diff --git a/REQUIREMENTS b/REQUIREMENTS index e749db9..73b002a 100644 --- a/REQUIREMENTS +++ b/REQUIREMENTS @@ -95,6 +95,7 @@ sparqlwrapper==1.8.5 stix2-patterns==1.3.0 tabulate==0.8.7 tornado==6.0.4 +trustar==0.3.28 url-normalize==1.4.1 urlarchiver==0.2 urllib3==1.25.8 diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py index 82264fa..c05804b 100644 --- a/misp_modules/modules/expansion/__init__.py +++ b/misp_modules/modules/expansion/__init__.py @@ -1,6 +1,7 @@ from . import _vmray # noqa import os import sys + sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3]))) __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl', @@ -16,4 +17,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c 'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus', 'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid', 'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', - 'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich'] + 'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich', + 'trustar_enrich'] diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py new file mode 100644 index 0000000..e786ff3 --- /dev/null +++ b/misp_modules/modules/expansion/trustar_enrich.py @@ -0,0 +1,63 @@ +import json +from pymisp import MISPAttribute, MISPEvent, MISPObject +from trustar import TruStar + +misperrors = {'error': "Error"} +mispattributes = {'input': ["btc", "domain","email-src", "filename", "hostname", "ip-src", "ip-dst", "malware-type", "md5", "sha1", "sha256", "url"], 'format': 'misp_standard'} + +moduleinfo = {'version': "0.1", 'author': "Jesse Hedden", + 'description': "Enrich data with TruSTAR", + 'module-type': ["hover", "expansion"]} + +moduleconfig = ["api_key", "api_secret", "enclave_ids"] + + +def get_results(misp_event): + event = json.loads(misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object')} + return {'results': results} + +def parse_indicator_summary(attribute, summary): + misp_event = MISPEvent() + misp_attribute = MISPAttribute().from_dict(**attribute) + misp_event.add_attribute(**misp_attribute) + + mapping = {'value': 'text', 'reportId': 'text', 'enclaveId': 'text', 'description': 'text'} + + for item in summary.get('items'): + trustar_obj = MISPObject(attribute.value) + for key, attribute_type in mapping.items(): + trustar_obj.add_attribute(key, attribute_type=attribute_type, value=item[key]) + trustar_obj.add_reference(misp_attribute.uuid, 'associated-to') + misp_event.add_object(**trustar_obj) + + return misp_event + + +def handler(q=False): + + if q is False: + return False + + request = json.loads(q) + config = request.get('config', {}) + if not config.get('api_key') or not config.get('api_secret'): + misperrors['error'] = "Your TruSTAR API key and secret are required for indicator enrichment." + return misperrors + + enclave_ids = [enclave_id for enclave_id in config.get('enclave_ids', "").split(',')] + ts_client = TruStar(config={'user_api_key': config.get('api_key'), 'user_api_secret': config.get('api_secret'), 'enclave_ids': enclave_ids}) + attribute = request.get('attribute') + + summary = ts_client.get_indicator_summaries(attribute) + + misp_event = parse_indicator_summary(attribute, summary) + return get_results(misp_event) + +def introspection(): + return mispattributes + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo + diff --git a/misp_modules/modules/import_mod/trustar_import.py b/misp_modules/modules/import_mod/trustar_import.py new file mode 100644 index 0000000..e69de29