misp-modules/misp_modules/modules/import_mod/joe_import.py

# -*- coding: utf-8 -*-
import base64
import json
from joe_parser import JoeParser

misperrors = {'error': 'Error'}
userConfig = {
    "Import Executable": {
        "type": "Boolean",
        "message": "Import Executable Information (PE, elf or apk for instance)",
    },
    "Mitre Att&ck": {
        "type": "Boolean",
        "message": "Import Mitre Att&ck techniques",
    },
}

inputSource = ['file']

moduleinfo = {
    'version': '0.2',
    'author': 'Christian Studer',
    'description': 'A module to import data from a Joe Sandbox analysis json report.',
    'module-type': ['import'],
    'name': 'Joe Sandbox Import',
    'logo': 'joesandbox.png',
    'requirements': [],
    'features': 'Module using the new format of modules able to return attributes and objects.\n\nThe module returns the same results as the expansion module [joesandbox_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) using the submission link of the analysis to get the json report.',
    'references': ['https://www.joesecurity.org', 'https://www.joesandbox.com/'],
    'input': 'Json report of a Joe Sandbox analysis.',
    'output': 'MISP attributes & objects parsed from the analysis report.',
}

moduleconfig = []


def handler(q=False):
    if q is False:
        return False
    q = json.loads(q)
    config = {
        "import_executable": bool(int(q["config"]["Import Executable"])),
        "mitre_attack": bool(int(q["config"]["Mitre Att&ck"])),
    }

    data = base64.b64decode(q.get('data')).decode('utf-8')
    if not data:
        return json.dumps({'success': 0})

    joe_parser = JoeParser(config)
    joe_parser.parse_data(json.loads(data)['analysis'])
    joe_parser.finalize_results()
    return {'results': joe_parser.results}


def introspection():
    modulesetup = {}
    try:
        userConfig
        modulesetup['userConfig'] = userConfig
    except NameError:
        pass
    try:
        inputSource
        modulesetup['inputSource'] = inputSource
    except NameError:
        pass
    modulesetup['format'] = 'misp_standard'
    return modulesetup


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo