From a88f19942f75885b74678314c710925d1eafa29a Mon Sep 17 00:00:00 2001
From: chrisr3d <chris.studer.68@gmail.com>
Date: Fri, 10 Jan 2020 16:19:00 +0100
Subject: [PATCH] new: Updated ipasn and added vt_graph documentation

---
 README.md                    | 37 ++++++++++++++++++------------------
 doc/README.md                | 24 +++++++++++++++++++++--
 doc/expansion/ipasn.json     |  4 ++--
 doc/export_mod/vt_graph.json |  9 +++++++++
 4 files changed, 52 insertions(+), 22 deletions(-)
 create mode 100644 doc/export_mod/vt_graph.json

diff --git a/README.md b/README.md
index d0296a8..af78ca5 100644
--- a/README.md
+++ b/README.md
@@ -89,27 +89,28 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 
 ### Export modules
 
-* [CEF](misp_modules/modules/export_mod/cef_export.py) module to export Common Event Format (CEF).
-* [Cisco FireSight Manager ACL rule](misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) module to export as rule for the Cisco FireSight manager ACL.
-* [GoAML export](misp_modules/modules/export_mod/goamlexport.py) module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html).
-* [Lite Export](misp_modules/modules/export_mod/liteexport.py) module to export a lite event.
-* [PDF export](misp_modules/modules/export_mod/pdfexport.py) module to export an event in PDF.
-* [Mass EQL Export](misp_modules/modules/export_mod/mass_eql_export.py) module to export applicable attributes from an event to a mass EQL query. 
-* [Nexthink query format](misp_modules/modules/export_mod/nexthinkexport.py) module to export in Nexthink query format.
-* [osquery](misp_modules/modules/export_mod/osqueryexport.py) module to export in [osquery](https://osquery.io/) query format.
-* [ThreatConnect](misp_modules/modules/export_mod/threat_connect_export.py) module to export in ThreatConnect CSV format.
-* [ThreatStream](misp_modules/modules/export_mod/threatStream_misp_export.py) module to export in ThreatStream format.
+* [CEF](misp_modules/modules/export_mod/cef_export.py) - module to export Common Event Format (CEF).
+* [Cisco FireSight Manager ACL rule](misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) - module to export as rule for the Cisco FireSight manager ACL.
+* [GoAML export](misp_modules/modules/export_mod/goamlexport.py) - module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html).
+* [Lite Export](misp_modules/modules/export_mod/liteexport.py) - module to export a lite event.
+* [PDF export](misp_modules/modules/export_mod/pdfexport.py) - module to export an event in PDF.
+* [Mass EQL Export](misp_modules/modules/export_mod/mass_eql_export.py) - module to export applicable attributes from an event to a mass EQL query.
+* [Nexthink query format](misp_modules/modules/export_mod/nexthinkexport.py) - module to export in Nexthink query format.
+* [osquery](misp_modules/modules/export_mod/osqueryexport.py) - module to export in [osquery](https://osquery.io/) query format.
+* [ThreatConnect](misp_modules/modules/export_mod/threat_connect_export.py) - module to export in ThreatConnect CSV format.
+* [ThreatStream](misp_modules/modules/export_mod/threatStream_misp_export.py) - module to export in ThreatStream format.
+* [VirusTotal Graph](misp_modules/modules/export_mod/vt_graph.py) - Module to create a VirusTotal graph out of an event.
 
