp_object.add_reference(self.misp_attribute.uuid, 'describes')
+ misp_object.add_reference(self.misp_attribute.uuid, 'describes')
vulnerability_object = self.misp_event.add_object(misp_object)
-
+
for vulnerability in lookup_result['vulnerabilities']:
related = MISPObject('vulnerability')
for field, relation in self.mapping.related_vuln_mapping().items():
@@ -178,7 +186,7 @@ class VulnerabilityLookupParser(VulnerabilityParser):
weakness.add_attribute(field, value)
weakness.add_reference(related_vulnerability.uuid, 'leads-to')
self.misp_event.add_object(weakness)
-
+
return vulnerability_object.uuid
def _parse_cve_description(self, lookup_result: dict) -> str:
diff --git a/misp_modules/modules/expansion/vulners.py b/misp_modules/modules/expansion/vulners.py
index 1b8cdcc3..5c10575d 100644
--- a/misp_modules/modules/expansion/vulners.py
+++ b/misp_modules/modules/expansion/vulners.py
@@ -3,7 +3,19 @@ import vulners
misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Igor Ivanov', 'description': 'An expansion hover module to expand information about CVE id using Vulners API.', 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Igor Ivanov',
+ 'description': 'An expansion hover module to expand information about CVE id using Vulners API.',
+ 'module-type': ['hover'],
+ 'name': 'Vulners Lookup',
+ 'logo': 'vulners.png',
+ 'requirements': ['Vulners python library', 'An access to the Vulners API'],
+ 'features': 'This module takes a vulnerability attribute as input and queries the Vulners API in order to get some additional data about it.\n\nThe API then returns details about the vulnerability.',
+ 'references': ['https://vulners.com/'],
+ 'input': 'A vulnerability attribute.',
+ 'output': 'Text giving additional information about the CVE in input.',
+}
# Get API key from https://vulners.com/userinfo
moduleconfig = ["apikey"]
diff --git a/misp_modules/modules/expansion/vysion.py b/misp_modules/modules/expansion/vysion.py
index 128a9706..8a386008 100644
--- a/misp_modules/modules/expansion/vysion.py
+++ b/misp_modules/modules/expansion/vysion.py
@@ -29,10 +29,17 @@ mispattributes = {
# possible module-types: 'expansion', 'hover' or both
moduleinfo = {
- "version": "1",
- "author": "Byron Labs",
- "description": "Enrich observables with the Vysion API",
- "module-type": ["expansion"],
+ 'version': '1',
+ 'author': 'Byron Labs',
+ 'description': 'Module to enrich the information by making use of the Vysion API.',
+ 'module-type': ['expansion'],
+ 'name': 'Vysion Enrich',
+ 'logo': 'vysion.png',
+ 'requirements': ['Vysion python library', 'Vysion API Key'],
+ 'features': "This module gets correlated information from Byron Labs' dark web intelligence database. With this you will get several objects containing information related to, for example, an organization victim of a ransomware attack.",
+ 'references': ['https://vysion.ai/', 'https://developers.vysion.ai/', 'https://github.com/ByronLabs/vysion-cti/tree/main'],
+ 'input': 'company(target-org), country, info, BTC, XMR and DASH address.',
+ 'output': 'MISP objects containing title, link to our webapp and TOR, i2p or clearnet URLs.',
}
# config fields that your code expects from the site admin
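Review bot: The new 'input' text ("company(target-org), country, info, BTC, XMR and DASH address") does not cover what the handler below dispatches on, which has branches for email, domain, url and text attributes. The mispattributes block itself is outside this hunk so the full list cannot be confirmed here, but the doc should be derived from it, e.g. `'input': 'A MISP attribute of one of the types declared in mispattributes (email, domain, url, text, ...).'`. 'output' is also written in vendor first person ("link to our webapp"); `'link to the Vysion web app'` matches the neutral voice of the other modules.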
@@ -154,7 +161,7 @@ def handler(q=False):
if attribute_type == "email":
result = client.find_email(attribute_value)
elif attribute_type == "domain":
- result = client.find_url(attribute_value)
+ result = client.find_url(attribute_value)
elif attribute_type == "url":
result = client.find_url(attribute_value)
elif attribute_type == "text":
@@ -188,7 +195,7 @@ def handler(q=False):
"Attribute": [
json.loads(attribute.to_json())
for attribute in misp_event.attributes
- ],
+ ],
"Tag": [
json.loads(tag.to_json())
for tag in misp_event.tags
diff --git a/misp_modules/modules/expansion/whois.py b/misp_modules/modules/expansion/whois.py
index 22c4850b..59b7e47a 100755
--- a/misp_modules/modules/expansion/whois.py
+++ b/misp_modules/modules/expansion/whois.py
@@ -8,9 +8,19 @@ except ImportError:
misperrors = {'error': 'Error'}
mispattributes = {'input': ['domain', 'ip-src', 'ip-dst'], 'output': ['freetext']}
-moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
- 'description': 'Query a local instance of uwhois (https://github.com/rafiot/uwhoisd)',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Raphaël Vinot',
+ 'description': 'Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).',
+ 'module-type': ['expansion'],
+ 'name': 'Whois Lookup',
+ 'logo': '',
+ 'requirements': ['uwhois: A whois python library'],
+ 'features': "This module takes a domain or IP address attribute as input and queries a 'Univseral Whois proxy server' to get the correct details of the Whois query on the input value (check the references for more details about this whois server).",
+ 'references': ['https://github.com/rafiot/uwhoisd'],
+ 'input': 'A domain or IP address attribute.',
+ 'output': 'Text describing the result of a whois request for the input value.',
+}
moduleconfig = ['server', 'port']
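Review bot: 'features' misspells the proxy name ("Univseral Whois proxy server"); `'Universal Whois proxy server'` is the name used by the referenced uwhoisd project. Since `server` and `port` in moduleconfig point the module at that proxy and every queried domain and IP is sent to it, a short sentence that the target should be a trusted local uwhoisd instance would be a useful operator caveat — the transport itself is not visible in this hunk, so phrase it as advice rather than a guarantee.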
diff --git a/misp_modules/modules/expansion/whoisfreaks.py b/misp_modules/modules/expansion/whoisfreaks.py
index 5ea52570..d64e2194 100644
--- a/misp_modules/modules/expansion/whoisfreaks.py
+++ b/misp_modules/modules/expansion/whoisfreaks.py
@@ -10,9 +10,19 @@ mispattributes = {
'whois-registrant-name',
'whois-registrar', 'whois-creation-date', 'domain']
}
-moduleinfo = {'version': '1', 'author': 'WhoisFreaks',
- 'description': 'Query on whoisfreaks.com',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'WhoisFreaks',
+ 'description': 'An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'WhoisFreaks Lookup',
+ 'logo': 'whoisfreaks.png',
+ 'requirements': ['An access to the Whoisfreaks API_KEY'],
+ 'features': 'The module takes a domain as input and queries the Whoisfreaks API with it.\n\nSome parsing operations are then processed on the result of the query to extract as much information as possible.\n\nAfter this we map the extracted data to MISP attributes.',
+ 'references': ['https://whoisfreaks.com/'],
+ 'input': 'A domain whose Data is required',
+ 'output': 'MISP attributes resulting from the query on Whoisfreaks API, included in the following list:\n- domain\n- dns-soa-email\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- domain',
+}
# config fields that your code expects from the site admin
moduleconfig = ['apikey']
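Review bot: The 'output' list ends with `- domain` twice, and it omits the `domain|ip` type that expand_dns further down the file emits (`'types': ['domain|ip']`), provided mispattributes['output'] declares it — that list is cut off above. Drop the duplicate and append `\n- domain|ip` so the documented list matches what the module returns. `'A domain whose Data is required'` and `'An access to the Whoisfreaks API_KEY'` are also oddly cased; `'A domain attribute.'` and `'An access to the WhoisFreaks API (apikey)'` follow the sibling modules.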
@@ -50,7 +60,7 @@ def handle_domain(apiKey, domain, errors):
if status_ok:
if r:
result_filtered['results'].extend(r)
-
+
return result_filtered
@@ -156,7 +166,7 @@ def expand_dns(apiKey, domain):
servers_mx.append(record['target'])
elif record['dnsType'] == 'SOA':
soa_hostnames.append(record['host'])
-
+
if list_ipv4:
r.append({'types': ['domain|ip'],
'values': ['%s|%s' % (domain, ipv4) for ipv4 in
diff --git a/misp_modules/modules/expansion/wiki.py b/misp_modules/modules/expansion/wiki.py
index 110e8f8e..ebbf8228 100755
--- a/misp_modules/modules/expansion/wiki.py
+++ b/misp_modules/modules/expansion/wiki.py
@@ -3,7 +3,19 @@ from SPARQLWrapper import SPARQLWrapper, JSON
misperrors = {'error': 'Error'}
mispattributes = {'input': ['text'], 'output': ['text']}
-moduleinfo = {'version': '0.2', 'author': 'Roman Graf', 'description': 'An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.', 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Roman Graf',
+ 'description': 'An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.',
+ 'module-type': ['hover'],
+ 'name': 'Wikidata Lookup',
+ 'logo': 'wikidata.png',
+ 'requirements': ['SPARQLWrapper python library'],
+ 'features': 'This module takes a text attribute as input and queries the Wikidata API. If the text attribute is clear enough to define a specific term, the API returns a wikidata link in response.',
+ 'references': ['https://www.wikidata.org'],
+ 'input': 'Text attribute.',
+ 'output': 'Text attribute.',
+}
moduleconfig = []
# sample query text 'Microsoft' should provide Wikidata link https://www.wikidata.org/wiki/Q2283 in response
wiki_api_url = 'https://query.wikidata.org/bigdata/namespace/wdq/sparql'
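Review bot: 'features' says the module "queries the Wikidata API", but the endpoint on the next line is the SPARQL service `query.wikidata.org/bigdata/namespace/wdq/sparql` driven through SPARQLWrapper; `queries the Wikidata SPARQL endpoint` is the precise wording. 'output' as bare "Text attribute." could also say the text is a Wikidata entity link, which is what the sample comment below describes as the expected response.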
diff --git a/misp_modules/modules/expansion/xforceexchange.py b/misp_modules/modules/expansion/xforceexchange.py
index 936917fb..865e72f7 100644
--- a/misp_modules/modules/expansion/xforceexchange.py
+++ b/misp_modules/modules/expansion/xforceexchange.py
@@ -14,9 +14,19 @@ mispattributes = {'input': ['ip-src', 'ip-dst', 'vulnerability', 'md5', 'sha1',
'format': 'misp_standard'}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '2', 'author': 'Joerg Stephan (@johest)',
- 'description': 'IBM X-Force Exchange expansion module',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '2',
+ 'author': 'Joerg Stephan (@johest)',
+ 'description': 'An expansion module for IBM X-Force Exchange.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'IBM X-Force Exchange Lookup',
+ 'logo': 'xforce.png',
+ 'requirements': ['An access to the X-Force API (apikey)'],
+ 'features': 'This module takes a MISP attribute as input to query the X-Force API. The API returns then additional information known in their threats data, that is mapped into MISP attributes.',
+ 'references': ['https://exchange.xforce.ibmcloud.com/'],
+ 'input': 'A MISP attribute included in the following list:\n- ip-src\n- ip-dst\n- vulnerability\n- md5\n- sha1\n- sha256',
+ 'output': 'MISP attributes mapped from the result of the query on X-Force Exchange.',
+}
# config fields that your code expects from the site admin
moduleconfig = ["apikey", "apipassword"]
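Review bot: 'requirements' names only an apikey, but moduleconfig just below declares both `apikey` and `apipassword`, presumably as the credential pair the X-Force API expects. Suggest `'requirements': ['An access to the X-Force API (apikey and apipassword)']` so the generated doc lists everything an operator has to configure.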
diff --git a/misp_modules/modules/expansion/xlsx_enrich.py b/misp_modules/modules/expansion/xlsx_enrich.py
index 6e0ee739..3d71beeb 100644
--- a/misp_modules/modules/expansion/xlsx_enrich.py
+++ b/misp_modules/modules/expansion/xlsx_enrich.py
@@ -7,9 +7,19 @@ import io
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment'],
'output': ['freetext', 'text']}
-moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
- 'description': '.xlsx to freetext-import IOC extractor',
- 'module-type': ['expansion']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sascha Rommelfangen',
+ 'description': 'Module to extract freetext from a .xlsx document.',
+ 'module-type': ['expansion'],
+ 'name': 'XLXS Enrich',
+ 'logo': 'xlsx.png',
+ 'requirements': ['pandas: Python library to perform data analysis, time series and statistics.'],
+ 'features': 'The module reads the text contained in a .xlsx document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
+ 'references': [],
+ 'input': 'Attachment attribute containing a .xlsx document.',
+ 'output': 'Text and freetext parsed from the document.',
+}
moduleconfig = []
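Review bot: `'name': 'XLXS Enrich'` transposes the extension; the description and 'input' both say .xlsx, so it should read `'name': 'XLSX Enrich'`, and the name is likely what listings and the UI display. Since 'requirements' states that pandas parses the attachment, a clause in 'features' that the spreadsheet is untrusted content processed server-side would be a worthwhile caveat, although the parsing code is outside this hunk.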
diff --git a/misp_modules/modules/expansion/yara_query.py b/misp_modules/modules/expansion/yara_query.py
index e905de50..1851d68b 100644
--- a/misp_modules/modules/expansion/yara_query.py
+++ b/misp_modules/modules/expansion/yara_query.py
@@ -6,10 +6,20 @@ except (OSError, ImportError):
print("yara is missing, use 'pip3 install -I -r REQUIREMENTS' from the root of this repository to install it.")
misperrors = {'error': 'Error'}
-moduleinfo = {'version': '1', 'author': 'Christian STUDER',
- 'description': 'Yara export for hashes.',
- 'module-type': ['expansion', 'hover'],
- 'require_standard_format': True}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Christian STUDER',
+ 'description': 'jj',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'YARA Rule Generator',
+ 'require_standard_format': True,
+ 'logo': 'yara.png',
+ 'requirements': ['yara-python python library'],
+ 'features': "The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module.\nBoth hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules.",
+ 'references': ['https://virustotal.github.io/yara/', 'https://github.com/virustotal/yara-python'],
+ 'input': 'MISP Hash attribute (md5, sha1, sha256, imphash, or any of the composite attribute with filename and one of the previous hash type).',
+ 'output': 'YARA rule.',
+}
moduleconfig = []
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']}
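Review bot: `'description': 'jj'` replaces the previous "Yara export for hashes." with a placeholder, and description is what the module index and the MISP UI show for this module. Restore a real sentence consistent with the new name, e.g. `'description': 'Module to generate a YARA rule from a hash attribute.'`. The rest of the metadata looks accurate: the documented input types match mispattributes on the next line.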
diff --git a/misp_modules/modules/expansion/yara_syntax_validator.py b/misp_modules/modules/expansion/yara_syntax_validator.py
index cad533fc..ce2b1366 100644
--- a/misp_modules/modules/expansion/yara_syntax_validator.py
+++ b/misp_modules/modules/expansion/yara_syntax_validator.py
@@ -6,7 +6,19 @@ except (OSError, ImportError):
misperrors = {'error': 'Error'}
mispattributes = {'input': ['yara'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Dennis Rand', 'description': 'An expansion hover module to perform a syntax check on if yara rules are valid or not.', 'module-type': ['hover']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Dennis Rand',
+ 'description': 'An expansion hover module to perform a syntax check on if yara rules are valid or not.',
+ 'module-type': ['hover'],
+ 'name': 'YARA Syntax Validator',
+ 'logo': 'yara.png',
+ 'requirements': ['yara_python python library'],
+ 'features': 'This modules simply takes a YARA rule as input, and checks its syntax. It returns then a confirmation if the syntax is valid, otherwise the syntax error is displayed.',
+ 'references': ['http://virustotal.github.io/yara/'],
+ 'input': 'YARA rule attribute.',
+ 'output': 'Text to inform users if their rule is valid.',
+}
moduleconfig = []
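Review bot: 'references' uses a plain-http URL (`http://virustotal.github.io/yara/`) while the yara_query module in the same commit points at `https://virustotal.github.io/yara/`; use the https form. 'requirements' also spells the package `yara_python` where yara_query writes `yara-python` (the PyPI name); align them so the generated requirements sections stay consistent.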
diff --git a/misp_modules/modules/expansion/yeti.py b/misp_modules/modules/expansion/yeti.py
index 3eeea958..5bee5c96 100644
--- a/misp_modules/modules/expansion/yeti.py
+++ b/misp_modules/modules/expansion/yeti.py
@@ -14,9 +14,19 @@ mispattributes = {'input': ['AS', 'ip-src', 'ip-dst', 'hostname', 'domain', 'sha
'format': 'misp_standard'
}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
- 'description': 'Query on yeti',
- 'module-type': ['expansion', 'hover']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Sebastien Larinier @sebdraven',
+ 'description': 'Module to process a query on Yeti.',
+ 'module-type': ['expansion', 'hover'],
+ 'name': 'Yeti Lookup',
+ 'logo': 'yeti.png',
+ 'requirements': ['pyeti', 'API key '],
+ 'features': 'This module add context and links between observables using yeti',
+ 'references': ['https://github.com/yeti-platform/yeti', 'https://github.com/sebdraven/pyeti'],
+ 'input': 'A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute.',
+ 'output': 'MISP attributes and objects fetched from the Yeti instances.',
+}
moduleconfig = ['apikey', 'url']
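Review bot: `'API key '` carries a trailing space and `'A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute.'` has uneven spacing and grammar; both strings end up verbatim in the generated docs. Suggest `'requirements': ['pyeti', 'API key']` and `'input': 'A domain, hostname, IP, sha256, sha1, md5 or url MISP attribute.'`. 'features' could also say that `url` in moduleconfig is the Yeti instance being queried, since the doc never explains that key.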
diff --git a/misp_modules/modules/export_mod/cef_export.py b/misp_modules/modules/export_mod/cef_export.py
index 0aa82f03..2e57e773 100755
--- a/misp_modules/modules/export_mod/cef_export.py
+++ b/misp_modules/modules/export_mod/cef_export.py
@@ -5,9 +5,19 @@ import datetime
misperrors = {'error': 'Error'}
# possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'Hannah Ward',
- 'description': 'Export a module in CEF format',
- 'module-type': ['export']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Hannah Ward',
+ 'description': 'Module to export a MISP event in CEF format.',
+ 'module-type': ['export'],
+ 'name': 'CEF Export',
+ 'logo': '',
+ 'requirements': [],
+ 'features': 'The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format.\nThus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data.',
+ 'references': ['https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306?attachment-id=65537'],
+ 'input': 'MISP Event attributes',
+ 'output': 'Common Event Format file',
+}
# config fields that your code expects from the site admin
moduleconfig = ["Default_Severity", "Device_Vendor", "Device_Product", "Device_Version"]
diff --git a/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py b/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py
index ab79692d..fcc7e4da 100644
--- a/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py
+++ b/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py
@@ -15,9 +15,19 @@ from urllib.parse import quote
misperrors = {'error': 'Error'}
-moduleinfo = {'version': '1', 'author': 'Stanislav Klevtsov',
- 'description': 'Export malicious network activity attributes of the MISP event to Cisco firesight manager block rules',
- 'module-type': ['export']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Stanislav Klevtsov',
+ 'description': 'Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.',
+ 'module-type': ['export'],
+ 'name': 'Cisco fireSIGHT blockrule Export',
+ 'logo': 'cisco.png',
+ 'requirements': ['Firesight manager console credentials'],
+ 'features': 'The module goes through the attributes to find all the network activity ones in order to create block rules for the Cisco fireSIGHT manager.',
+ 'references': [],
+ 'input': 'Network activity attributes (IPs, URLs).',
+ 'output': 'Cisco fireSIGHT manager block rules.',
+}
moduleconfig = ['fmc_ip_addr', 'fmc_login', 'fmc_pass', 'domain_id', 'acpolicy_id']
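Review bot: 'requirements' says "Firesight manager console credentials", but the moduleconfig just below shows the operator must supply `fmc_ip_addr`, `fmc_login`, `fmc_pass`, `domain_id` and `acpolicy_id`; listing them makes the doc actionable. Because the export creates block rules on a firewall manager, 'features' should also say that running it is an enforcement action against the configured access control policy, and that the FMC password lives in the MISP module configuration, so an operator can scope the account accordingly.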
diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py
index 2a5d39a8..c283cb43 100755
--- a/misp_modules/modules/export_mod/defender_endpoint_export.py
+++ b/misp_modules/modules/export_mod/defender_endpoint_export.py
@@ -1,131 +1,141 @@
-"""
-Export module for coverting MISP events into Defender for Endpoint KQL queries.
-Config['Period'] : allows to define period over witch to look for IOC from now
-"""
-
-import base64
-import json
-
-misperrors = {"error": "Error"}
-
-types_to_use = ['sha256', 'sha1', 'md5', 'domain', 'ip-src', 'ip-dst', 'url']
-
-userConfig = {
-
-}
-
-moduleconfig = ["Period"]
-inputSource = ['event']
-
-outputFileExtension = 'kql'
-responseType = 'application/txt'
-
-moduleinfo = {'version': '1.1', 'author': 'Julien Bachmann, Hacknowledge, Maik Wuerth',
- 'description': 'Defender for Endpoint KQL hunting query export module',
- 'module-type': ['export']}
-
-
-def handle_sha256(value, period):
- query = f"""find in (DeviceEvents, DeviceAlertEvents,AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
- where (SHA256 == '{value}' or InitiatingProcessSHA1 == '{value}') and
- Timestamp between(ago({period}) .. now())"""
- return query.replace('\n', ' ')
-
-
-def handle_sha1(value, period):
- query = f"""find in (DeviceEvents, DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
- where (SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}') and
- Timestamp between(ago({period}) .. now())"""
- return query.replace('\n', ' ')
-
-
-def handle_md5(value, period):
- query = f"""find in (DeviceEvents, DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
- where (MD5 == '{value}' or InitiatingProcessMD5 == '{value}') and
- Timestamp between(ago({period}) .. now())"""
- return query.replace('\n', ' ')
-
-
-def handle_domain(value, period):
- query = f"""find in (DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceNetworkEvents)
- where RemoteUrl contains '{value}' and
- Timestamp between(ago({period}) .. now())"""
- return query.replace('\n', ' ')
-
-
-def handle_ip(value, period):
- query = f"""find in (DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceNetworkEvents)
- where RemoteIP == '{value}' and
- Timestamp between(ago({period}) .. now())"""
- return query.replace('\n', ' ')
-
-
-def handle_url(value, period):
- query = f"""let url = '{value}';
- search in (EmailUrlInfo,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceEvents,BehaviorEntities, AlertInfo, AlertEvidence, DeviceAlertEvents)
- Timestamp between(ago({period}) .. now()) and
- RemoteUrl has url
- or FileOriginUrl has url
- or FileOriginReferrerUrl has url
- or Url has url"""
- return query.replace('\n', ' ')
-
-
-handlers = {
- 'sha256': handle_sha256,
- 'sha1': handle_sha1,
- 'md5': handle_md5,
- 'domain': handle_url,
- 'ip-src': handle_ip,
- 'ip-dst': handle_ip,
- 'url': handle_url
-}
-
-
-def handler(q=False):
- if q is False:
- return False
- request = json.loads(q)
- config = request.get("config", {"Period": ""})
- output = ''
-
- for event in request["data"]:
- for attribute in event["Attribute"]:
- if attribute['type'] in types_to_use:
- output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
- for obj in event["Object"]:
- for attribute in obj["Attribute"]:
- if attribute['type'] in types_to_use:
- output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
- r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
- return r
-
-
-def introspection():
- modulesetup = {}
- try:
- responseType
- modulesetup['responseType'] = responseType
- except NameError:
- pass
- try:
- userConfig
- modulesetup['userConfig'] = userConfig
- except NameError:
- pass
- try:
- outputFileExtension
- modulesetup['outputFileExtension'] = outputFileExtension
- except NameError:
- pass
- try:
- inputSource
- modulesetup['inputSource'] = inputSource
- except NameError:
- pass
- return modulesetup
-
-
-def version():
- moduleinfo['config'] = moduleconfig
- return moduleinfo
+"""
+Export module for coverting MISP events into Defender for Endpoint KQL queries.
+Config['Period'] : allows to define period over witch to look for IOC from now
+"""
+
+import base64
+import json
+
+misperrors = {"error": "Error"}
+
+types_to_use = ['sha256', 'sha1', 'md5', 'domain', 'ip-src', 'ip-dst', 'url']
+
+userConfig = {
+
+}
+
+moduleconfig = ["Period"]
+inputSource = ['event']
+
+outputFileExtension = 'kql'
+responseType = 'application/txt'
+
+moduleinfo = {
+ 'version': '1.1',
+ 'author': 'Julien Bachmann, Hacknowledge, Maik Wuerth',
+ 'description': 'Defender for Endpoint KQL hunting query export module',
+ 'module-type': ['export'],
+ 'name': 'Microsoft Defender for Endpoint KQL Export',
+ 'logo': 'defender_endpoint.png',
+ 'requirements': [],
+ 'features': 'This module export an event as Defender for Endpoint KQL queries that can then be used in your own python3 or Powershell tool. If you are using Microsoft Sentinel, you can directly connect your MISP instance to Sentinel and then create queries using the `ThreatIntelligenceIndicator` table to match events against imported IOC.',
+ 'references': ['https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference'],
+ 'input': 'MISP Event attributes',
+ 'output': 'Defender for Endpoint KQL queries',
+}
+
+
+def handle_sha256(value, period):
+ query = f"""find in (DeviceEvents, DeviceAlertEvents,AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
+ where (SHA256 == '{value}' or InitiatingProcessSHA1 == '{value}') and
+ Timestamp between(ago({period}) .. now())"""
+ return query.replace('\n', ' ')
+
+
+def handle_sha1(value, period):
+ query = f"""find in (DeviceEvents, DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
+ where (SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}') and
+ Timestamp between(ago({period}) .. now())"""
+ return query.replace('\n', ' ')
+
+
+def handle_md5(value, period):
+ query = f"""find in (DeviceEvents, DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
+ where (MD5 == '{value}' or InitiatingProcessMD5 == '{value}') and
+ Timestamp between(ago({period}) .. now())"""
+ return query.replace('\n', ' ')
+
+
+def handle_domain(value, period):
+ query = f"""find in (DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceNetworkEvents)
+ where RemoteUrl contains '{value}' and
+ Timestamp between(ago({period}) .. now())"""
+ return query.replace('\n', ' ')
+
+
+def handle_ip(value, period):
+ query = f"""find in (DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceNetworkEvents)
+ where RemoteIP == '{value}' and
+ Timestamp between(ago({period}) .. now())"""
+ return query.replace('\n', ' ')
+
+
+def handle_url(value, period):
+ query = f"""let url = '{value}';
+ search in (EmailUrlInfo,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceEvents,BehaviorEntities, AlertInfo, AlertEvidence, DeviceAlertEvents)
+ Timestamp between(ago({period}) .. now()) and
+ RemoteUrl has url
+ or FileOriginUrl has url
+ or FileOriginReferrerUrl has url
+ or Url has url"""
+ return query.replace('\n', ' ')
+
+
+handlers = {
+ 'sha256': handle_sha256,
+ 'sha1': handle_sha1,
+ 'md5': handle_md5,
+ 'domain': handle_url,
+ 'ip-src': handle_ip,
+ 'ip-dst': handle_ip,
+ 'url': handle_url
+}
+
+
+def handler(q=False):
+ if q is False:
+ return False
+ request = json.loads(q)
+ config = request.get("config", {"Period": ""})
+ output = ''
+
+ for event in request["data"]:
+ for attribute in event["Attribute"]:
+ if attribute['type'] in types_to_use:
+ output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
+ for obj in event["Object"]:
+ for attribute in obj["Attribute"]:
+ if attribute['type'] in types_to_use:
+ output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
+ r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
+ return r
+
+
+def introspection():
+ modulesetup = {}
+ try:
+ responseType
+ modulesetup['responseType'] = responseType
+ except NameError:
+ pass
+ try:
+ userConfig
+ modulesetup['userConfig'] = userConfig
+ except NameError:
+ pass
+ try:
+ outputFileExtension
+ modulesetup['outputFileExtension'] = outputFileExtension
+ except NameError:
+ pass
+ try:
+ inputSource
+ modulesetup['inputSource'] = inputSource
+ except NameError:
+ pass
+ return modulesetup
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
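Review bot: Every handler interpolates `attribute['value']` straight into a single-quoted KQL literal (`SHA256 == '{value}'`, `RemoteIP == '{value}'`, `let url = '{value}'`), so a value containing a quote — which can arrive in any shared event — terminates the literal and changes the hunting query; only an embedded newline is neutralised by the `replace('\n', ' ')`. Escape backslashes and quotes once in a small helper and apply it in each handler before formatting; `period` comes from admin config and is less exposed, but presumably deserves the same treatment or a check against timespan syntax. While there, `handle_sha256` compares against `InitiatingProcessSHA1` (a sha256 can never match it; likely meant `InitiatingProcessSHA256`) and `handlers['domain']` maps to `handle_url`, leaving `handle_domain` dead — this looks unintended but may be deliberate. This hunk appears to be a whole-file rewrite where only the moduleinfo block changed, so these are pre-existing issues carried onto the new side.
```python
def _kql_str(value):
    # KQL string literals use backslash escapes; an unescaped quote in an
    # attribute value would close the literal and alter the generated query.
    return str(value).replace('\\', '\\\\').replace("'", "\\'")


def handle_sha256(value, period):
    value = _kql_str(value)
    query = f"""find in (DeviceEvents, DeviceAlertEvents,AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
    where (SHA256 == '{value}' or InitiatingProcessSHA256 == '{value}') and
    Timestamp between(ago({period}) .. now())"""
    return query.replace('\n', ' ')

# … unchanged: handle_sha1, handle_md5, handle_domain, handle_ip, handle_url — each gains the same value = _kql_str(value) first line …
# … unchanged: handlers, handler, introspection, version …
```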
diff --git a/misp_modules/modules/export_mod/goamlexport.py b/misp_modules/modules/export_mod/goamlexport.py
index b9ce086f..a1ffaf91 100644
--- a/misp_modules/modules/export_mod/goamlexport.py
+++ b/misp_modules/modules/export_mod/goamlexport.py
@@ -4,10 +4,20 @@ from pymisp import MISPEvent
from collections import defaultdict, Counter
misperrors = {'error': 'Error'}
-moduleinfo = {'version': '1', 'author': 'Christian Studer',
- 'description': 'Export to GoAML',
- 'module-type': ['export'],
- 'require_standard_format': True}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'Christian Studer',
+ 'description': 'This module is used to export MISP events containing transaction objects into GoAML format.',
+ 'module-type': ['export'],
+ 'name': 'GoAML Export',
+ 'require_standard_format': True,
+ 'logo': 'goAML.jpg',
+ 'requirements': ['PyMISP', 'MISP objects'],
+ 'features': "The module works as long as there is at least one transaction object in the Event.\n\nThen in order to have a valid GoAML document, please follow these guidelines:\n- For each transaction object, use either a bank-account, person, or legal-entity object to describe the origin of the transaction, and again one of them to describe the target of the transaction.\n- Create an object reference for both origin and target objects of the transaction.\n- A bank-account object needs a signatory, which is a person object, put as object reference of the bank-account.\n- A person can have an address, which is a geolocation object, put as object reference of the person.\n\nSupported relation types for object references that are recommended for each object are the folowing:\n- transaction:\n\t- 'from', 'from_my_client': Origin of the transaction - at least one of them is required.\n\t- 'to', 'to_my_client': Target of the transaction - at least one of them is required.\n\t- 'address': Location of the transaction - optional.\n- bank-account:\n\t- 'signatory': Signatory of a bank-account - the reference from bank-account to a signatory is required, but the relation-type is optional at the moment since this reference will always describe a signatory.\n\t- 'entity': Entity owning the bank account - optional.\n- person:\n\t- 'address': Address of a person - optional.",
+ 'references': ['http://goaml.unodc.org/'],
+ 'input': 'MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.',
+ 'output': 'GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).',
+}
moduleconfig = ['rentity_id']
mispattributes = {'input': ['MISPEvent'], 'output': ['xml file']}
outputFileExtension = "xml"
diff --git a/misp_modules/modules/export_mod/liteexport.py b/misp_modules/modules/export_mod/liteexport.py
index 870f52a2..d980c9f9 100755
--- a/misp_modules/modules/export_mod/liteexport.py
+++ b/misp_modules/modules/export_mod/liteexport.py
@@ -3,10 +3,19 @@ import base64
misperrors = {'error': 'Error'}
-moduleinfo = {'version': '1',
- 'author': 'TM',
- 'description': 'export lite',
- 'module-type': ['export']}
+moduleinfo = {
+ 'version': '1',
+ 'author': 'TM',
+ 'description': 'Lite export of a MISP event.',
+ 'module-type': ['export'],
+ 'name': 'Lite Export',
+ 'logo': '',
+ 'requirements': [],
+ 'features': 'This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty.',
+ 'references': [],
+ 'input': 'MISP Event attributes',
+ 'output': 'Lite MISP Event',
+}
moduleconfig = ["indent_json_export"]
diff --git a/misp_modules/modules/export_mod/mass_eql_export.py b/misp_modules/modules/export_mod/mass_eql_export.py
index f42874d4..d6ed1ea3 100644
--- a/misp_modules/modules/export_mod/mass_eql_export.py
+++ b/misp_modules/modules/export_mod/mass_eql_export.py
@@ -9,10 +9,17 @@ import logging
misperrors = {"error": "Error"}
moduleinfo = {
- "version": "0.1",
- "author": "92 COS DOM",
- "description": "Export MISP event in Event Query Language",
- "module-type": ["export"]
+ 'version': '0.1',
+ 'author': '92 COS DOM',
+ 'description': 'Export MISP event in Event Query Language',
+ 'module-type': ['export'],
+ 'name': 'EQL Query Export',
+ 'logo': 'eql.png',
+ 'requirements': [],
+ 'features': 'This module produces EQL queries for all relevant attributes in a MISP event.',
+ 'references': ['https://eql.readthedocs.io/en/latest/'],
+ 'input': 'MISP Event attributes',
+ 'output': 'Text file containing one or more EQL queries',
}
# Map of MISP fields => Endgame fields
diff --git a/misp_modules/modules/export_mod/nexthinkexport.py b/misp_modules/modules/export_mod/nexthinkexport.py
index c87b3fbc..f0c7f3e7 100755
--- a/misp_modules/modules/export_mod/nexthinkexport.py
+++ b/misp_modules/modules/export_mod/nexthinkexport.py
@@ -1,121 +1,131 @@
-"""
-Export module for coverting MISP events into Nexthink NXQL queries.
-Source: https://github.com/HacknowledgeCH/misp-modules/blob/master/misp_modules/modules/export_mod/nexthinkexport.py
-Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...), see Nexthink data model documentation
-"""
-
-import base64
-import json
-
-misperrors = {"error": "Error"}
-
-types_to_use = ['sha1', 'sha256', 'md5', 'domain']
-
-userConfig = {
-
-}
-
-moduleconfig = ["Period"]
-inputSource = ['event']
-
-outputFileExtension = 'nxql'
-responseType = 'application/txt'
-
-moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge',
- 'description': 'Nexthink NXQL query export module',
- 'module-type': ['export']}
-
-
-def handle_sha1(value, period):
- query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
-(from (binary user device execution)
-(where binary (eq sha1 (sha1 %s)))
-(between now-%s now))
-(limit 1000)
- ''' % (value, period)
- return query.replace('\n', ' ')
-
-
-def handle_sha256(value, period):
- query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
-(from (binary user device execution)
-(where binary (eq sha256 (sha256 %s)))
-(between now-%s now))
-(limit 1000)
- ''' % (value, period)
- return query.replace('\n', ' ')
-
-
-def handle_md5(value, period):
- query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
-(from (binary user device execution)
-(where binary (eq hash (md5 %s)))
-(between now-%s now))
-(limit 1000)
- ''' % (value, period)
- return query.replace('\n', ' ')
-
-
-def handle_domain(value, period):
- query = '''select ((device name) (device (name last_ip_address)) (user name)(user department) (binary executable_name)(binary application_name)(binary description)(binary application_category)(binary (executable_name version)) (binary #"Suspicious binary")(binary first_seen)(binary last_seen)(binary threat_level)(binary hash) (binary paths)
-(destination name)(domain name) (domain domain_category)(domain hosting_country)(domain protocol)(domain threat_level) (port port_number)(web_request incoming_traffic)(web_request outgoing_traffic))
-(from (web_request device user binary executable destination domain port)
-(where domain (eq name(string %s)))
-(between now-%s now))
-(limit 1000)
- ''' % (value, period)
- return query.replace('\n', ' ')
-
-
-handlers = {
- 'sha1': handle_sha1,
- 'sha256': handle_sha256,
- 'md5': handle_md5,
- 'domain': handle_domain
-}
-
-
-def handler(q=False):
- if q is False:
- return False
- r = {'results': []}
- request = json.loads(q)
- config = request.get("config", {"Period": ""})
- output = ''
-
- for event in request["data"]:
- for attribute in event["Attribute"]:
- if attribute['type'] in types_to_use:
- output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
- r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
- return r
-
-
-def introspection():
- modulesetup = {}
- try:
- responseType
- modulesetup['responseType'] = responseType
- except NameError:
- pass
- try:
- userConfig
- modulesetup['userConfig'] = userConfig
- except NameError:
- pass
- try:
- outputFileExtension
- modulesetup['outputFileExtension'] = outputFileExtension
- except NameError:
- pass
- try:
- inputSource
- modulesetup['inputSource'] = inputSource
- except NameError:
- pass
- return modulesetup
-
-
-def version():
- moduleinfo['config'] = moduleconfig
- return moduleinfo
+"""
+Export module for coverting MISP events into Nexthink NXQL queries.
+Source: https://github.com/HacknowledgeCH/misp-modules/blob/master/misp_modules/modules/export_mod/nexthinkexport.py
+Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...), see Nexthink data model documentation
+"""
+
+import base64
+import json
+
+misperrors = {"error": "Error"}
+
+types_to_use = ['sha1', 'sha256', 'md5', 'domain']
+
+userConfig = {
+
+}
+
+moduleconfig = ["Period"]
+inputSource = ['event']
+
+outputFileExtension = 'nxql'
+responseType = 'application/txt'
+
+moduleinfo = {
+ 'version': '1.0',
+ 'author': 'Julien Bachmann, Hacknowledge',
+ 'description': 'Nexthink NXQL query export module',
+ 'module-type': ['export'],
+ 'name': 'Nexthink NXQL Export',
+ 'logo': 'nexthink.svg',
+ 'requirements': [],
+ 'features': 'This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell',
+ 'references': ['https://doc.nexthink.com/Documentation/Nexthink/latest/APIAndIntegrations/IntroducingtheWebAPIV2'],
+ 'input': 'MISP Event attributes',
+ 'output': 'Nexthink NXQL queries',
+}
+
+
+def handle_sha1(value, period):
+ query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
+(from (binary user device execution)
+(where binary (eq sha1 (sha1 %s)))
+(between now-%s now))
+(limit 1000)
+ ''' % (value, period)
+ return query.replace('\n', ' ')
+
+
+def handle_sha256(value, period):
+ query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
+(from (binary user device execution)
+(where binary (eq sha256 (sha256 %s)))
+(between now-%s now))
+(limit 1000)
+ ''' % (value, period)
+ return query.replace('\n', ' ')
+
+
+def handle_md5(value, period):
+ query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
+(from (binary user device execution)
+(where binary (eq hash (md5 %s)))
+(between now-%s now))
+(limit 1000)
+ ''' % (value, period)
+ return query.replace('\n', ' ')
+
+
+def handle_domain(value, period):
+ query = '''select ((device name) (device (name last_ip_address)) (user name)(user department) (binary executable_name)(binary application_name)(binary description)(binary application_category)(binary (executable_name version)) (binary #"Suspicious binary")(binary first_seen)(binary last_seen)(binary threat_level)(binary hash) (binary paths)
+(destination name)(domain name) (domain domain_category)(domain hosting_country)(domain protocol)(domain threat_level) (port port_number)(web_request incoming_traffic)(web_request outgoing_traffic))
+(from (web_request device user binary executable destination domain port)
+(where domain (eq name(string %s)))
+(between now-%s now))
+(limit 1000)
+ ''' % (value, period)
+ return query.replace('\n', ' ')
+
+
+handlers = {
+ 'sha1': handle_sha1,
+ 'sha256': handle_sha256,
+ 'md5': handle_md5,
+ 'domain': handle_domain
+}
+
+
+def handler(q=False):
+ if q is False:
+ return False
+ r = {'results': []}
+ request = json.loads(q)
+ config = request.get("config", {"Period": ""})
+ output = ''
+
+ for event in request["data"]:
+ for attribute in event["Attribute"]:
+ if attribute['type'] in types_to_use:
+ output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
+ r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
+ return r
+
+
+def introspection():
+ modulesetup = {}
+ try:
+ responseType
+ modulesetup['responseType'] = responseType
+ except NameError:
+ pass
+ try:
+ userConfig
+ modulesetup['userConfig'] = userConfig
+ except NameError:
+ pass
+ try:
+ outputFileExtension
+ modulesetup['outputFileExtension'] = outputFileExtension
+ except NameError:
+ pass
+ try:
+ inputSource
+ modulesetup['inputSource'] = inputSource
+ except NameError:
+ pass
+ return modulesetup
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
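Review bot: `handle_sha1`, `handle_sha256`, `handle_md5` and `handle_domain` in this hunk interpolate the attribute value and the `Period` setting into NXQL with `%s` and no check on either, so a value that is not a bare hex digest or hostname — MISP attribute values arrive from shared events and feeds and are not constrained to that shape — can break out of the `(sha1 …)` / `(string …)` term and change the query an analyst then runs against Nexthink. Validate each value against the shape its type promises before it reaches a handler and skip attributes that do not conform; `Period` deserves the same treatment (presumably `\d+[smhdw]`, given the `15m, 1d, 2w, 30d` examples in the module docstring — confirm against the Nexthink data model). The `request.get("config", {"Period": ""})` default does not cover a `config` dict that lacks `Period`, which still raises `KeyError` at `config['Period']`, so read it with `.get('Period', '')`. The `r = {'results': []}` at the top of `handler` is dead and can be dropped, and the validation below needs `import re` added to the module's imports.
```python
_VALUE_PATTERNS = {
    'md5': re.compile(r'[0-9a-fA-F]{32}'),
    'sha1': re.compile(r'[0-9a-fA-F]{40}'),
    'sha256': re.compile(r'[0-9a-fA-F]{64}'),
    'domain': re.compile(r'[A-Za-z0-9.-]+'),
}


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    period = request.get("config", {}).get("Period", "")
    output = ''

    for event in request["data"]:
        for attribute in event["Attribute"]:
            attr_type, value = attribute['type'], attribute['value']
            # Only well-formed values reach the query templates; anything else is skipped.
            if attr_type in types_to_use and _VALUE_PATTERNS[attr_type].fullmatch(value):
                output = output + handlers[attr_type](value, period) + '\n'
    # … unchanged: base64 encoding of output and return …
```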
diff --git a/misp_modules/modules/export_mod/osqueryexport.py b/misp_modules/modules/export_mod/osqueryexport.py
index 6368875c..3022a563 100755
--- a/misp_modules/modules/export_mod/osqueryexport.py
+++ b/misp_modules/modules/export_mod/osqueryexport.py
@@ -1,115 +1,125 @@
-"""
-Export module for coverting MISP events into OSQuery queries.
-Source: https://github.com/0xmilkmix/misp-modules/blob/master/misp_modules/modules/export_mod/osqueryexport.py
-"""
-
-import base64
-import json
-import re
-
-misperrors = {"error": "Error"}
-
-types_to_use = ['regkey', 'regkey|value', 'mutex', 'windows-service-displayname', 'windows-scheduled-task', 'yara']
-
-userConfig = {
-
-}
-
-moduleconfig = []
-inputSource = ['event']
-
-outputFileExtension = 'conf'
-responseType = 'application/txt'
-
-
-moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge',
- 'description': 'OSQuery query export module',
- 'module-type': ['export']}
-
-
-def handle_regkey(value):
- rep = {'HKCU': 'HKEY_USERS\\%', 'HKLM': 'HKEY_LOCAL_MACHINE'}
- rep = dict((re.escape(k), v) for k, v in rep.items())
- pattern = re.compile("|".join(rep.keys()))
- value = pattern.sub(lambda m: rep[re.escape(m.group(0))], value)
- return 'SELECT * FROM registry WHERE path LIKE \'%s\';' % value
-
-
-def handle_regkeyvalue(value):
- key, value = value.split('|')
- rep = {'HKCU': 'HKEY_USERS\\%', 'HKLM': 'HKEY_LOCAL_MACHINE'}
- rep = dict((re.escape(k), v) for k, v in rep.items())
- pattern = re.compile("|".join(rep.keys()))
- key = pattern.sub(lambda m: rep[re.escape(m.group(0))], key)
- return 'SELECT * FROM registry WHERE path LIKE \'%s\' AND data LIKE \'%s\';' % (key, value)
-
-
-def handle_mutex(value):
- return 'SELECT * FROM winbaseobj WHERE object_name LIKE \'%s\';' % value
-
-
-def handle_service(value):
- return 'SELECT * FROM services WHERE display_name LIKE \'%s\' OR name like \'%s\';' % (value, value)
-
-
-def handle_yara(value):
- return 'not implemented yet, not sure it\'s easily feasible w/o dropping the sig on the hosts first'
-
-
-def handle_scheduledtask(value):
- return 'SELECT * FROM scheduled_tasks WHERE name LIKE \'%s\';' % value
-
-
-handlers = {
- 'regkey': handle_regkey,
- 'regkey|value': handle_regkeyvalue,
- 'mutex': handle_mutex,
- 'windows-service-displayname': handle_service,
- 'windows-scheduled-task': handle_scheduledtask,
- 'yara': handle_yara
-}
-
-
-def handler(q=False):
- if q is False:
- return False
- r = {'results': []}
- request = json.loads(q)
- output = ''
-
- for event in request["data"]:
- for attribute in event["Attribute"]:
- if attribute['type'] in types_to_use:
- output = output + handlers[attribute['type']](attribute['value']) + '\n'
- r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
- return r
-
-
-def introspection():
- modulesetup = {}
- try:
- responseType
- modulesetup['responseType'] = responseType
- except NameError:
- pass
- try:
- userConfig
- modulesetup['userConfig'] = userConfig
- except NameError:
- pass
- try:
- outputFileExtension
- modulesetup['outputFileExtension'] = outputFileExtension
- except NameError:
- pass
- try:
- inputSource
- modulesetup['inputSource'] = inputSource
- except NameError:
- pass
- return modulesetup
-
-
-def version():
- moduleinfo['config'] = moduleconfig
- return moduleinfo
+"""
+Export module for coverting MISP events into OSQuery queries.
+Source: https://github.com/0xmilkmix/misp-modules/blob/master/misp_modules/modules/export_mod/osqueryexport.py
+"""
+
+import base64
+import json
+import re
+
+misperrors = {"error": "Error"}
+
+types_to_use = ['regkey', 'regkey|value', 'mutex', 'windows-service-displayname', 'windows-scheduled-task', 'yara']
+
+userConfig = {
+
+}
+
+moduleconfig = []
+inputSource = ['event']
+
+outputFileExtension = 'conf'
+responseType = 'application/txt'
+
+
+moduleinfo = {
+ 'version': '1.0',
+ 'author': 'Julien Bachmann, Hacknowledge',
+ 'description': 'OSQuery export of a MISP event.',
+ 'module-type': ['export'],
+ 'name': 'OSQuery Export',
+ 'logo': 'osquery.png',
+ 'requirements': [],
+ 'features': 'This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.',
+ 'references': [],
+ 'input': 'MISP Event attributes',
+ 'output': 'osquery SQL queries',
+}
+
+
+def handle_regkey(value):
+ rep = {'HKCU': 'HKEY_USERS\\%', 'HKLM': 'HKEY_LOCAL_MACHINE'}
+ rep = dict((re.escape(k), v) for k, v in rep.items())
+ pattern = re.compile("|".join(rep.keys()))
+ value = pattern.sub(lambda m: rep[re.escape(m.group(0))], value)
+ return 'SELECT * FROM registry WHERE path LIKE \'%s\';' % value
+
+
+def handle_regkeyvalue(value):
+ key, value = value.split('|')
+ rep = {'HKCU': 'HKEY_USERS\\%', 'HKLM': 'HKEY_LOCAL_MACHINE'}
+ rep = dict((re.escape(k), v) for k, v in rep.items())
+ pattern = re.compile("|".join(rep.keys()))
+ key = pattern.sub(lambda m: rep[re.escape(m.group(0))], key)
+ return 'SELECT * FROM registry WHERE path LIKE \'%s\' AND data LIKE \'%s\';' % (key, value)
+
+
+def handle_mutex(value):
+ return 'SELECT * FROM winbaseobj WHERE object_name LIKE \'%s\';' % value
+
+
+def handle_service(value):
+ return 'SELECT * FROM services WHERE display_name LIKE \'%s\' OR name like \'%s\';' % (value, value)
+
+
+def handle_yara(value):
+ return 'not implemented yet, not sure it\'s easily feasible w/o dropping the sig on the hosts first'
+
+
+def handle_scheduledtask(value):
+ return 'SELECT * FROM scheduled_tasks WHERE name LIKE \'%s\';' % value
+
+
+handlers = {
+ 'regkey': handle_regkey,
+ 'regkey|value': handle_regkeyvalue,
+ 'mutex': handle_mutex,
+ 'windows-service-displayname': handle_service,
+ 'windows-scheduled-task': handle_scheduledtask,
+ 'yara': handle_yara
+}
+
+
+def handler(q=False):
+ if q is False:
+ return False
+ r = {'results': []}
+ request = json.loads(q)
+ output = ''
+
+ for event in request["data"]:
+ for attribute in event["Attribute"]:
+ if attribute['type'] in types_to_use:
+ output = output + handlers[attribute['type']](attribute['value']) + '\n'
+ r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
+ return r
+
+
+def introspection():
+ modulesetup = {}
+ try:
+ responseType
+ modulesetup['responseType'] = responseType
+ except NameError:
+ pass
+ try:
+ userConfig
+ modulesetup['userConfig'] = userConfig
+ except NameError:
+ pass
+ try:
+ outputFileExtension
+ modulesetup['outputFileExtension'] = outputFileExtension
+ except NameError:
+ pass
+ try:
+ inputSource
+ modulesetup['inputSource'] = inputSource
+ except NameError:
+ pass
+ return modulesetup
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
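Review bot: Every handler in this hunk splices the raw attribute value into a single-quoted SQL literal (`LIKE '%s'`), so a value containing a `'` — which MISP does not forbid for regkey, mutex, service or task names, and which arrives from shared events and feeds — breaks the generated statement or closes the literal early. Escape the quote before interpolation, and let `handle_regkeyvalue` split on the first `|` only (`key, value = value.split('|', 1)`) so registry data that itself contains a pipe does not raise `ValueError` and abort the whole export. Note that `LIKE` treats `_` and `%` as wildcards, so underscores in a mutex or task name match any character; the HKCU rewrite relies on `%` deliberately, so quote-escaping must leave that substitution alone. `handle_yara` writes a prose sentence into the `.conf` output, which makes the file unusable as a query pack; returning `''` for that type (or dropping `yara` from `types_to_use`) keeps the output loadable. The `r = {'results': []}` at the top of `handler` is overwritten before use.
```python
def _sql_str(value):
    """Escape a value for use inside a single-quoted osquery SQL literal."""
    return value.replace("'", "''")


def handle_regkey(value):
    # … unchanged: HKCU/HKLM rewrite …
    return 'SELECT * FROM registry WHERE path LIKE \'%s\';' % _sql_str(value)


def handle_regkeyvalue(value):
    key, value = value.split('|', 1)
    # … unchanged: HKCU/HKLM rewrite of key …
    return 'SELECT * FROM registry WHERE path LIKE \'%s\' AND data LIKE \'%s\';' % (_sql_str(key), _sql_str(value))


def handle_mutex(value):
    return 'SELECT * FROM winbaseobj WHERE object_name LIKE \'%s\';' % _sql_str(value)

# … unchanged: handle_service and handle_scheduledtask, with _sql_str applied the same way …
```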
diff --git a/misp_modules/modules/export_mod/pdfexport.py b/misp_modules/modules/export_mod/pdfexport.py
index 44b3bc9e..53ea17d7 100755
--- a/misp_modules/modules/export_mod/pdfexport.py
+++ b/misp_modules/modules/export_mod/pdfexport.py
@@ -8,11 +8,20 @@ from pymisp.tools import reportlab_generator
misperrors = {'error': 'Error'}
-moduleinfo = {'version': '2',
- 'author': 'Vincent Falconieri (prev. Raphaël Vinot)',
- 'description': 'Simple export to PDF',
- 'module-type': ['export'],
- 'require_standard_format': True}
+moduleinfo = {
+ 'version': '2',
+ 'author': 'Vincent Falconieri (prev. Raphaël Vinot)',
+ 'description': 'Simple export of a MISP event to PDF.',
+ 'module-type': ['export'],
+ 'name': 'Event to PDF Export',
+ 'require_standard_format': True,
+ 'logo': '',
+ 'requirements': ['PyMISP', 'reportlab'],
+ 'features': "The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of reportlab, used to create the file, there is no special feature concerning the Event. Some parameters can be given through the config dict. 'MISP_base_url_for_dynamic_link' is your MISP URL, to attach an hyperlink to your event on your MISP instance from the PDF. Keep it clear to avoid hyperlinks in the generated pdf.\n 'MISP_name_for_metadata' is your CERT or MISP instance name. Used as text in the PDF' metadata\n 'Activate_textual_description' is a boolean (True or void) to activate the textual description/header abstract of an event\n 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.\n 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !\n 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.\n 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option ",
+ 'references': ['https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html'],
+ 'input': 'MISP Event',
+ 'output': 'MISP Event in a PDF file.',
+}
# config fields that your code expects from the site admin
moduleconfig = ["MISP_base_url_for_dynamic_link", "MISP_name_for_metadata", "Activate_textual_description", "Activate_galaxy_description", "Activate_related_events", "Activate_internationalization_fonts", "Custom_fonts_path"]
diff --git a/misp_modules/modules/export_mod/testexport.py b/misp_modules/modules/export_mod/testexport.py
index 1fc7ff7d..e1fb6ff5 100755
--- a/misp_modules/modules/export_mod/testexport.py
+++ b/misp_modules/modules/export_mod/testexport.py
@@ -18,9 +18,19 @@ outputFileExtension = 'txt'
responseType = 'application/txt'
-moduleinfo = {'version': '0.1', 'author': 'Andras Iklody',
- 'description': 'Skeleton export module',
- 'module-type': ['export']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Andras Iklody',
+ 'description': 'Skeleton export module.',
+ 'name': 'Test Export',
+ 'module-type': ['export'],
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
def handler(q=False):
diff --git a/misp_modules/modules/export_mod/threatStream_misp_export.py b/misp_modules/modules/export_mod/threatStream_misp_export.py
index a9f7f06e..68c710f3 100755
--- a/misp_modules/modules/export_mod/threatStream_misp_export.py
+++ b/misp_modules/modules/export_mod/threatStream_misp_export.py
@@ -1,107 +1,114 @@
-"""
-Export module for coverting MISP events into ThreatStream Structured Import files. Based of work by the CenturyLink CIRT.
-Source: https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/export_mod/threat_connect_export.py
-"""
-
-import base64
-import csv
-import io
-import json
-import logging
-
-
-misperrors = {"error": "Error"}
-
-moduleinfo = {
- "version": "1.0",
- "author": "Robert Nixon, based off of the ThreatConnect MISP Module written by the CenturyLink CIRT",
- "description": "Export a structured CSV file for uploading to ThreatStream",
- "module-type": ["export"]
-}
-
-
-moduleconfig = []
-
-
-# Map of MISP fields => ThreatStream itypes, you can modify this to your liking
-fieldmap = {
- "domain": "mal_domain",
- "hostname": "mal_domain",
- "ip-src": "mal_ip",
- "ip-dst": "mal_ip",
- "email-src": "phish_email",
- "url": "mal_url",
- "md5": "mal_md5",
-}
-
-# combine all the MISP fields from fieldmap into one big list
-mispattributes = {
- "input": list(fieldmap.keys())
-}
-
-
-def handler(q=False):
- """
- Convert a MISP query into a CSV file matching the ThreatStream Structured Import file format.
- Input
- q: Query dictionary
- """
- if q is False or not q:
- return False
-
- request = json.loads(q)
-
- response = io.StringIO()
- writer = csv.DictWriter(response, fieldnames=["value", "itype", "tags"])
- writer.writeheader()
-
- # start parsing MISP data
- for event in request["data"]:
- for attribute in event["Attribute"]:
- if attribute["type"] in mispattributes["input"]:
- logging.debug("Adding %s to structured CSV export of ThreatStream Export", attribute["value"])
- if "|" in attribute["type"]:
- # if the attribute type has multiple values, line it up with the corresponding ThreatStream values in fieldmap
- indicators = tuple(attribute["value"].split("|"))
- ts_types = tuple(fieldmap[attribute["type"]].split("|"))
- for i, indicator in enumerate(indicators):
- writer.writerow({
- "value": indicator,
- "itype": ts_types[i],
- "tags": attribute["comment"]
- })
- else:
- writer.writerow({
- "itype": fieldmap[attribute["type"]],
- "value": attribute["value"],
- "tags": attribute["comment"]
- })
-
- return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')}
-
-
-def introspection():
- """
- Relay the supported attributes to MISP.
- No Input
- Output
- Dictionary of supported MISP attributes
- """
- modulesetup = {
- "responseType": "application/txt",
- "outputFileExtension": "csv",
- "userConfig": {},
- "inputSource": []
- }
- return modulesetup
-
-
-def version():
- """
- Relay module version and associated metadata to MISP.
- No Input
- Output
- moduleinfo: metadata output containing all potential configuration values
- """
- moduleinfo["config"] = moduleconfig
- return moduleinfo
+"""
+Export module for coverting MISP events into ThreatStream Structured Import files. Based of work by the CenturyLink CIRT.
+Source: https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/export_mod/threat_connect_export.py
+"""
+
+import base64
+import csv
+import io
+import json
+import logging
+
+
+misperrors = {"error": "Error"}
+
+moduleinfo = {
+ 'version': '1.0',
+ 'author': 'Robert Nixon, based off of the ThreatConnect MISP Module written by the CenturyLink CIRT',
+ 'description': 'Module to export a structured CSV file for uploading to threatStream.',
+ 'module-type': ['export'],
+ 'name': 'ThreatStream Export',
+ 'logo': 'threatstream.png',
+ 'requirements': ['csv'],
+ 'features': 'The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatStream.',
+ 'references': ['https://www.anomali.com/platform/threatstream', 'https://github.com/threatstream'],
+ 'input': 'MISP Event attributes',
+ 'output': 'ThreatStream CSV format file',
+}
+
+
+moduleconfig = []
+
+
+# Map of MISP fields => ThreatStream itypes, you can modify this to your liking
+fieldmap = {
+ "domain": "mal_domain",
+ "hostname": "mal_domain",
+ "ip-src": "mal_ip",
+ "ip-dst": "mal_ip",
+ "email-src": "phish_email",
+ "url": "mal_url",
+ "md5": "mal_md5",
+}
+
+# combine all the MISP fields from fieldmap into one big list
+mispattributes = {
+ "input": list(fieldmap.keys())
+}
+
+
+def handler(q=False):
+ """
+ Convert a MISP query into a CSV file matching the ThreatStream Structured Import file format.
+ Input
+ q: Query dictionary
+ """
+ if q is False or not q:
+ return False
+
+ request = json.loads(q)
+
+ response = io.StringIO()
+ writer = csv.DictWriter(response, fieldnames=["value", "itype", "tags"])
+ writer.writeheader()
+
+ # start parsing MISP data
+ for event in request["data"]:
+ for attribute in event["Attribute"]:
+ if attribute["type"] in mispattributes["input"]:
+ logging.debug("Adding %s to structured CSV export of ThreatStream Export", attribute["value"])
+ if "|" in attribute["type"]:
+ # if the attribute type has multiple values, line it up with the corresponding ThreatStream values in fieldmap
+ indicators = tuple(attribute["value"].split("|"))
+ ts_types = tuple(fieldmap[attribute["type"]].split("|"))
+ for i, indicator in enumerate(indicators):
+ writer.writerow({
+ "value": indicator,
+ "itype": ts_types[i],
+ "tags": attribute["comment"]
+ })
+ else:
+ writer.writerow({
+ "itype": fieldmap[attribute["type"]],
+ "value": attribute["value"],
+ "tags": attribute["comment"]
+ })
+
+ return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')}
+
+
+def introspection():
+ """
+ Relay the supported attributes to MISP.
+ No Input
+ Output
+ Dictionary of supported MISP attributes
+ """
+ modulesetup = {
+ "responseType": "application/txt",
+ "outputFileExtension": "csv",
+ "userConfig": {},
+ "inputSource": []
+ }
+ return modulesetup
+
+
+def version():
+ """
+ Relay module version and associated metadata to MISP.
+ No Input
+ Output
+ moduleinfo: metadata output containing all potential configuration values
+ """
+ moduleinfo["config"] = moduleconfig
+ return moduleinfo
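Review bot: The composite-type branch at `if "|" in attribute["type"]:` can never run with the `fieldmap` in this hunk — none of its keys contains a `|` — and if a composite type is added later, `ts_types[i]` raises `IndexError` whenever the value has more `|`-separated parts than the itype string. Pair the two sequences with `for indicator, itype in zip(indicators, ts_types):` so the row loop is bounded by both, and read the comment with `attribute.get("comment", "")` so an attribute without that key does not abort the whole export with a `KeyError`. The `logging.debug` call goes through the root logger; a module-level `logger = logging.getLogger(__name__)` keeps the export's messages attributable. `'requirements': ['csv']` in the new metadata lists a standard-library module as an external requirement and could be `[]`.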
diff --git a/misp_modules/modules/export_mod/threat_connect_export.py b/misp_modules/modules/export_mod/threat_connect_export.py
index 0b51fb78..a86240c0 100644
--- a/misp_modules/modules/export_mod/threat_connect_export.py
+++ b/misp_modules/modules/export_mod/threat_connect_export.py
@@ -13,10 +13,17 @@ import logging
misperrors = {"error": "Error"}
moduleinfo = {
- "version": "0.1",
- "author": "CenturyLink CIRT",
- "description": "Export a structured CSV file for uploading to ThreatConnect",
- "module-type": ["export"]
+ 'version': '0.1',
+ 'author': 'CenturyLink CIRT',
+ 'description': 'Module to export a structured CSV file for uploading to ThreatConnect.',
+ 'module-type': ['export'],
+ 'name': 'ThreadConnect Export',
+ 'logo': 'threatconnect.png',
+ 'requirements': ['csv'],
+ 'features': 'The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect.\nUsers should then provide, as module configuration, the source of data they export, because it is required by the output format.',
+ 'references': ['https://www.threatconnect.com'],
+ 'input': 'MISP Event attributes',
+ 'output': 'ThreatConnect CSV format file',
}
# config fields expected from the MISP administrator
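Review bot: The new `'name'` field at `'name': 'ThreadConnect Export',` misspells the product; this string is what MISP displays for the module and what the generated documentation is keyed on, so it should read `'name': 'ThreatConnect Export',`. `'requirements': ['csv']` also lists a standard-library module as an external requirement; `[]` is accurate. The `moduleconfig` the `'features'` text refers to starts after this hunk.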
diff --git a/misp_modules/modules/export_mod/virustotal_collections.py b/misp_modules/modules/export_mod/virustotal_collections.py
index 28a79ef2..9da3bb5d 100644
--- a/misp_modules/modules/export_mod/virustotal_collections.py
+++ b/misp_modules/modules/export_mod/virustotal_collections.py
@@ -43,7 +43,14 @@ moduleinfo = {
'version': '1.0',
'author': 'VirusTotal',
'description': 'Creates a VT Collection from an event iocs.',
- 'module-type': ['export']
+ 'module-type': ['export'],
+ 'name': 'VirusTotal Collections Export',
+ 'logo': 'virustotal.png',
+ 'requirements': ['An access to the VirusTotal API (apikey).'],
+ 'features': 'This export module which takes advantage of a new endpoint in VT APIv3 to create VT Collections from IOCs contained in a MISP event. With this module users will be able to create a collection just using the Download as... button.',
+ 'references': ['https://www.virustotal.com/', 'https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html'],
+ 'input': 'A domain, hash (md5, sha1, sha256 or sha512), hostname, url or IP address attribute.',
+ 'output': 'A VirusTotal collection in VT.',
}
moduleconfig = [
diff --git a/misp_modules/modules/export_mod/vt_graph.py b/misp_modules/modules/export_mod/vt_graph.py
index 70c1952c..7f2125c2 100644
--- a/misp_modules/modules/export_mod/vt_graph.py
+++ b/misp_modules/modules/export_mod/vt_graph.py
@@ -12,8 +12,15 @@ misperrors = {
moduleinfo = {
'version': '0.1',
'author': 'VirusTotal',
- 'description': 'Send event to VirusTotal Graph',
- 'module-type': ['export']
+ 'description': 'This module is used to create a VirusTotal Graph from a MISP event.',
+ 'module-type': ['export'],
+ 'name': 'VirusTotal Graph Export',
+ 'logo': 'virustotal.png',
+ 'requirements': ['vt_graph_api, the python library to query the VirusTotal graph API'],
+ 'features': 'The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.\n\nOnce the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.',
+ 'references': ['https://www.virustotal.com/gui/graph-overview'],
+ 'input': 'A MISP event.',
+ 'output': 'Link of the VirusTotal Graph created for the event.',
}
mispattributes = {
'input': [
diff --git a/misp_modules/modules/export_mod/yara_export.py b/misp_modules/modules/export_mod/yara_export.py
index 91036ccc..ebcbfcde 100644
--- a/misp_modules/modules/export_mod/yara_export.py
+++ b/misp_modules/modules/export_mod/yara_export.py
@@ -24,9 +24,19 @@ outputFileExtension = 'yara'
responseType = 'text/plain'
-moduleinfo = {'version': '0.1', 'author': 'Christophe Vandeplas',
- 'description': 'Yara export module',
- 'module-type': ['export']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Christophe Vandeplas',
+ 'description': 'This module is used to export MISP events to YARA.',
+ 'module-type': ['export'],
+ 'name': 'YARA Rule Export',
+ 'logo': 'yara.png',
+ 'requirements': ['yara-python python library'],
+ 'features': 'The module will dynamically generate YARA rules for attributes that are marked as to IDS. Basic metadata about the event is added to the rule.\nAttributes that are already YARA rules are also exported, with a rewritten rule name.',
+ 'references': ['https://virustotal.github.io/yara/'],
+ 'input': 'Attributes and Objects.',
+ 'output': 'A YARA file that can be used with the YARA scanning tool.',
+}
class YaraRule():
@@ -109,7 +119,7 @@ def handle_combined(yara_rules: list, yr: YaraRule, attribute: dict):
pass
-def handle_yara(yara_rules: list, yr: YaraRule, attribute):
+def handle_yara(yara_rules: list, yr: YaraRule, attribute: dict):
# do not check for to_ids, as we want to always export the Yara rule
# split out as a separate rule, and rewrite the rule name
value = re.sub('^[ \t]*rule ', 'rule MISP_e{}_'.format(attribute['event_id']), attribute['value'], flags=re.MULTILINE)
@@ -141,9 +151,8 @@ def handle_yara(yara_rules: list, yr: YaraRule, attribute):
# compile the yara rule to confirm it's validity
try:
yara.compile(source=value)
- except yara.SyntaxError:
- return
- except yara.Error:
+ except Exception:
+ # skip rules that do not compile
return
# all checks done, add the rule
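Review bot: Replacing `except yara.SyntaxError` / `except yara.Error` with `except Exception` makes the "skip rules that do not compile" branch swallow everything that is not a compile problem as well — a missing `yara` module, a non-string `attribute['value']`, a bug in the substitutions above — and every YARA attribute then silently vanishes from the export with no error anywhere. Keep the catch narrow: `except yara.Error:` on its own is enough, since yara.SyntaxError derives from yara.Error in yara-python, and the `# skip rules that do not compile` comment then matches what the clause actually does. handle_yara's body starts outside this hunk.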
@@ -151,13 +160,13 @@ def handle_yara(yara_rules: list, yr: YaraRule, attribute):
return
-def handle_malware_sample(yara_rules: list, yr: YaraRule, attribute):
+def handle_malware_sample(yara_rules: list, yr: YaraRule, attribute: dict):
if not attribute['to_ids']: # skip non IDS attributes
return
handle_combined(yara_rules, yr, 'filename|md5', attribute['value'])
-def handle_meta(yara_rules: list, yr: YaraRule, attribute):
+def handle_meta(yara_rules: list, yr: YaraRule, attribute: dict):
yr.add_meta(attribute['type'], attribute['value'])
return
diff --git a/misp_modules/modules/import_mod/cof2misp.py b/misp_modules/modules/import_mod/cof2misp.py
index 841da09d..79426544 100755
--- a/misp_modules/modules/import_mod/cof2misp.py
+++ b/misp_modules/modules/import_mod/cof2misp.py
@@ -37,9 +37,19 @@ mispattributes = {'inputSource': ['file'], 'output': ['MISP objects'],
'format': 'misp_standard'}
-moduleinfo = {'version': '0.3', 'author': 'Aaron Kaplan',
- 'description': 'Module to import the passive DNS Common Output Format (COF) and merge as a MISP objet into a MISP event.',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.3',
+ 'author': 'Aaron Kaplan',
+ 'description': 'Passive DNS Common Output Format (COF) MISP importer',
+ 'module-type': ['import'],
+ 'name': 'PDNS COF Importer',
+ 'requirements': ['PyMISP'],
+ 'features': 'Takes as input a valid COF file or the output of the dnsdbflex utility and creates MISP objects for the input.',
+ 'references': ['https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html'],
+ 'input': 'Passive DNS output in Common Output Format (COF)',
+ 'output': 'MISP objects',
+ 'logo': '',
+}
moduleconfig = []
diff --git a/misp_modules/modules/import_mod/csvimport.py b/misp_modules/modules/import_mod/csvimport.py
index 8f4a643d..52d3cff6 100644
--- a/misp_modules/modules/import_mod/csvimport.py
+++ b/misp_modules/modules/import_mod/csvimport.py
@@ -4,9 +4,19 @@ import io
import base64
misperrors = {'error': 'Error'}
-moduleinfo = {'version': '0.2', 'author': 'Christian Studer',
- 'description': 'Import Attributes from a csv file.',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Christian Studer',
+ 'module-type': ['import'],
+ 'name': 'CSV Import',
+ 'description': 'Module to import MISP attributes from a csv file.',
+ 'requirements': ['PyMISP'],
+ 'features': "In order to parse data from a csv file, a header is required to let the module know which column is matching with known attribute fields / MISP types.\n\nThis header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, ').\n\nIf the csv file already contains a header that does not start by a '#', you should tick the checkbox 'has_header' to avoid importing it and have potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason why you would redefine a header is for instance when you want to skip some fields, or some fields are not valid types.",
+ 'references': ['https://tools.ietf.org/html/rfc4180', 'https://tools.ietf.org/html/rfc7111'],
+ 'input': 'CSV format file.',
+ 'output': 'MISP Event attributes',
+ 'logo': '',
+}
moduleconfig = []
userConfig = {
'header': {
diff --git a/misp_modules/modules/import_mod/cuckooimport.py b/misp_modules/modules/import_mod/cuckooimport.py
index 3ed52bda..626f1cbc 100755
--- a/misp_modules/modules/import_mod/cuckooimport.py
+++ b/misp_modules/modules/import_mod/cuckooimport.py
@@ -17,10 +17,15 @@ misperrors = {'error': 'Error'}
moduleinfo = {
'version': '1.1',
'author': 'Pierre-Jean Grenier',
- 'description': "Import a Cuckoo archive (zipfile or bzip2 tarball), "
- "either downloaded manually or exported from the "
- "API (/tasks/report/{task_id}/all).",
'module-type': ['import'],
+ 'name': 'Cuckoo Sandbox Import',
+ 'description': 'Module to import Cuckoo JSON.',
+ 'logo': 'cuckoo.png',
+ 'requirements': [],
+ 'features': 'Import a Cuckoo archive (zipfile or bzip2 tarball), either downloaded manually or exported from the API (/tasks/report//all).',
+ 'references': ['https://cuckoosandbox.org/', 'https://github.com/cuckoosandbox/cuckoo'],
+ 'input': 'Cuckoo JSON file',
+ 'output': 'MISP Event attributes',
}
moduleconfig = []
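Review bot: The new `features` string lost the path placeholder the removed description carried: `/tasks/report//all` should read `/tasks/report/{task_id}/all` (the braces were presumably dropped when the text was pasted). `description` and `input` now say "Cuckoo JSON" while `features` still describes a zip or bzip2 tarball archive; the three fields should agree on what the module accepts — if both forms are handled, `'input': 'Cuckoo archive (zipfile or bzip2 tarball) or JSON report'` would cover it, but confirm against the handler, which is outside this hunk.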
diff --git a/misp_modules/modules/import_mod/email_import.py b/misp_modules/modules/import_mod/email_import.py
index bad4f6a6..9ad65cc8 100644
--- a/misp_modules/modules/import_mod/email_import.py
+++ b/misp_modules/modules/import_mod/email_import.py
@@ -18,10 +18,19 @@ misperrors = {'error': 'Error'}
mispattributes = {'inputSource': ['file'], 'output': ['MISP objects'],
'format': 'misp_standard'}
-moduleinfo = {'version': '0.2',
- 'author': 'Seamus Tuohy, Raphaël Vinot',
- 'description': 'Email import module for MISP',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Seamus Tuohy, Raphaël Vinot',
+ 'description': 'Email import module for MISP',
+ 'module-type': ['import'],
+ 'name': 'Email Import',
+ 'requirements': [],
+ 'features': 'This module can be used to import e-mail text as well as attachments and urls.\n3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.',
+ 'references': [],
+ 'input': 'E-mail file',
+ 'output': 'MISP Event attributes',
+ 'logo': '',
+}
# unzip_attachments : Unzip all zip files that are not password protected
# guess_zip_attachment_passwords : This attempts to unzip all password protected zip files using all the strings found in the email body and subject
diff --git a/misp_modules/modules/import_mod/goamlimport.py b/misp_modules/modules/import_mod/goamlimport.py
index 79b4cfe8..afb02668 100644
--- a/misp_modules/modules/import_mod/goamlimport.py
+++ b/misp_modules/modules/import_mod/goamlimport.py
@@ -5,9 +5,19 @@ import xml.etree.ElementTree as ET
from pymisp import MISPEvent, MISPObject
misperrors = {'error': 'Error'}
-moduleinfo = {'version': 1, 'author': 'Christian Studer',
- 'description': 'Import from GoAML',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': 1,
+ 'author': 'Christian Studer',
+ 'description': 'Module to import MISP objects about financial transactions from GoAML files.',
+ 'module-type': ['import'],
+ 'name': 'GoAML Import',
+ 'logo': 'goAML.jpg',
+ 'requirements': ['PyMISP'],
+ 'features': 'Unlike the GoAML export module, there is here no special feature to import data from GoAML external files, since the module will import MISP Objects with their References on its own, as it is required for the export module to rebuild a valid GoAML document.',
+ 'references': 'http://goaml.unodc.org/',
+ 'input': 'GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).',
+ 'output': 'MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.',
+}
moduleconfig = []
mispattributes = {'inputSource': ['file'], 'output': ['MISP objects'],
'format': 'misp_standard'}
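Review bot: `'references': 'http://goaml.unodc.org/'` is a bare string, while every other moduleinfo in this change and the template in tests/test.py use a list; any consumer that iterates over references will get single characters. Change it to `'references': ['http://goaml.unodc.org/'],`. The key-presence check in test_introspection_module_structure does not catch this kind of type mismatch, so checking the value types there as well would prevent a repeat.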
diff --git a/misp_modules/modules/import_mod/import_blueprint.py b/misp_modules/modules/import_mod/import_blueprint.py
index 2758f834..30a72106 100755
--- a/misp_modules/modules/import_mod/import_blueprint.py
+++ b/misp_modules/modules/import_mod/import_blueprint.py
@@ -31,14 +31,23 @@ mispattributes = {
}
-moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem',
- 'description': 'Generic blueprint to be copy-pasted to quickly boostrap creation of import module.',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sami Mokaddem',
+ 'description': 'Generic blueprint to be copy-pasted to quickly boostrap creation of import module.',
+ 'module-type': ['import'],
+ 'name': 'Import Blueprint',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
moduleconfig = []
-
def generateData(event, data, config):
# attr = MISPAttribute()
# attr.from_dict(**{
diff --git a/misp_modules/modules/import_mod/joe_import.py b/misp_modules/modules/import_mod/joe_import.py
index ce566983..68b41ee0 100644
--- a/misp_modules/modules/import_mod/joe_import.py
+++ b/misp_modules/modules/import_mod/joe_import.py
@@ -17,9 +17,19 @@ userConfig = {
inputSource = ['file']
-moduleinfo = {'version': '0.2', 'author': 'Christian Studer',
- 'description': 'Import for Joe Sandbox JSON reports',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Christian Studer',
+ 'description': 'A module to import data from a Joe Sandbox analysis json report.',
+ 'module-type': ['import'],
+ 'name': 'Joe Sandbox Import',
+ 'logo': 'joesandbox.png',
+ 'requirements': [],
+ 'features': 'Module using the new format of modules able to return attributes and objects.\n\nThe module returns the same results as the expansion module [joesandbox_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) using the submission link of the analysis to get the json report.',
+ 'references': ['https://www.joesecurity.org', 'https://www.joesandbox.com/'],
+ 'input': 'Json report of a Joe Sandbox analysis.',
+ 'output': 'MISP attributes & objects parsed from the analysis report.',
+}
moduleconfig = []
diff --git a/misp_modules/modules/import_mod/lastline_import.py b/misp_modules/modules/import_mod/lastline_import.py
index 3307852f..7acd4f8a 100644
--- a/misp_modules/modules/import_mod/lastline_import.py
+++ b/misp_modules/modules/import_mod/lastline_import.py
@@ -24,10 +24,17 @@ userConfig = {
inputSource = []
moduleinfo = {
- "version": "0.1",
- "author": "Stefano Ortolani",
- "description": "Import a Lastline report from an analysis link.",
- "module-type": ["import"]
+ 'version': '0.1',
+ 'author': 'Stefano Ortolani',
+ 'description': 'Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nModule to import and parse reports from Lastline analysis links.',
+ 'module-type': ['import'],
+ 'name': 'Lastline Import',
+ 'logo': 'lastline.png',
+ 'requirements': [],
+ 'features': 'The module requires a Lastline Portal `username` and `password`.\nThe module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) expansion module.',
+ 'references': ['https://www.lastline.com'],
+ 'input': 'Link to a Lastline analysis.',
+ 'output': 'MISP attributes and objects parsed from the analysis report.',
}
moduleconfig = [
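Review bot: The new description carries a deprecation notice with a date already in the past ("will be deprecated by December 2021") while the same change bumps the copyright year to 2024, so documentation generated from this field advertises a deadline nobody can act on. Either state the status as fact, `'description': 'Deprecated: use the vmware_nsx module instead.\n\nModule to import and parse reports from Lastline analysis links.'`, or drop the date.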
diff --git a/misp_modules/modules/import_mod/mispjson.py b/misp_modules/modules/import_mod/mispjson.py
index a9c22267..e42a95c3 100755
--- a/misp_modules/modules/import_mod/mispjson.py
+++ b/misp_modules/modules/import_mod/mispjson.py
@@ -6,9 +6,19 @@ userConfig = {}
inputSource = ['file']
-moduleinfo = {'version': '0.1', 'author': 'Richard van den Berg',
- 'description': 'MISP JSON format import module for merging MISP events',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Richard van den Berg',
+ 'description': 'Module to import MISP JSON format for merging MISP events.',
+ 'module-type': ['import'],
+ 'name': 'MISP JSON Import',
+ 'logo': '',
+ 'requirements': [],
+ 'features': 'The module simply imports MISP Attributes from an other MISP Event in order to merge events together. There is thus no special feature to make it work.',
+ 'references': [],
+ 'input': 'MISP Event',
+ 'output': 'MISP Event attributes',
+}
moduleconfig = []
diff --git a/misp_modules/modules/import_mod/ocr.py b/misp_modules/modules/import_mod/ocr.py
index 2e82cd2f..68c7e6b4 100755
--- a/misp_modules/modules/import_mod/ocr.py
+++ b/misp_modules/modules/import_mod/ocr.py
@@ -18,9 +18,19 @@ userConfig = {}
inputSource = ['file']
-moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy',
- 'description': 'Optical Character Recognition (OCR) module for MISP',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Alexandre Dulaunoy',
+ 'description': 'Optical Character Recognition (OCR) module for MISP.',
+ 'module-type': ['import'],
+ 'name': 'OCR Import',
+ 'logo': '',
+ 'requirements': [],
+ 'features': 'The module tries to recognize some text from an image and import the result as a freetext attribute, there is then no special feature asked to users to make it work.',
+ 'references': [],
+ 'input': 'Image',
+ 'output': 'freetext MISP attribute',
+}
moduleconfig = []
diff --git a/misp_modules/modules/import_mod/openiocimport.py b/misp_modules/modules/import_mod/openiocimport.py
index 074a4649..f1946bd5 100755
--- a/misp_modules/modules/import_mod/openiocimport.py
+++ b/misp_modules/modules/import_mod/openiocimport.py
@@ -15,9 +15,19 @@ userConfig = {'not save ioc': {'type': 'Boolean',
inputSource = ['file']
-moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
- 'description': 'Import OpenIOC package',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Raphaël Vinot',
+ 'description': 'Module to import OpenIOC packages.',
+ 'module-type': ['import'],
+ 'name': 'OpenIOC Import',
+ 'logo': '',
+ 'requirements': ['PyMISP'],
+ 'features': 'The module imports MISP Attributes from OpenIOC packages, there is then no special feature for users to make it work.',
+ 'references': ['https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html'],
+ 'input': 'OpenIOC packages',
+ 'output': 'MISP Event attributes',
+}
moduleconfig = []
diff --git a/misp_modules/modules/import_mod/taxii21.py b/misp_modules/modules/import_mod/taxii21.py
index d03b85cb..2991497a 100644
--- a/misp_modules/modules/import_mod/taxii21.py
+++ b/misp_modules/modules/import_mod/taxii21.py
@@ -23,9 +23,19 @@ class ConfigError(Exception):
misperrors = {'error': 'Error'}
-moduleinfo = {'version': '0.1', 'author': 'Abc',
- 'description': 'Import content from a TAXII 2.1 server',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Abc',
+ 'description': 'Import content from a TAXII 2.1 server',
+ 'module-type': ['import'],
+ 'name': 'TAXII 2.1 Import',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
mispattributes = {
'inputSource': [],
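Review bot: `features`, `input` and `output` are empty strings and `requirements` is an empty list, which passes the key-presence check added in tests/test.py but yields an empty documentation entry for a module that pulls content from a remote TAXII 2.1 server. The same placeholder values appear in testimport.py, url_import.py and vmray_summary_json_import.py; only import_blueprint.py is meant to stay blank. At minimum `input` should name the TAXII 2.1 server/collection the module reads and `output` what it produces, and if the module relies on a third-party TAXII client library (its imports are outside this hunk) that belongs under `requirements`.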
diff --git a/misp_modules/modules/import_mod/testimport.py b/misp_modules/modules/import_mod/testimport.py
index 891b3a68..818d7217 100755
--- a/misp_modules/modules/import_mod/testimport.py
+++ b/misp_modules/modules/import_mod/testimport.py
@@ -25,9 +25,19 @@ userConfig = {
inputSource = ['file', 'paste']
-moduleinfo = {'version': '0.2', 'author': 'Andras Iklody',
- 'description': 'Simple CSV import tool with mapable columns',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.2',
+ 'author': 'Andras Iklody',
+ 'description': 'Simple CSV import tool with mapable columns',
+ 'module-type': ['import'],
+ 'name': 'CSV Test Import',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
moduleconfig = []
diff --git a/misp_modules/modules/import_mod/threatanalyzer_import.py b/misp_modules/modules/import_mod/threatanalyzer_import.py
index cbb9fefe..0d764320 100755
--- a/misp_modules/modules/import_mod/threatanalyzer_import.py
+++ b/misp_modules/modules/import_mod/threatanalyzer_import.py
@@ -15,9 +15,19 @@ misperrors = {'error': 'Error'}
userConfig = {}
inputSource = ['file']
-moduleinfo = {'version': '0.10', 'author': 'Christophe Vandeplas',
- 'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.10',
+ 'author': 'Christophe Vandeplas',
+ 'description': 'Module to import ThreatAnalyzer archive.zip / analysis.json files.',
+ 'module-type': ['import'],
+ 'name': 'ThreadAnalyzer Sandbox Import',
+ 'logo': '',
+ 'requirements': [],
+ 'features': 'The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be either ZIP, or JSON format.\nThere is by the way no special feature for users to make the module work.',
+ 'references': ['https://www.threattrack.com/malware-analysis.aspx'],
+ 'input': 'ThreatAnalyzer format file',
+ 'output': 'MISP Event attributes',
+}
moduleconfig = []
log = logging.getLogger('misp-modules')
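Review bot: `'name': 'ThreadAnalyzer Sandbox Import'` misspells the product; the file name, description and input field all say ThreatAnalyzer, so this should be `'name': 'ThreatAnalyzer Sandbox Import',`. The same slip appears at the top of this chunk in the threatconnect export module (`'name': 'ThreadConnect Export'`, should be ThreatConnect). Since `name` is what the generated documentation and the /modules introspection expose, the typo propagates straight into user-facing listings.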
diff --git a/misp_modules/modules/import_mod/url_import.py b/misp_modules/modules/import_mod/url_import.py
index 35b1f5eb..1405f7e1 100755
--- a/misp_modules/modules/import_mod/url_import.py
+++ b/misp_modules/modules/import_mod/url_import.py
@@ -18,14 +18,25 @@ mispattributes = {
}
-moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem',
- 'description': 'Generic blueprint to be copy-pasted to quickly boostrap creation of import module.',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.1',
+ 'author': 'Sami Mokaddem',
+ 'description': 'Simple URL import tool with Faup',
+ 'module-type': ['import'],
+ 'name': 'URL Import',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
+}
moduleconfig = []
fp = Faup()
+
def generateData(event, data, config):
for url in data.splitlines():
fp.decode(url)
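Review bot: `'requirements': []` is wrong for this module: `fp = Faup()` two lines below the dictionary shows it depends on the Faup python bindings, so list them, e.g. `'requirements': ['Faup python library'],`. `features`, `input` and `output` are left empty, so the generated doc page will say nothing about a module whose visible code iterates `data.splitlines()` and decodes each line as a URL; `'input': 'Newline-separated list of URLs'` would already be grounded in that loop.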
diff --git a/misp_modules/modules/import_mod/vmray_import.py b/misp_modules/modules/import_mod/vmray_import.py
index 8385634e..72d58a8a 100644
--- a/misp_modules/modules/import_mod/vmray_import.py
+++ b/misp_modules/modules/import_mod/vmray_import.py
@@ -20,9 +20,19 @@ from _vmray.parser import VMRayParser, VMRayParseError
misperrors = {'error': 'Error'}
-moduleinfo = {'version': '0.4', 'author': 'Jens Thom (VMRay), Koen van Impe',
- 'description': 'Import VMRay analysis results from a server',
- 'module-type': ['import']}
+moduleinfo = {
+ 'version': '0.4',
+ 'author': 'Jens Thom (VMRay), Koen van Impe',
+ 'description': 'Module to import VMRay (VTI) results.',
+ 'module-type': ['import'],
+ 'name': 'VMRay API Import',
+ 'logo': 'vmray.png',
+ 'requirements': ['vmray_rest_api'],
+ 'features': 'The module imports MISP Attributes from VMRay format, using the VMRay api.\nUsers should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.',
+ 'references': ['https://www.vmray.com/'],
+ 'input': 'VMRay format',
+ 'output': 'MISP Event attributes',
+}
mispattributes = {
'inputSource': [],
diff --git a/misp_modules/modules/import_mod/vmray_summary_json_import.py b/misp_modules/modules/import_mod/vmray_summary_json_import.py
index e7f4985f..f0e96d5b 100644
--- a/misp_modules/modules/import_mod/vmray_summary_json_import.py
+++ b/misp_modules/modules/import_mod/vmray_summary_json_import.py
@@ -8,10 +8,17 @@ misperrors = {'error': 'Error'}
moduleconfig = ["disable_tags"]
moduleinfo = {
- "version": "0.1",
- "author": "VMRay",
- "description": "Import a VMRay Summary JSON report.",
- "module-type": ["import"],
+ 'version': '0.1',
+ 'author': 'VMRay',
+ 'description': 'Import a VMRay Summary JSON report.',
+ 'module-type': ['import'],
+ 'name': 'VMRay Summary JSON Import',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': '',
}
mispattributes = {
diff --git a/mkdocs.yml b/mkdocs.yml
index b1dac326..29f20f4b 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -16,7 +16,7 @@ edit_uri: edit/main/docs/
use_directory_urls: true
# Copyright
-copyright: "Copyright © 2019-2023 MISP Project"
+copyright: "Copyright © 2019-2024 MISP Project"
# Options
extra:
@@ -87,6 +87,7 @@ nav:
- Expansion Modules: expansion.md
- Export Modules: export_mod.md
- Import Modules: import_mod.md
+ - Action Modules: action_mod.md
- Install Guides: install.md
- Contribute: contribute.md
# - 'Ubuntu 18.04': 'INSTALL.ubuntu1804.md'
diff --git a/tests/test.py b/tests/test.py
index 13356694..055a9c6d 100644
--- a/tests/test.py
+++ b/tests/test.py
@@ -14,6 +14,9 @@ from email.mime.application import MIMEApplication
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.header import Header
+from pathlib import Path
+import importlib.util
+import sys
class TestModules(unittest.TestCase):
@@ -28,6 +31,65 @@ class TestModules(unittest.TestCase):
print(response.json())
response.connection.close()
+ def test_introspection_module_init(self):
+ """checks if all modules are offered through the misp-modules service"""
+ try:
+ response = requests.get(self.url + "modules")
+ modules_api = [module["name"] for module in response.json()]
+ issues_found = []
+ root_path = Path(__file__).resolve().parent.parent
+ modules_path = root_path / 'misp_modules' / 'modules'
+ for d in os.listdir(modules_path):
+ if d.startswith('__'):
+ continue
+ mod_d_path = modules_path / d
+ module_files = [file[:-3] for file in os.listdir(mod_d_path) if file.endswith(".py") if file not in ['__init__.py', 'testimport.py']]
+ for module in module_files:
+ if module not in modules_api:
+ issues_found.append(f"Missing module {module} in {d}/__init__.py.")
+ self.assertEqual(issues_found, [], f"Found issues: \n{'\n- '.join(issues_found)}")
+ finally:
+ response.connection.close()
+
+ def test_introspection_module_structure(self):
+ moduleinfo_template = {
+ 'version': '1.0',
+ 'author': '',
+ 'module-type': [],
+ 'name': '',
+ 'description': '',
+ 'logo': '',
+ 'requirements': [],
+ 'features': '',
+ 'references': [],
+ 'input': '',
+ 'output': ''
+ }
+ root_path = Path(__file__).resolve().parent.parent
+ modules_path = root_path / 'misp_modules' / 'modules'
+ issues_found = []
+
+ for d in os.listdir(modules_path):
+ if d.startswith('__'):
+ continue
+
+ d_module = importlib.import_module(f"misp_modules.modules.{d}")
+ for module_name in d_module.__all__:
+ try:
+ module_package_name = f"misp_modules.modules.{d}.{module_name}"
+ module = importlib.import_module(module_package_name)
+ moduleinfo = module.version()
+ for k in moduleinfo_template.keys():
+ if k not in moduleinfo:
+ issues_found.append(f"Module {d}.{module_name}: Key {k} not in moduleinfo.")
+ # sys.path.remove(str(m.parent))
+ except Exception as e:
+ issues_found.append(f"Error loading {module_name}: {e}")
+ continue
+
+ sys.path.remove(str(root_path / 'misp_modules' / 'lib'))
+ self.assertEqual(issues_found, [], f"Found issues: \n{'\n- '.join(issues_found)}")
+
def test_cve(self):
with open('tests/bodycve.json', 'r') as f:
response = requests.post(self.url + "query", data=f.read())
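Review bot: `f"Found issues: \n{'\n- '.join(issues_found)}"`, used at the end of both new tests, puts a backslash inside the f-string replacement field, which is a SyntaxError on every Python before 3.12 and takes the whole tests/test.py module down with it, not just these two tests. Build the separator outside the expression: `details = "\n- ".join(issues_found)` followed by `self.assertEqual(issues_found, [], f"Found issues:\n- {details}")`. In test_introspection_module_init, `response` is first assigned inside the `try`, so if `requests.get` raises, the `finally` block fails with an UnboundLocalError that masks the real error; perform the `get` before entering the `try`. `sys.path.remove(str(root_path / 'misp_modules' / 'lib'))` removes a path this test never added and raises ValueError when it is absent — presumably an import side effect puts it there, but that deserves a comment or a guard.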
@@ -78,8 +140,8 @@ class TestModules(unittest.TestCase):
print("OpenIOC :: {}".format(response))
values = [x["values"][0] for x in response["results"]]
- assert("mrxcls.sys" in values)
- assert("mdmcpq3.PNF" in values)
+ assert ("mrxcls.sys" in values)
+ assert ("mdmcpq3.PNF" in values)
@unittest.skip("Need Rewrite")
def test_email_headers(self):
@@ -186,7 +248,6 @@ class TestModules(unittest.TestCase):
self.assertEqual(attch_data,
b'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-')
-
@unittest.skip("Need Rewrite")
def test_email_dont_unpack_compressed_doc_attachments(self):
"""Ensures that compressed
@@ -346,7 +407,7 @@ class TestModules(unittest.TestCase):
@unittest.skip("Need Rewrite")
def test_email_body_encoding(self):
- query = {"module":"email_import"}
+ query = {"module": "email_import"}
query["config"] = {"unzip_attachments": None,
"guess_zip_attachment_passwords": None,
"extract_urls": None}
@@ -364,10 +425,9 @@ class TestModules(unittest.TestCase):
self.assertNotIn('error', response, response.get('error', ""))
self.assertIn('results', response, "No server results found.")
-
@unittest.skip("Need Rewrite")
def test_email_header_proper_encoding(self):
- query = {"module":"email_import"}
+ query = {"module": "email_import"}
query["config"] = {"unzip_attachments": None,
"guess_zip_attachment_passwords": None,
"extract_urls": None}
@@ -432,7 +492,7 @@ class TestModules(unittest.TestCase):
@unittest.skip("Need Rewrite")
def test_email_header_malformed_encoding(self):
- query = {"module":"email_import"}
+ query = {"module": "email_import"}
query["config"] = {"unzip_attachments": None,
"guess_zip_attachment_passwords": None,
"extract_urls": None}
@@ -500,7 +560,7 @@ class TestModules(unittest.TestCase):
@unittest.skip("Need Rewrite")
def test_email_header_CJK_encoding(self):
- query = {"module":"email_import"}
+ query = {"module": "email_import"}
query["config"] = {"unzip_attachments": None,
"guess_zip_attachment_passwords": None,
"extract_urls": None}
@@ -528,7 +588,7 @@ class TestModules(unittest.TestCase):
@unittest.skip("Need Rewrite")
def test_email_malformed_header_CJK_encoding(self):
- query = {"module":"email_import"}
+ query = {"module": "email_import"}
query["config"] = {"unzip_attachments": None,
"guess_zip_attachment_passwords": None,
"extract_urls": None}
@@ -559,7 +619,7 @@ class TestModules(unittest.TestCase):
@unittest.skip("Need Rewrite")
def test_email_malformed_header_emoji_encoding(self):
- query = {"module":"email_import"}
+ query = {"module": "email_import"}
query["config"] = {"unzip_attachments": None,
"guess_zip_attachment_passwords": None,
"extract_urls": None}
@@ -600,8 +660,8 @@ class TestModules(unittest.TestCase):
with open("tests/EICAR.com", "rb") as fp:
eicar_mime = MIMEApplication(fp.read(), 'com')
eicar_mime.add_header('Content-Disposition',
- 'attachment',
- filename="Emoji Test 👍 checking this")
+ 'attachment',
+ filename="Emoji Test 👍 checking this")
message.attach(eicar_mime)
query['data'] = decode_email(message)
data = json.dumps(query)
@@ -615,7 +675,6 @@ class TestModules(unittest.TestCase):
attch_data = base64.b64decode(i["data"])
self.assertEqual(attch_data, b'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-')
-
@unittest.skip("Need Rewrite")
def test_email_attachment_password_in_subject(self):
query = {"module": "email_import"}