mirror of https://github.com/MISP/misp-modules
Modules for expansion services, import and export in MISP
http://misp.github.io/misp-modules
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
113 lines
2.9 KiB
113 lines
2.9 KiB
'''Export MISP event to VirusTotal Graph.''' |
|
|
|
|
|
import base64 |
|
import json |
|
from vt_graph_parser.importers.pymisp_response import from_pymisp_response |
|
|
|
|
|
misperrors = { |
|
'error': 'Error' |
|
} |
|
moduleinfo = { |
|
'version': '0.1', |
|
'author': 'VirusTotal', |
|
'description': 'Send event to VirusTotal Graph', |
|
'module-type': ['export'] |
|
} |
|
mispattributes = { |
|
'input': [ |
|
'hostname', |
|
'domain', |
|
'ip-src', |
|
'ip-dst', |
|
'md5', |
|
'sha1', |
|
'sha256', |
|
'url', |
|
'filename|md5', |
|
'filename' |
|
] |
|
} |
|
moduleconfig = [ |
|
'vt_api_key', |
|
'fetch_information', |
|
'private', |
|
'fetch_vt_enterprise', |
|
'expand_one_level', |
|
'user_editors', |
|
'user_viewers', |
|
'group_editors', |
|
'group_viewers' |
|
] |
|
|
|
|
|
def handler(q=False): |
|
"""Expansion handler. |
|
|
|
Args: |
|
q (bool, optional): module data. Defaults to False. |
|
|
|
Returns: |
|
[str]: VirusTotal graph links |
|
""" |
|
if not q: |
|
return False |
|
request = json.loads(q) |
|
|
|
if not request.get('config') or not request['config'].get('vt_api_key'): |
|
misperrors['error'] = 'A VirusTotal api key is required for this module.' |
|
return misperrors |
|
|
|
config = request['config'] |
|
|
|
api_key = config.get('vt_api_key') |
|
fetch_information = config.get('fetch_information') or False |
|
private = config.get('private') or False |
|
fetch_vt_enterprise = config.get('fetch_vt_enterprise') or False |
|
expand_one_level = config.get('expand_one_level') or False |
|
|
|
user_editors = config.get('user_editors') |
|
if user_editors: |
|
user_editors = user_editors.split(',') |
|
user_viewers = config.get('user_viewers') |
|
if user_viewers: |
|
user_viewers = user_viewers.split(',') |
|
group_editors = config.get('group_editors') |
|
if group_editors: |
|
group_editors = group_editors.split(',') |
|
group_viewers = config.get('group_viewers') |
|
if group_viewers: |
|
group_viewers = group_viewers.split(',') |
|
|
|
graphs = from_pymisp_response( |
|
request, api_key, fetch_information=fetch_information, |
|
private=private, fetch_vt_enterprise=fetch_vt_enterprise, |
|
user_editors=user_editors, user_viewers=user_viewers, |
|
group_editors=group_editors, group_viewers=group_viewers, |
|
expand_node_one_level=expand_one_level) |
|
links = [] |
|
|
|
for graph in graphs: |
|
graph.save_graph() |
|
links.append(graph.get_ui_link()) |
|
|
|
# This file will contains one VirusTotal graph link for each exported event |
|
file_data = str(base64.b64encode( |
|
bytes('\n'.join(links), 'utf-8')), 'utf-8') |
|
return {'response': [], 'data': file_data} |
|
|
|
|
|
def introspection(): |
|
modulesetup = { |
|
'responseType': 'application/txt', |
|
'outputFileExtension': 'txt', |
|
'userConfig': {}, |
|
'inputSource': [] |
|
} |
|
return modulesetup |
|
|
|
|
|
def version(): |
|
moduleinfo['config'] = moduleconfig |
|
return moduleinfo
|
|
|