initial commit. not a working product. need to create a class to manage the MISP event and TruStar client

REQUIREMENTS

@@ -95,6 +95,7 @@ sparqlwrapper==1.8.5
 stix2-patterns==1.3.0
 tabulate==0.8.7
 tornado==6.0.4
+trustar==0.3.28
 url-normalize==1.4.1
 urlarchiver==0.2
 urllib3==1.25.8

misp_modules/modules/expansion/__init__.py

@@ -1,6 +1,7 @@
 from . import _vmray  # noqa
 import os
 import sys
+
 sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3])))
 
 __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
@@ -16,4 +17,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
            'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
            'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
            'assemblyline_submit', 'assemblyline_query', 'ransomcoindb',
-           'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich']
+           'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich',
+           'trustar_enrich']

misp_modules/modules/expansion/trustar_enrich.py

@@ -0,0 +1,63 @@
+import json
+from pymisp import MISPAttribute, MISPEvent, MISPObject
+from trustar import TruStar
+
+misperrors = {'error': "Error"}
+mispattributes = {'input': ["btc", "domain","email-src", "filename", "hostname", "ip-src", "ip-dst", "malware-type", "md5", "sha1", "sha256", "url"], 'format': 'misp_standard'}
+
+moduleinfo = {'version': "0.1", 'author': "Jesse Hedden",
+              'description': "Enrich data with TruSTAR",
+              'module-type': ["hover", "expansion"]}
+
+moduleconfig = ["api_key", "api_secret", "enclave_ids"]
+
+
+def get_results(misp_event):
+    event = json.loads(misp_event.to_json())
+    results = {key: event[key] for key in ('Attribute', 'Object')}
+    return {'results': results}
+
+def parse_indicator_summary(attribute, summary):
+    misp_event = MISPEvent()
+    misp_attribute = MISPAttribute().from_dict(**attribute)
+    misp_event.add_attribute(**misp_attribute)
+
+    mapping = {'value': 'text', 'reportId': 'text', 'enclaveId': 'text', 'description': 'text'}
+
+    for item in summary.get('items'):
+        trustar_obj = MISPObject(attribute.value)
+        for key, attribute_type in mapping.items():
+            trustar_obj.add_attribute(key, attribute_type=attribute_type, value=item[key])
+        trustar_obj.add_reference(misp_attribute.uuid, 'associated-to')
+        misp_event.add_object(**trustar_obj)
+
+    return misp_event
+
+
+def handler(q=False):
+
+    if q is False:
+        return False
+
+    request = json.loads(q)
+    config = request.get('config', {})
+    if not config.get('api_key') or not config.get('api_secret'):
+        misperrors['error'] = "Your TruSTAR API key and secret are required for indicator enrichment."
+        return misperrors
+
+    enclave_ids = [enclave_id for enclave_id in config.get('enclave_ids', "").split(',')]
+    ts_client = TruStar(config={'user_api_key': config.get('api_key'), 'user_api_secret': config.get('api_secret'), 'enclave_ids': enclave_ids})
+    attribute = request.get('attribute')
+
+    summary = ts_client.get_indicator_summaries(attribute)
+
+    misp_event = parse_indicator_summary(attribute, summary)
+    return get_results(misp_event)
+
+def introspection():
+    return mispattributes
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo
+