misp-modules/docs/index.md

Home

MISP modules are autonomous modules that can be used for expansion and other services in MISP.

The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.

MISP modules support is included in MISP starting from version 2.4.28.

For more information: Extending MISP with Python modules slides from MISP training.

Existing MISP modules

Expansion modules

• Backscatter.io - a hover and expansion module to expand an IP address with mass-scanning observations.
• BGP Ranking - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
• BTC scam check - An expansion hover module to instantly check if a BTC address has been abused.
• BTC transactions - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
• CIRCL Passive DNS - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
• CIRCL Passive SSL - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
• countrycode - a hover module to tell you what country a URL belongs to.
• CrowdStrike Falcon - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
• CVE - a hover module to give more information about a vulnerability (CVE).
• CVE advanced - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
• Cuckoo submit - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.
• DBL Spamhaus - a hover module to check Spamhaus DBL for a domain name.
• DNS - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
• docx-enrich - an enrichment module to get text out of Word document into MISP (using free-text parser).
• DomainTools - a hover and expansion module to get information from DomainTools whois.
• EUPI - a hover and expansion module to get information about an URL from the Phishing Initiative project.
• EQL - an expansion module to generate event query language (EQL) from an attribute. Event Query Language
• Farsight DNSDB Passive DNS - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
• GeoIP - a hover and expansion module to get GeoIP information from geolite/maxmind.
• Greynoise - a hover to get information from greynoise.
• hashdd - a hover module to check file hashes against hashdd.com including NSLR dataset.
• hibp - a hover module to lookup against Have I Been Pwned?
• intel471 - an expansion module to get info from Intel471.
• IPASN - a hover and expansion to get the BGP ASN of an IP address.
• iprep - an expansion module to get IP reputation from packetmail.net.
• Joe Sandbox submit - Submit files and URLs to Joe Sandbox.
• Joe Sandbox query - Query Joe Sandbox with the link of an analysis and get the parsed data.
• macaddress.io - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from MAC address Vendor Lookup. See integration tutorial here.
• macvendors - a hover module to retrieve mac vendor information.
• ocr-enrich - an enrichment module to get OCRized data from images into MISP.
• ods-enrich - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).
• odt-enrich - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).
• onyphe - a modules to process queries on Onyphe.
• onyphe_full - a modules to process full queries on Onyphe.
• OTX - an expansion module for OTX.
• passivetotal - a passivetotal module that queries a number of different PassiveTotal datasets.
• pdf-enrich - an enrichment module to extract text from PDF into MISP (using free-text parser).
• pptx-enrich - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser).
• qrcode - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values.
• rbl - a module to get RBL (Real-Time Blackhost List) values from an attribute.
• reversedns - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
• securitytrails - an expansion module for securitytrails.
• shodan - a minimal shodan expansion module.
• Sigma queries - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.
• Sigma syntax validator - Sigma syntax validator.
• sourcecache - a module to cache a specific link from a MISP instance.
• STIX2 pattern syntax validator - a module to check a STIX2 pattern syntax.
• ThreatCrowd - an expansion module for ThreatCrowd.
• threatminer - an expansion module to expand from ThreatMiner.
• urlhaus - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
• urlscan - an expansion module to query urlscan.io.
• virustotal - an expansion module to query the VirusTotal API with a high request rate limit required. (More details about the API: here)
• virustotal_public - an expansion module to query the VirusTotal API with a public key and a low request rate limit. (More details about the API: here)
• VMray - a module to submit a sample to VMray.
• VulnDB - a module to query VulnDB.
• Vulners - an expansion module to expand information about CVEs using Vulners API.
• whois - a module to query a local instance of uwhois.
• wikidata - a wikidata expansion module.
• xforce - an IBM X-Force Exchange expansion module.
• xlsx-enrich - an enrichment module to get text out of an Excel document into MISP (using free-text parser).
• YARA query - a module to create YARA rules from single hash attributes.
• YARA syntax validator - YARA syntax validator.

Export modules

• CEF module to export Common Event Format (CEF).
• Cisco FireSight Manager ACL rule module to export as rule for the Cisco FireSight manager ACL.
• GoAML export module to export in GoAML format.
• Lite Export module to export a lite event.
• Mass EQL Export module to export applicable attributes from an event to a mass EQL query.
• PDF export module to export an event in PDF.
• Nexthink query format module to export in Nexthink query format.
• osquery module to export in osquery query format.
• ThreatConnect module to export in ThreatConnect CSV format.
• ThreatStream module to export in ThreatStream format.

Import modules

• CSV import Customizable CSV import module.
• Cuckoo JSON Cuckoo JSON import.
• Email Import Email import module for MISP to import basic metadata.
• GoAML import Module to import GoAML XML format.
• Joe Sandbox import Parse data from a Joe Sandbox json report.
• OCR Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
• OpenIOC OpenIOC import based on PyMISP library.
• ThreatAnalyzer - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
• VMRay - An import module to process VMRay export.

How to contribute your own module?

Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation. For further information please see Contribute.

Licenses

For further Information see also the license file.