17 KiB
Home
MISP modules are autonomous modules that can be used for expansion and other services in MISP.
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.
MISP modules support is included in MISP starting from version 2.4.28
.
For more information: Extending MISP with Python modules slides from MISP training.
Existing MISP modules
Expansion modules
- Backscatter.io - a hover and expansion module to expand an IP address with mass-scanning observations.
- BGP Ranking - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
- BTC scam check - An expansion hover module to instantly check if a BTC address has been abused.
- BTC transactions - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
- CIRCL Passive DNS - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
- CIRCL Passive SSL - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
- countrycode - a hover module to tell you what country a URL belongs to.
- CrowdStrike Falcon - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
- CVE - a hover module to give more information about a vulnerability (CVE).
- CVE advanced - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
- Cuckoo submit - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.
- DBL Spamhaus - a hover module to check Spamhaus DBL for a domain name.
- DNS - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
- docx-enrich - an enrichment module to get text out of Word document into MISP (using free-text parser).
- DomainTools - a hover and expansion module to get information from DomainTools whois.
- EUPI - a hover and expansion module to get information about an URL from the Phishing Initiative project.
- EQL - an expansion module to generate event query language (EQL) from an attribute. Event Query Language
- Farsight DNSDB Passive DNS - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
- GeoIP - a hover and expansion module to get GeoIP information from geolite/maxmind.
- Greynoise - a hover to get information from greynoise.
- hashdd - a hover module to check file hashes against hashdd.com including NSLR dataset.
- hibp - a hover module to lookup against Have I Been Pwned?
- intel471 - an expansion module to get info from Intel471.
- IPASN - a hover and expansion to get the BGP ASN of an IP address.
- iprep - an expansion module to get IP reputation from packetmail.net.
- Joe Sandbox submit - Submit files and URLs to Joe Sandbox.
- Joe Sandbox query - Query Joe Sandbox with the link of an analysis and get the parsed data.
- macaddress.io - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from MAC address Vendor Lookup. See integration tutorial here.
- macvendors - a hover module to retrieve mac vendor information.
- ocr-enrich - an enrichment module to get OCRized data from images into MISP.
- ods-enrich - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).
- odt-enrich - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).
- onyphe - a modules to process queries on Onyphe.
- onyphe_full - a modules to process full queries on Onyphe.
- OTX - an expansion module for OTX.
- passivetotal - a passivetotal module that queries a number of different PassiveTotal datasets.
- pdf-enrich - an enrichment module to extract text from PDF into MISP (using free-text parser).
- pptx-enrich - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser).
- qrcode - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values.
- rbl - a module to get RBL (Real-Time Blackhost List) values from an attribute.
- reversedns - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
- securitytrails - an expansion module for securitytrails.
- shodan - a minimal shodan expansion module.
- Sigma queries - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.
- Sigma syntax validator - Sigma syntax validator.
- sourcecache - a module to cache a specific link from a MISP instance.
- STIX2 pattern syntax validator - a module to check a STIX2 pattern syntax.
- ThreatCrowd - an expansion module for ThreatCrowd.
- threatminer - an expansion module to expand from ThreatMiner.
- urlhaus - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
- urlscan - an expansion module to query urlscan.io.
- virustotal - an expansion module to query the VirusTotal API with a high request rate limit required. (More details about the API: here)
- virustotal_public - an expansion module to query the VirusTotal API with a public key and a low request rate limit. (More details about the API: here)
- VMray - a module to submit a sample to VMray.
- VulnDB - a module to query VulnDB.
- Vulners - an expansion module to expand information about CVEs using Vulners API.
- Vysion - an expansion module to add dark web intelligence using Vysion API.
- whois - a module to query a local instance of uwhois.
- wikidata - a wikidata expansion module.
- xforce - an IBM X-Force Exchange expansion module.
- xlsx-enrich - an enrichment module to get text out of an Excel document into MISP (using free-text parser).
- YARA query - a module to create YARA rules from single hash attributes.
- YARA syntax validator - YARA syntax validator.
Export modules
- CEF module to export Common Event Format (CEF).
- Cisco FireSight Manager ACL rule module to export as rule for the Cisco FireSight manager ACL.
- GoAML export module to export in GoAML format.
- Lite Export module to export a lite event.
- Mass EQL Export module to export applicable attributes from an event to a mass EQL query.
- PDF export module to export an event in PDF.
- Nexthink query format module to export in Nexthink query format.
- osquery module to export in osquery query format.
- ThreatConnect module to export in ThreatConnect CSV format.
- ThreatStream module to export in ThreatStream format.
Import modules
- CSV import Customizable CSV import module.
- Cuckoo JSON Cuckoo JSON import.
- Email Import Email import module for MISP to import basic metadata.
- GoAML import Module to import GoAML XML format.
- Joe Sandbox import Parse data from a Joe Sandbox json report.
- OCR Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
- OpenIOC OpenIOC import based on PyMISP library.
- ThreatAnalyzer - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
- VMRay - An import module to process VMRay export.
How to contribute your own module?
Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation. For further information please see Contribute.
Licenses
For further Information see also the license file.