misp-modules/documentation/mkdocs/import_mod.md

11 KiB

PDNS COF Importer

Passive DNS Common Output Format (COF) MISP importer [source code]

  • features:

Takes as input a valid COF file or the output of the dnsdbflex utility and creates MISP objects for the input.

  • input:

Passive DNS output in Common Output Format (COF)

  • output:

MISP objects

  • references:

https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html

  • requirements:

PyMISP


CSV Import

Module to import MISP attributes from a csv file. [source code]

  • features:

In order to parse data from a csv file, a header is required to let the module know which column is matching with known attribute fields / MISP types.

This header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, ').

If the csv file already contains a header that does not start by a '#', you should tick the checkbox 'has_header' to avoid importing it and have potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason why you would redefine a header is for instance when you want to skip some fields, or some fields are not valid types.

  • input:

CSV format file.

  • output:

MISP Event attributes

  • references:
  • requirements:

PyMISP


Cuckoo Sandbox Import

Module to import Cuckoo JSON. [source code]

  • features:

Import a Cuckoo archive (zipfile or bzip2 tarball), either downloaded manually or exported from the API (/tasks/report/<task_id>/all).

  • input:

Cuckoo JSON file

  • output:

MISP Event attributes

  • references:

Email Import

Email import module for MISP [source code]

  • features:

This module can be used to import e-mail text as well as attachments and urls. 3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.

  • config:
  • unzip_attachments
  • guess_zip_attachment_passwords
  • extract_urls
  • input:

E-mail file

  • output:

MISP Event attributes


GoAML Import

Module to import MISP objects about financial transactions from GoAML files. [source code]

  • features:

Unlike the GoAML export module, there is here no special feature to import data from GoAML external files, since the module will import MISP Objects with their References on its own, as it is required for the export module to rebuild a valid GoAML document.

  • input:

GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).

  • output:

MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.

  • references:

http://goaml.unodc.org/

  • requirements:

PyMISP


Import Blueprint

Generic blueprint to be copy-pasted to quickly boostrap creation of import module. [source code]

  • features:

Joe Sandbox Import

A module to import data from a Joe Sandbox analysis json report. [source code]

  • features:

Module using the new format of modules able to return attributes and objects.

The module returns the same results as the expansion module joesandbox_query using the submission link of the analysis to get the json report.

  • input:

Json report of a Joe Sandbox analysis.

  • output:

MISP attributes & objects parsed from the analysis report.

  • references:

Lastline Import

Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.

Module to import and parse reports from Lastline analysis links. [source code]

  • features:

The module requires a Lastline Portal username and password. The module uses the new format and it is able to return MISP attributes and objects. The module returns the same results as the lastline_query expansion module.

  • config:
  • username
  • password
  • verify_ssl
  • input:

Link to a Lastline analysis.

  • output:

MISP attributes and objects parsed from the analysis report.

  • references:

https://www.lastline.com


MISP JSON Import

Module to import MISP JSON format for merging MISP events. [source code]

  • features:

The module simply imports MISP Attributes from an other MISP Event in order to merge events together. There is thus no special feature to make it work.

  • input:

MISP Event

  • output:

MISP Event attributes


OCR Import

Optical Character Recognition (OCR) module for MISP. [source code]

  • features:

The module tries to recognize some text from an image and import the result as a freetext attribute, there is then no special feature asked to users to make it work.

  • input:

Image

  • output:

freetext MISP attribute


OpenIOC Import

Module to import OpenIOC packages. [source code]

  • features:

The module imports MISP Attributes from OpenIOC packages, there is then no special feature for users to make it work.

  • input:

OpenIOC packages

  • output:

MISP Event attributes

  • references:

https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html

  • requirements:

PyMISP


TAXII 2.1 Import

Import content from a TAXII 2.1 server [source code]

  • features:
  • config:

stix_object_limit


ThreadAnalyzer Sandbox Import

Module to import ThreatAnalyzer archive.zip / analysis.json files. [source code]

  • features:

The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be either ZIP, or JSON format. There is by the way no special feature for users to make the module work.

  • input:

ThreatAnalyzer format file

  • output:

MISP Event attributes

  • references:

https://www.threattrack.com/malware-analysis.aspx


URL Import

Simple URL import tool with Faup [source code]

  • features:

VMRay API Import

Module to import VMRay (VTI) results. [source code]

  • features:

The module imports MISP Attributes from VMRay format, using the VMRay api. Users should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.

  • config:
  • apikey
  • url
  • disable_tags
  • disable_misp_objects
  • ignore_analysis_finished
  • input:

VMRay format

  • output:

MISP Event attributes

  • references:

https://www.vmray.com/

  • requirements:

vmray_rest_api


VMRay Summary JSON Import

Import a VMRay Summary JSON report. [source code]

  • features:
  • config:

disable_tags