 ### Import modules
 
-* [CSV import](misp_modules/modules/import_mod/csvimport.py) Customizable CSV import module.
-* [Cuckoo JSON](misp_modules/modules/import_mod/cuckooimport.py) Cuckoo JSON import.
-* [Email Import](misp_modules/modules/import_mod/email_import.py) Email import module for MISP to import basic metadata.
-* [GoAML import](misp_modules/modules/import_mod/goamlimport.py) Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format.
-* [Joe Sandbox import](misp_modules/modules/import_mod/joe_import.py) Parse data from a Joe Sandbox json report.
-* [Lastline import](misp_modules/modules/import_mod/lastline_import.py) Module to import Lastline analysis reports.
-* [OCR](misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
-* [OpenIOC](misp_modules/modules/import_mod/openiocimport.py) OpenIOC import based on PyMISP library.
+* [CSV import](misp_modules/modules/import_mod/csvimport.py) - Customizable CSV import module.
+* [Cuckoo JSON](misp_modules/modules/import_mod/cuckooimport.py) - Cuckoo JSON import.
+* [Email Import](misp_modules/modules/import_mod/email_import.py) - Email import module for MISP to import basic metadata.
+* [GoAML import](misp_modules/modules/import_mod/goamlimport.py) - Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format.
+* [Joe Sandbox import](misp_modules/modules/import_mod/joe_import.py) - Parse data from a Joe Sandbox json report.
+* [Lastline import](misp_modules/modules/import_mod/lastline_import.py) - Module to import Lastline analysis reports.
+* [OCR](misp_modules/modules/import_mod/ocr.py) - Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
+* [OpenIOC](misp_modules/modules/import_mod/openiocimport.py) - OpenIOC import based on PyMISP library.
 * [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
 * [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
 
diff --git a/doc/README.md b/doc/README.md
index 64df950..2049803 100644
--- a/doc/README.md
+++ b/doc/README.md
@@ -532,11 +532,11 @@ Module to access intelmqs eventdb.
 
 Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).
 - **features**:
->This module takes an IP address attribute as input and queries the CIRCL IPASN service to get additional information about the input.
+>This module takes an IP address attribute as input and queries the CIRCL IPASN service. The result of the query is the latest asn related to the IP address, that is returned as a MISP object.
 - **input**:
 >An IP address MISP attribute.
 - **output**:
->Text describing additional information about the input after a query on the IPASN-history database.
+>Asn object(s) objects related to the IP address used as input.
 - **references**:
 >https://github.com/D4-project/IPASN-History
 - **requirements**:
@@ -1586,6 +1586,26 @@ Module to export a structured CSV file for uploading to ThreatConnect.
 
 -----
 
+#### [vt_graph](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/vt_graph.py)
+
+<img src=logos/virustotal.png height=60>
+
+This module is used to create a VirusTotal Graph from a MISP event.
+- **features**:
+>The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.
+>
+>Once the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.
+- **input**:
+>A MISP event.
+- **output**:
+>Link of the VirusTotal Graph created for the event.
+- **references**:
+>https://www.virustotal.com/gui/graph-overview
+- **requirements**:
+>vt_graph_api, the python library to query the VirusTotal graph API
+
+-----
+
 ## Import Modules
 
 #### [csvimport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/csvimport.py)
diff --git a/doc/expansion/ipasn.json b/doc/expansion/ipasn.json
index 68b10d1..8caed92 100644
--- a/doc/expansion/ipasn.json
+++ b/doc/expansion/ipasn.json
@@ -2,7 +2,7 @@
     "description": "Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).",
     "requirements": ["pyipasnhistory: Python library to access IPASN-history instance"],
     "input": "An IP address MISP attribute.",
-    "output": "Text describing additional information about the input after a query on the IPASN-history database.",
+    "output": "Asn object(s) objects related to the IP address used as input.",
     "references": ["https://github.com/D4-project/IPASN-History"],
-    "features": "This module takes an IP address attribute as input and queries the CIRCL IPASN service to get additional information about the input."
+    "features": "This module takes an IP address attribute as input and queries the CIRCL IPASN service. The result of the query is the latest asn related to the IP address, that is returned as a MISP object."
 }
diff --git a/doc/export_mod/vt_graph.json b/doc/export_mod/vt_graph.json
new file mode 100644
index 0000000..e317730
--- /dev/null
+++ b/doc/export_mod/vt_graph.json
@@ -0,0 +1,9 @@
+{
+    "description": "This module is used to create a VirusTotal Graph from a MISP event.",
+    "logo": "logos/virustotal.png",
+    "requirements": ["vt_graph_api, the python library to query the VirusTotal graph API"],
+    "features": "The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.\n\nOnce the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.",
+    "references": ["https://www.virustotal.com/gui/graph-overview"],
+    "input": "A MISP event.",
+    "output": "Link of the VirusTotal Graph created for the event."
+}