
add: Added documentation for the AssemblyLine query module

pull/352/head
chrisr3d 2 years ago
parent
commit
bf1ba161af
No known key found for this signature in database GPG Key ID: 6BBED1B63A6D639F
Files changed:
  1. README.md (1 changed line)
  2. doc/README.md (24 changed lines)
  3. doc/expansion/assemblyline_query.json (9 changed lines)
  4. doc/expansion/assemblyline_submit.json (2 changed lines)

README.md (1 changed line)

@ -19,6 +19,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
* [apiosintDS](misp_modules/modules/expansion/apiosintds.py) - a hover and expansion module to query the OSINT.digitalside.it API.
* [AssemblyLine submit](misp_modules/modules/expansion/assemblyline_submit.py) - an expansion module to submit samples and urls to AssemblyLine.
* [AssemblyLine query](misp_modules/modules/expansion/assemblyline_query.py) - an expansion module to query AssemblyLine and parse the full submission report.
* [Backscatter.io](misp_modules/modules/expansion/backscatter_io.py) - a hover and expansion module to expand an IP address with mass-scanning observations.
* [BGP Ranking](misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
* [BTC scam check](misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused.
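Review bot: the new `* [AssemblyLine query](...)` line is inserted after the AssemblyLine submit entry, but the surrounding list is alphabetical (apiosintDS, AssemblyLine, Backscatter.io, BGP Ranking, BTC scam check), and "query" sorts before "submit"; move the new entry above the `* [AssemblyLine submit](...)` line so the ordering holds.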

doc/README.md (24 changed lines)

@ -22,13 +22,35 @@ On demand query API for OSINT.digitalside.it project.
-----
#### [assemblyline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/assemblyline_query.py)
<img src=logos/assemblyline.png height=60>
A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.
- **features**:
>The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the used-ID and an API key or the password associated to the user-ID.
>
>The submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.
>
>Some more data may be parsed in the future.
- **input**:
>Link of an AssemblyLine submission report.
- **output**:
>MISP attributes & objects parsed from the AssemblyLine submission.
- **references**:
>https://www.cyber.cg.ca/en/assemblyline
- **requirements**:
>assemblyline_client: Python library to query the AssemblyLine rest API.
-----
#### [assemblyline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/assemblyline_submit.py)
<img src=logos/assemblyline.png height=60>
A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.
- **features**:
>The module requires the address of the AssemblyLine server you want to query as well as your credentials in this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.
>The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.
>
>If the sample or url is correctly submitted, you get then the link of the submission.
- **input**:
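Review bot: the new assemblyline_query section carries three text errors that will end up in the rendered documentation: "A module tu query the AssemblyLine API" should read "A module to query", "Credentials include the used-ID" should read "user-ID", and the reference `https://www.cyber.cg.ca/en/assemblyline` has the wrong domain (the assemblyline_submit section below uses `https://www.cyber.gc.ca/en/assemblyline`). The identical text is added to doc/expansion/assemblyline_query.json in this same commit, so correct both copies together so the README and the JSON description do not drift apart.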

doc/expansion/assemblyline_query.json (9 changed lines)

@ -0,0 +1,9 @@
{
"description": "A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.",
"logo": "logos/assemblyline.png",
"requirements": ["assemblyline_client: Python library to query the AssemblyLine rest API."],
"input": "Link of an AssemblyLine submission report.",
"output": "MISP attributes & objects parsed from the AssemblyLine submission.",
"references": ["https://www.cyber.cg.ca/en/assemblyline"],
"features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the used-ID and an API key or the password associated to the user-ID.\n\nThe submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.\n\nSome more data may be parsed in the future."
}
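Review bot: the same typos as in doc/README.md are present in this JSON file: `"description"` has "A module tu query" (should be "to query"), `"features"` has "used-ID" (should be "user-ID"), and `"references"` points at `https://www.cyber.cg.ca/en/assemblyline` while the sibling assemblyline_submit.json uses `https://www.cyber.gc.ca/en/assemblyline`. Fix all three here as well; the file otherwise parses as valid JSON and the key set matches the submit module's description.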

doc/expansion/assemblyline_submit.json (2 changed lines)

@ -5,5 +5,5 @@
"input": "Sample, or url to submit to AssemblyLine.",
"output": "Link of the report generated in AssemblyLine.",
"references": ["https://www.cyber.gc.ca/en/assemblyline"],
"features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials in this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.\n\nIf the sample or url is correctly submitted, you get then the link of the submission."
"features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.\n\nIf the sample or url is correctly submitted, you get then the link of the submission."
}
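Review bot: the only change here is rewording "your credentials in this instance" to "your credentials used for this instance" in `"features"`; while that line is being touched, "you get then the link of the submission" reads awkwardly and "the password associated to the user-ID" should be "associated with"; suggest ending the string with "... the link to the submission is returned." so it matches the `"output"` line above it.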
