threatStream_misp_export.py

"""
Export module for coverting MISP events into ThreatStream Structured Import files. Based of work by the CenturyLink CIRT.
Source: https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/export_mod/threat_connect_export.py
"""

import base64
import csv
import io
import json
import logging


misperrors = {"error": "Error"}

moduleinfo = {
    "version": "1.0",
    "author": "Robert Nixon, based off of the ThreatConnect MISP Module written by the CenturyLink CIRT",
    "description": "Export a structured CSV file for uploading to ThreatStream",
    "module-type": ["export"]
}


moduleconfig = []


# Map of MISP fields => ThreatStream itypes, you can modify this to your liking
fieldmap = {
    "domain": "mal_domain",
    "hostname": "mal_domain",
    "ip-src": "mal_ip",
    "ip-dst": "mal_ip",
    "email-src": "phish_email",
    "url": "mal_url",
    "md5": "mal_md5",
}

# combine all the MISP fields from fieldmap into one big list
mispattributes = {
    "input": list(fieldmap.keys())
}


def handler(q=False):
    """
    Convert a MISP query into a CSV file matching the ThreatStream Structured Import file format.
    Input
        q: Query dictionary
    """
    if q is False or not q:
        return False

    request = json.loads(q)

    response = io.StringIO()
    writer = csv.DictWriter(response, fieldnames=["value", "itype", "tags"])
    writer.writeheader()

    # start parsing MISP data
    for event in request["data"]:
        for attribute in event["Attribute"]:
            if attribute["type"] in mispattributes["input"]:
                logging.debug("Adding %s to structured CSV export of ThreatStream Export", attribute["value"])
                if "|" in attribute["type"]:
                    # if the attribute type has multiple values, line it up with the corresponding ThreatStream values in fieldmap
                    indicators = tuple(attribute["value"].split("|"))
                    ts_types = tuple(fieldmap[attribute["type"]].split("|"))
                    for i, indicator in enumerate(indicators):
                        writer.writerow({
                            "value": indicator,
                            "itype": ts_types[i],
                            "tags": attribute["comment"]
                        })
                else:
                    writer.writerow({
                        "itype": fieldmap[attribute["type"]],
                        "value": attribute["value"],
                        "tags": attribute["comment"]
                    })

    return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')}


def introspection():
    """
    Relay the supported attributes to MISP.
    No Input
    Output
        Dictionary of supported MISP attributes
    """
    modulesetup = {
        "responseType": "application/txt",
        "outputFileExtension": "csv",
        "userConfig": {},
        "inputSource": []
    }
    return modulesetup


def version():
    """
    Relay module version and associated metadata to MISP.
    No Input
    Output
        moduleinfo: metadata output containing all potential configuration values
    """
    moduleinfo["config"] = moduleconfig
    return moduleinfo
	"""
	Export module for coverting MISP events into ThreatStream Structured Import files. Based of work by the CenturyLink CIRT.
	Source: https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/export_mod/threat_connect_export.py
	"""

	import base64
	import csv
	import io
	import json
	import logging


	misperrors = {"error": "Error"}

	moduleinfo = {
	"version": "1.0",
	"author": "Robert Nixon, based off of the ThreatConnect MISP Module written by the CenturyLink CIRT",
	"description": "Export a structured CSV file for uploading to ThreatStream",
	"module-type": ["export"]
	}


	moduleconfig = []


	# Map of MISP fields => ThreatStream itypes, you can modify this to your liking
	fieldmap = {
	"domain": "mal_domain",
	"hostname": "mal_domain",
	"ip-src": "mal_ip",
	"ip-dst": "mal_ip",
	"email-src": "phish_email",
	"url": "mal_url",
	"md5": "mal_md5",
	}

	# combine all the MISP fields from fieldmap into one big list
	mispattributes = {
	"input": list(fieldmap.keys())
	}


	def handler(q=False):
	"""
	Convert a MISP query into a CSV file matching the ThreatStream Structured Import file format.
	Input
	q: Query dictionary
	"""
	if q is False or not q:
	return False

	request = json.loads(q)

	response = io.StringIO()
	writer = csv.DictWriter(response, fieldnames=["value", "itype", "tags"])
	writer.writeheader()

	# start parsing MISP data
	for event in request["data"]:
	for attribute in event["Attribute"]:
	if attribute["type"] in mispattributes["input"]:
	logging.debug("Adding %s to structured CSV export of ThreatStream Export", attribute["value"])
	if "\|" in attribute["type"]:
	# if the attribute type has multiple values, line it up with the corresponding ThreatStream values in fieldmap
	indicators = tuple(attribute["value"].split("\|"))
	ts_types = tuple(fieldmap[attribute["type"]].split("\|"))
	for i, indicator in enumerate(indicators):
	writer.writerow({
	"value": indicator,
	"itype": ts_types[i],
	"tags": attribute["comment"]
	})
	else:
	writer.writerow({
	"itype": fieldmap[attribute["type"]],
	"value": attribute["value"],
	"tags": attribute["comment"]
	})

	return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')}


	def introspection():
	"""
	Relay the supported attributes to MISP.
	No Input
	Output
	Dictionary of supported MISP attributes
	"""
	modulesetup = {
	"responseType": "application/txt",
	"outputFileExtension": "csv",
	"userConfig": {},
	"inputSource": []
	}
	return modulesetup


	def version():
	"""
	Relay module version and associated metadata to MISP.
	No Input
	Output
	moduleinfo: metadata output containing all potential configuration values
	"""
	moduleinfo["config"] = moduleconfig
	return moduleinfo