misp-modules/import_mod/index.html


<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="MISP Modules Project">
<meta name="author" content="MISP Project">
<link rel="canonical" href="https://www.misp-project.org/import_mod/">
<link rel="prev" href="../export_mod/">
<link rel="next" href="../install/">
<link rel="icon" href="../img/favicon.ico">
<meta name="generator" content="mkdocs-1.6.0, mkdocs-material-9.5.31">
<title>Import Modules - MISP Modules Documentation</title>
<link rel="stylesheet" href="../assets/stylesheets/main.3cba04c6.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.06af60db.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#pdns-cof-importer" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="MISP Modules Documentation" class="md-header__button md-logo" aria-label="MISP Modules Documentation" data-md-component="logo">
<img src="../img/misp.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
MISP Modules Documentation
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Import Modules
</span>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/MISP/misp-modules/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
MISP/misp-modules
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="MISP Modules Documentation" class="md-nav__button md-logo" aria-label="MISP Modules Documentation" data-md-component="logo">
<img src="../img/misp.png" alt="logo">
</a>
MISP Modules Documentation
</label>
<div class="md-nav__source">
<a href="https://github.com/MISP/misp-modules/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
MISP/misp-modules
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Home
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" checked>
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Modules
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Modules
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../action_mod/" class="md-nav__link">
<span class="md-ellipsis">
Action Modules
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../expansion/" class="md-nav__link">
<span class="md-ellipsis">
Expansion Modules
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../export_mod/" class="md-nav__link">
<span class="md-ellipsis">
Export Modules
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Import Modules
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Import Modules
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#pdns-cof-importer" class="md-nav__link">
<span class="md-ellipsis">
PDNS COF Importer
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#csv-import" class="md-nav__link">
<span class="md-ellipsis">
CSV Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#cuckoo-sandbox-import" class="md-nav__link">
<span class="md-ellipsis">
Cuckoo Sandbox Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#email-import" class="md-nav__link">
<span class="md-ellipsis">
Email Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#goaml-import" class="md-nav__link">
<span class="md-ellipsis">
GoAML Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#import-blueprint" class="md-nav__link">
<span class="md-ellipsis">
Import Blueprint
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#joe-sandbox-import" class="md-nav__link">
<span class="md-ellipsis">
Joe Sandbox Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#lastline-import" class="md-nav__link">
<span class="md-ellipsis">
Lastline Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#misp-json-import" class="md-nav__link">
<span class="md-ellipsis">
MISP JSON Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ocr-import" class="md-nav__link">
<span class="md-ellipsis">
OCR Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#openioc-import" class="md-nav__link">
<span class="md-ellipsis">
OpenIOC Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#taxii-21-import" class="md-nav__link">
<span class="md-ellipsis">
TAXII 2.1 Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#threadanalyzer-sandbox-import" class="md-nav__link">
<span class="md-ellipsis">
ThreatAnalyzer Sandbox Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#url-import" class="md-nav__link">
<span class="md-ellipsis">
URL Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#vmray-api-import" class="md-nav__link">
<span class="md-ellipsis">
VMRay API Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#vmray-summary-json-import" class="md-nav__link">
<span class="md-ellipsis">
VMRay Summary JSON Import
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../install/" class="md-nav__link">
<span class="md-ellipsis">
Install Guides
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../contribute/" class="md-nav__link">
<span class="md-ellipsis">
Contribute
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
About
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
About
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../license/" class="md-nav__link">
<span class="md-ellipsis">
License
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#pdns-cof-importer" class="md-nav__link">
<span class="md-ellipsis">
PDNS COF Importer
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#csv-import" class="md-nav__link">
<span class="md-ellipsis">
CSV Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#cuckoo-sandbox-import" class="md-nav__link">
<span class="md-ellipsis">
Cuckoo Sandbox Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#email-import" class="md-nav__link">
<span class="md-ellipsis">
Email Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#goaml-import" class="md-nav__link">
<span class="md-ellipsis">
GoAML Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#import-blueprint" class="md-nav__link">
<span class="md-ellipsis">
Import Blueprint
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#joe-sandbox-import" class="md-nav__link">
<span class="md-ellipsis">
Joe Sandbox Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#lastline-import" class="md-nav__link">
<span class="md-ellipsis">
Lastline Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#misp-json-import" class="md-nav__link">
<span class="md-ellipsis">
MISP JSON Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ocr-import" class="md-nav__link">
<span class="md-ellipsis">
OCR Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#openioc-import" class="md-nav__link">
<span class="md-ellipsis">
OpenIOC Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#taxii-21-import" class="md-nav__link">
<span class="md-ellipsis">
TAXII 2.1 Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#threadanalyzer-sandbox-import" class="md-nav__link">
<span class="md-ellipsis">
ThreatAnalyzer Sandbox Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#url-import" class="md-nav__link">
<span class="md-ellipsis">
URL Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#vmray-api-import" class="md-nav__link">
<span class="md-ellipsis">
VMRay API Import
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#vmray-summary-json-import" class="md-nav__link">
<span class="md-ellipsis">
VMRay Summary JSON Import
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>Import Modules</h1>
<h4 id="pdns-cof-importer"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py">PDNS COF Importer</a><a class="headerlink" href="#pdns-cof-importer" title="Permanent link">&para;</a></h4>
<p>Passive DNS Common Output Format (COF) MISP importer
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>Takes as input a valid COF file or the output of the dnsdbflex utility and creates MISP objects for the input.</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>Passive DNS output in Common Output Format (COF)</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP objects</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<p><a href="https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html">https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html</a></p>
</blockquote>
</li>
<li>
<p><strong>requirements</strong>:</p>
<blockquote>
<p>PyMISP</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="csv-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py">CSV Import</a><a class="headerlink" href="#csv-import" title="Permanent link">&para;</a></h4>
<p>Module to import MISP attributes from a csv file.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>In order to parse data from a csv file, a header is required to let the module know which column matches which known attribute field / MISP type.</p>
<p>This header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, ').</p>
<p>If the csv file already contains a header that does not start with a '#', you should tick the checkbox 'has_header' so that the header line is not imported as data, which could cause issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason to redefine a header is, for instance, when you want to skip some fields, or when some fields are not valid types.</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>CSV format file.</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP Event attributes</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<ul>
<li><a href="https://tools.ietf.org/html/rfc4180">https://tools.ietf.org/html/rfc4180</a></li>
<li><a href="https://tools.ietf.org/html/rfc7111">https://tools.ietf.org/html/rfc7111</a></li>
</ul>
</blockquote>
</li>
<li>
<p><strong>requirements</strong>:</p>
<blockquote>
<p>PyMISP</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="cuckoo-sandbox-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py">Cuckoo Sandbox Import</a><a class="headerlink" href="#cuckoo-sandbox-import" title="Permanent link">&para;</a></h4>
<p><img src=../logos/cuckoo.png height=60></p>
<p>Module to import Cuckoo JSON.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>Import a Cuckoo archive (zipfile or bzip2 tarball), either downloaded manually or exported from the API (<code>/tasks/report/&lt;task_id&gt;/all</code>).</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>Cuckoo JSON file</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP Event attributes</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<ul>
<li><a href="https://cuckoosandbox.org/">https://cuckoosandbox.org/</a></li>
<li><a href="https://github.com/cuckoosandbox/cuckoo">https://github.com/cuckoosandbox/cuckoo</a></li>
</ul>
</blockquote>
</li>
</ul>
<hr />
<h4 id="email-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py">Email Import</a><a class="headerlink" href="#email-import" title="Permanent link">&para;</a></h4>
<p>Email import module for MISP
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
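<p>This module can be used to import e-mail text as well as attachments and URLs.
Three configuration parameters control whether attachments are unzipped, whether zip attachment passwords are guessed, and whether URLs are extracted: set each of them to True or False to enable or disable the corresponding action.
E-mails submitted for import are untrusted input, so enable <code>unzip_attachments</code> and <code>guess_zip_attachment_passwords</code> only where the misp-modules host can tolerate unpacking hostile archives, such as decompression bombs.</p>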
</blockquote>
</li>
<li>
<p><strong>config</strong>:</p>
<blockquote>
<ul>
<li>unzip_attachments</li>
<li>guess_zip_attachment_passwords</li>
<li>extract_urls</li>
</ul>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>E-mail file</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP Event attributes</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="goaml-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py">GoAML Import</a><a class="headerlink" href="#goaml-import" title="Permanent link">&para;</a></h4>
<p><img src=../logos/goAML.jpg height=60></p>
<p>Module to import MISP objects about financial transactions from GoAML files.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>Unlike the GoAML export module, this module needs no special feature to import data from external GoAML files: it imports MISP Objects together with their References on its own, as the export module requires them in order to rebuild a valid GoAML document.</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<p><a href="http://goaml.unodc.org/">http://goaml.unodc.org/</a></p>
</blockquote>
</li>
<li>
<p><strong>requirements</strong>:</p>
<blockquote>
<p>PyMISP</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="import-blueprint"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/import_blueprint.py">Import Blueprint</a><a class="headerlink" href="#import-blueprint" title="Permanent link">&para;</a></h4>
<p>Generic blueprint to be copy-pasted to quickly bootstrap the creation of an import module.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/import_blueprint.py">source code</a>]</p>
<ul>
<li><strong>features</strong>:<blockquote></blockquote>
</li>
</ul>
<hr />
<h4 id="joe-sandbox-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py">Joe Sandbox Import</a><a class="headerlink" href="#joe-sandbox-import" title="Permanent link">&para;</a></h4>
<p><img src=../logos/joesandbox.png height=60></p>
<p>A module to import data from a Joe Sandbox analysis json report.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>Module using the new format of modules able to return attributes and objects.</p>
<p>The module returns the same results as the expansion module <a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py">joesandbox_query</a> using the submission link of the analysis to get the json report.</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>Json report of a Joe Sandbox analysis.</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP attributes &amp; objects parsed from the analysis report.</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<ul>
<li><a href="https://www.joesecurity.org">https://www.joesecurity.org</a></li>
<li><a href="https://www.joesandbox.com/">https://www.joesandbox.com/</a></li>
</ul>
</blockquote>
</li>
</ul>
<hr />
<h4 id="lastline-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py">Lastline Import</a><a class="headerlink" href="#lastline-import" title="Permanent link">&para;</a></h4>
<p><img src=../logos/lastline.png height=60></p>
<p>Deprecation notice: this module will be deprecated by December 2021; please use the vmware_nsx module instead.</p>
<p>Module to import and parse reports from Lastline analysis links.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>The module requires a Lastline Portal <code>username</code> and <code>password</code>.
Keep <code>verify_ssl</code> enabled so that these credentials are only sent over a connection whose certificate has been verified.
The module uses the new format and is able to return MISP attributes and objects.
The module returns the same results as the <a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py">lastline_query</a> expansion module.</p>
</blockquote>
</li>
<li>
<p><strong>config</strong>:</p>
<blockquote>
<ul>
<li>username</li>
<li>password</li>
<li>verify_ssl</li>
</ul>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>Link to a Lastline analysis.</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP attributes and objects parsed from the analysis report.</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<p><a href="https://www.lastline.com">https://www.lastline.com</a></p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="misp-json-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py">MISP JSON Import</a><a class="headerlink" href="#misp-json-import" title="Permanent link">&para;</a></h4>
<p>Module to import MISP JSON format for merging MISP events.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>The module simply imports MISP Attributes from another MISP Event in order to merge events together. There is thus no special feature required to make it work.</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>MISP Event</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP Event attributes</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="ocr-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py">OCR Import</a><a class="headerlink" href="#ocr-import" title="Permanent link">&para;</a></h4>
<p>Optical Character Recognition (OCR) module for MISP.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>The module tries to recognize text in an image and imports the result as a freetext attribute; no special feature is required from users to make it work.</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>Image</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>freetext MISP attribute</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="openioc-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py">OpenIOC Import</a><a class="headerlink" href="#openioc-import" title="Permanent link">&para;</a></h4>
<p>Module to import OpenIOC packages.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>The module imports MISP Attributes from OpenIOC packages; no special feature is required from users to make it work.</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>OpenIOC packages</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP Event attributes</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<p><a href="https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html">https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html</a></p>
</blockquote>
</li>
<li>
<p><strong>requirements</strong>:</p>
<blockquote>
<p>PyMISP</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="taxii-21-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/taxii21.py">TAXII 2.1 Import</a><a class="headerlink" href="#taxii-21-import" title="Permanent link">&para;</a></h4>
<p>Import content from a TAXII 2.1 server
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/taxii21.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote></blockquote>
</li>
<li>
<p><strong>config</strong>:</p>
<blockquote>
<p>stix_object_limit</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="threadanalyzer-sandbox-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py">ThreatAnalyzer Sandbox Import</a><a class="headerlink" href="#threadanalyzer-sandbox-import" title="Permanent link">&para;</a></h4>
<p>Module to import ThreatAnalyzer archive.zip / analysis.json files.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be in either ZIP or JSON format.
No special feature is required from users to make the module work.</p>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>ThreatAnalyzer format file</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP Event attributes</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<p><a href="https://www.threattrack.com/malware-analysis.aspx">https://www.threattrack.com/malware-analysis.aspx</a></p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="url-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/url_import.py">URL Import</a><a class="headerlink" href="#url-import" title="Permanent link">&para;</a></h4>
<p>Simple URL import tool with Faup
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/url_import.py">source code</a>]</p>
<ul>
<li><strong>features</strong>:<blockquote></blockquote>
</li>
</ul>
<hr />
<h4 id="vmray-api-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py">VMRay API Import</a><a class="headerlink" href="#vmray-api-import" title="Permanent link">&para;</a></h4>
<p><img src=../logos/vmray.png height=60></p>
<p>Module to import VMRay (VTI) results.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote>
<p>The module imports MISP Attributes from VMRay format, using the VMRay API.
Users should therefore provide the API key and the server URL in the module configuration so that the module can fetch the data to import.</p>
</blockquote>
</li>
<li>
<p><strong>config</strong>:</p>
<blockquote>
<ul>
<li>apikey</li>
<li>url</li>
<li>disable_tags</li>
<li>disable_misp_objects</li>
<li>ignore_analysis_finished</li>
</ul>
</blockquote>
</li>
<li>
<p><strong>input</strong>:</p>
<blockquote>
<p>VMRay format</p>
</blockquote>
</li>
<li>
<p><strong>output</strong>:</p>
<blockquote>
<p>MISP Event attributes</p>
</blockquote>
</li>
<li>
<p><strong>references</strong>:</p>
<blockquote>
<p><a href="https://www.vmray.com/">https://www.vmray.com/</a></p>
</blockquote>
</li>
<li>
<p><strong>requirements</strong>:</p>
<blockquote>
<p>vmray_rest_api</p>
</blockquote>
</li>
</ul>
<hr />
<h4 id="vmray-summary-json-import"><a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_summary_json_import.py">VMRay Summary JSON Import</a><a class="headerlink" href="#vmray-summary-json-import" title="Permanent link">&para;</a></h4>
<p>Import a VMRay Summary JSON report.
[<a href="https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_summary_json_import.py">source code</a>]</p>
<ul>
<li>
<p><strong>features</strong>:</p>
<blockquote></blockquote>
</li>
<li>
<p><strong>config</strong>:</p>
<blockquote>
<p>disable_tags</p>
</blockquote>
</li>
</ul>
<hr />
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
<div class="md-copyright__highlight">
Copyright &copy; 2019-2024 MISP Project
</div>
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
<div class="md-social">
<a href="https://twitter.com/MISPProject" target="_blank" rel="noopener" title="twitter.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg>
</a>
<a href="https://github.com/MISP" target="_blank" rel="noopener" title="github.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 480 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M186.1 328.7c0 20.9-10.9 55.1-36.7 55.1s-36.7-34.2-36.7-55.1 10.9-55.1 36.7-55.1 36.7 34.2 36.7 55.1zM480 278.2c0 31.9-3.2 65.7-17.5 95-37.9 76.6-142.1 74.8-216.7 74.8-75.8 0-186.2 2.7-225.6-74.8-14.6-29-20.2-63.1-20.2-95 0-41.9 13.9-81.5 41.5-113.6-5.2-15.8-7.7-32.4-7.7-48.8 0-21.5 4.9-32.3 14.6-51.8 45.3 0 74.3 9 108.8 36 29-6.9 58.8-10 88.7-10 27 0 54.2 2.9 80.4 9.2 34-26.7 63-35.2 107.8-35.2 9.8 19.5 14.6 30.3 14.6 51.8 0 16.4-2.6 32.7-7.7 48.2 27.5 32.4 39 72.3 39 114.2zm-64.3 50.5c0-43.9-26.7-82.6-73.5-82.6-18.9 0-37 3.4-56 6-14.9 2.3-29.8 3.2-45.1 3.2-15.2 0-30.1-.9-45.1-3.2-18.7-2.6-37-6-56-6-46.8 0-73.5 38.7-73.5 82.6 0 87.8 80.4 101.3 150.4 101.3h48.2c70.3 0 150.6-13.4 150.6-101.3zm-82.6-55.1c-25.8 0-36.7 34.2-36.7 55.1s10.9 55.1 36.7 55.1 36.7-34.2 36.7-55.1-10.9-55.1-36.7-55.1z"/></svg>
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "search": "../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../assets/javascripts/bundle.fe8b6f2b.min.js"></script>
</body>
</html>