add: More documentation on expansion modules

2018-11-19 10:29:25 +01:00 · 2018-11-19 10:29:25 +01:00 · 87e9238365
parent b778dd5e67
commit 87e9238365
8 changed files with 38 additions and 8 deletions
--- a/doc/expansion/crowdstrike_falcon.json
+++ b/doc/expansion/crowdstrike_falcon.json
@ -3,7 +3,7 @@
    "logo": "logos/crowdstrike.png",
    "requirements": ["A CrowdStrike API access (API id & key)"],
    "input": "A MISP attribute included in the following list:\n- domain\n- email-attachment\n- email-dst\n- email-reply-to\n- email-src\n- email-subject\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- mutex\n- regkey\n- sha1\n- sha256\n- uri\n- url\n- user-agent\n- whois-registrant-email\n- x509-fingerprint-md5",
-    "output": "MISP attributes fetched after the CrowdStrike API has been queried, included in the following list:\n- hostname\n- email-src\n- email-subject\n- filename\n- md5\n- sha1\n- sha256\n- ip-dst\n- ip-dst\n- mutex\n- regkey\n- url\n- user-agent\n- x509-fingerprint-md5",
+    "output": "MISP attributes mapped after the CrowdStrike API has been queried, included in the following list:\n- hostname\n- email-src\n- email-subject\n- filename\n- md5\n- sha1\n- sha256\n- ip-dst\n- ip-dst\n- mutex\n- regkey\n- url\n- user-agent\n- x509-fingerprint-md5",
    "references": ["https://www.crowdstrike.com/products/crowdstrike-falcon-faq/"],
-    "features": "This module takes a MISP attribute as input to query a CrowdStrike Falcon API, using an api_id and an apikey.\n\nThe API returns then the result of the query with some types we map into compatible types we add as MISP attributes."
+    "features": "This module takes a MISP attribute as input to query a CrowdStrike Falcon API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.\n\nPlease note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported."
 }
--- a/doc/expansion/dbl_spamhaus.json
+++ b/doc/expansion/dbl_spamhaus.json
@ -1,4 +1,9 @@
 {
    "description": "Module to check Spamhaus DBL for a domain name.",
-    "logo": "logos/spamhaus.jpg"
+    "logo": "logos/spamhaus.jpg",
+    "requirements": ["dnspython3: DNS python3 library"],
+    "input": "Domain or hostname attribute.",
+    "output": "Information about the nature of the input.",
+    "references": ["https://www.spamhaus.org/faq/section/Spamhaus%20DBL"],
+    "features": "This modules takes a domain or a hostname in input and queries the Domain Block List provided by Spamhaus to determine what kind of domain it is.\n\nDBL then returns a response code corresponding to a certain classification of the domain we display. If the queried domain is not in the list, it is also mentionned.\n\nPlease note that composite MISP attributes containing domain or hostname are supported as well."
 }
--- a/doc/expansion/dns.json
+++ b/doc/expansion/dns.json
@ -1,3 +1,7 @@
 {
-    "description": "A simple DNS expansion service to resolve IP address from MISP attributes."
+    "description": "A simple DNS expansion service to resolve IP address from domain MISP attributes.",
+    "requirements": ["dnspython3: DNS python3 library"],
+    "input": "Domain or hostname attribute.",
+    "output": "IP address resolving the input.",
+    "features": "The module takes a domain of hostname attribute as input, and tries to resolve it. If no error is encountered, the IP address that resolves the domain is returned, otherwise the origin of the error is displayed.\n\nThe address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).\n\nPlease note that composite MISP attributes containing domain or hostname are supported as well."
 }
--- a/doc/expansion/domaintools.json
+++ b/doc/expansion/domaintools.json
@ -1,4 +1,9 @@
 {
    "description": "DomainTools MISP expansion module.",
-    "logo": "logos/domaintools.png"
+    "logo": "logos/domaintools.png",
+    "requirements": ["Domaintools python library", "A Domaintools API access (username & apikey)"],
+    "input": "A MISP attribute included in the following list:\n- domain\n- hostname\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-name\n- whois-registrant-phone\n- ip-src\n- ip-dst",
+    "output": "MISP attributes mapped after the Domaintools API has been queried, included in the following list:\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- text\n- domain",
+    "references": ["https://www.domaintools.com/"],
+    "features": "This module takes a MISP attribute as input to query the Domaintools API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.\n\nPlease note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported."
 }
--- a/doc/expansion/eupi.json
+++ b/doc/expansion/eupi.json
@ -1,4 +1,9 @@
 {
    "description": "A module to query the Phishing Initiative service (https://phishing-initiative.lu).",
-    "logo": "logos/eupi.png"
+    "logo": "logos/eupi.png",
+    "requirements": ["pyeupi: eupi python library", "An access to the Phishing Initiative API (apikey & url)"],
+    "input": "A domain, hostname or url MISP attribute.",
+    "output": "Text containing information about the input, resulting from the query on Phishing Initiative.",
+    "references": ["https://phishing-initiative.eu/?lang=en"],
+    "features": "This module takes a domain, hostname or url MISP attribute as input to query the Phishing Initiative API. The API returns then the result of the query with some information about the value queried.\n\nPlease note that composite attributes containing domain or hostname are also supported."
 }
--- a/doc/expansion/farsight_passivedns.json
+++ b/doc/expansion/farsight_passivedns.json
@ -1,4 +1,9 @@
 {
    "description": "Module to access Farsight DNSDB Passive DNS.",
-    "logo": "logos/farsight.png"
+    "logo": "logos/farsight.png",
+    "requirements": ["An access to the Farsight Passive DNS API (apikey)"],
+    "input": "A domain, hostname or IP address MISP attribute.",
+    "output": "Text containing information about the input, resulting from the query on the Farsight Passive DNS API.",
+    "references": ["https://www.farsightsecurity.com/"],
+    "features": "This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API. The API returns then the result of the query with some information about the value queried."
 }
--- a/doc/expansion/geoip_country.json
+++ b/doc/expansion/geoip_country.json
@ -1,3 +1,9 @@
 {
-    "description": "Module to query a local copy of Maxminds Geolite database."
+    "description": "Module to query a local copy of Maxmind's Geolite database.",
+    "logo": "logos/maxmind.png",
+    "requirements": ["A local copy of Maxmind's Geolite database"],
+    "input": "An IP address MISP Attribute.",
+    "output": "Text containing information about the location of the IP address.",
+    "references": ["https://www.maxmind.com/en/home"],
+    "features": "This module takes an IP address MISP attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the location of this IP address.\n\nPlease note that composite attributes domain|ip are also supported."
 }
--- a/doc/logos/maxmind.png
+++ b/doc/logos/maxmind.png