From bd9316b3131c8567de619e0a937d3682865f1f2d Mon Sep 17 00:00:00 2001 From: Daniel Pascual Date: Mon, 13 May 2024 20:15:39 +0200 Subject: [PATCH] doc --- docs/index.md | 1 + docs/logos/google_threat_intelligence.png | Bin 0 -> 4748 bytes documentation/README.md | 44 ++++++++++++++++------ 3 files changed, 34 insertions(+), 11 deletions(-) create mode 100644 docs/logos/google_threat_intelligence.png diff --git a/docs/index.md b/docs/index.md index b3c588f9..817f9c49 100644 --- a/docs/index.md +++ b/docs/index.md @@ -38,6 +38,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/ * [EQL](misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/) * [Farsight DNSDB Passive DNS](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information. * [GeoIP](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind. +* [Google Threat Intelligence] (https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) - An expansion module to have the observable's threat score assessed by Google Threat Intelligence. * [Greynoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise. * [hashdd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) - a hover module to check file hashes against [hashdd.com](http://www.hashdd.com) including NSLR dataset. * [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) - a hover module to lookup against Have I Been Pwned? 
diff --git a/docs/logos/google_threat_intelligence.png b/docs/logos/google_threat_intelligence.png new file mode 100644 index 0000000000000000000000000000000000000000..d0aa76df55c37557113b9f2a6a4b3dd4a5bc34cf GIT binary patch literal 4748
The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. +>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. >The list of vulnerabilities is then parsed and returned as vulnerability objects. > >Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.
@@ -640,6 +640,7 @@ Module to query a local copy of Maxmind's Geolite database. #### [google_search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py) + - **descrption**: >A hover module to get information about an url using a Google search. - **features**: @@ -655,6 +656,27 @@ Module to query a local copy of Maxmind's Geolite database. ----- +#### [google_threat_intelligence](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) + + + +- **description**: +An expansion module to have the observable's threat score assessed by Google Threat Intelligence. +- **features**: +>The module gives the Google Threat Intelligence assessment including a verdict for the given obsevable. [Example screeshot](https://github.com/MISP/MISP/assets/4747608/e275db2f-bb1e-4413-8cc0-ec3cb05e0414) +] +- **input**: +>'hostname', 'domain', 'ip-src', 'ip-dst', 'md5', 'sha1', 'sha256', 'url'. +- **output**: +>Text fields containing the threat score, the severity, the verdict and the threat label of the observable inspected. +- **references**: +>https://gtidocs.virustotal.com/reference +- **requirements**: +>- pymisp +>- vt + +----- + #### [greynoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) 
@@ -745,7 +767,7 @@ Expansion module to fetch the html content from an url and convert it into markd HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure. - **features**: >This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API. -> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. +> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. > >An API key is required to submit queries to the HYAS Insight API. > @@ -819,9 +841,9 @@ Module to access intelmqs eventdb. An expansion module to query IP2Location.io to gather more information on a given IP address. - **features**: ->The module takes an IP address attribute as input and queries the IP2Location.io API. ->Free plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address. -> Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan. +>The module takes an IP address attribute as input and queries the IP2Location.io API. +>Free plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address. +> Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan. > >More information on the responses content is available in the [documentation](https://www.ip2location.io/ip2location-documentation). - **input**: 
@@ -857,7 +879,7 @@ Module to query an IP ASN history service (https://github.com/D4-project/IPASN-H An expansion module to query ipinfo.io to gather more information on a given IP address. - **features**: ->The module takes an IP address attribute as input and queries the ipinfo.io API. +>The module takes an IP address attribute as input and queries the ipinfo.io API. >The geolocation information on the IP address is always returned. > >Depending on the subscription plan, the API returns different pieces of information then: @@ -883,7 +905,7 @@ An expansion module to query ipinfo.io to gather more information on a given IP IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner. - **features**: >This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API. -> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object. +> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object. > The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore. - **input**: >A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone). @@ -1222,7 +1244,7 @@ Module to get information from AlienVault OTX. An expansion module to query the CIRCL Passive SSH. - **features**: >The module queries the Passive SSH service from CIRCL. -> +> > The module can be used an hover module but also an expansion model to add related MISP objects. > - **input**: 
@@ -1945,7 +1967,7 @@ Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd). An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information. -Our Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security. +Our Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security. Explore our website's product section at https://whoisfreaks.com/ for a wide range of additional services catering to threat intelligence and attack surface analysis needs. - **features**: >The module takes a domain as input and queries the Whoisfreaks API with it. @@ -2084,7 +2106,7 @@ Module to process a query on Yeti. > - https://github.com/sebdraven/pyeti - **requirements**: > - pyeti -> - API key +> - API key ----- 
@@ -2241,7 +2263,7 @@ Simple export of a MISP event to PDF. > 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies. > 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event ! > 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation. -> 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option +> 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option - **input**: >MISP Event - **output**:
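Review bot: the new bullet in the docs/index.md hunk (@@ -38,6 +38,7 @@) has a space between `]` and `(`, so `[Google Threat Intelligence] (https://github.com/...)` will not render as a markdown link; write it as `* [Google Threat Intelligence](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_threat_intelligence.py) - an expansion module ...`. The sibling entries also begin their description in lowercase ("a hover and expansion module ..."), so "An expansion module" should follow that convention.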
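Review bot: the @@ -640,6 +640,7 @@ hunk in documentation/README.md only inserts a blank line under the google_search heading, but the context line immediately below it reads `- **descrption**:`; since this commit is already touching that section, correcting the key to `- **description**:` here would be worthwhile.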
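Review bot: the google_threat_intelligence section added in the @@ -655,6 +656,27 @@ hunk has a stray line containing only `]` right after the features paragraph, which will render as a literal bracket; remove it. The same paragraph misspells "obsevable" and "screeshot" (observable, screenshot), and the description line `An expansion module to have the observable's threat score assessed by Google Threat Intelligence.` lacks the `>` quote prefix that the neighbouring google_search entry uses for its description text.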
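Review bot: in the @@ -745,7 +767,7 @@ hunk the rewritten line still reads `> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects.`; since the line is being modified anyway (only trailing whitespace changes), drop the duplicated `are than` so it reads `are then returned and parsed`.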
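Review bot: the @@ -819,9 +841,9 @@ hunk re-emits `>Free plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address.` with only whitespace changes; the touched line carries two typos (`information`, `subscription`) and a number-agreement problem (`Free plan users ... different subscription plans`) that could be fixed in the same change.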
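Review bot: the @@ -883,7 +905,7 @@ hunk modifies `> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object.` only to strip trailing whitespace; `are than returned` should become `are then returned` while the line is being edited.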