Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| """ | |
| Export module for converting MISP events into ThreatConnect Structured Import files. This export data is meant to be used with the "Structured Import" ability of ThreatConnect. | |
| Source: http://kb.threatconnect.com/customer/en/portal/articles/1912599-using-structured-import/ | |
| Source: http://kb.threatconnect.com/customer/en/portal/articles/2092925-the-threatconnect-data-model/ | |
| """ | |
| import base64 | |
| import csv | |
| import io | |
| import json | |
| import logging | |
| misperrors = {"error": "Error"} | |
| moduleinfo = { | |
| "version": "0.1", | |
| "author": "CenturyLink CIRT", | |
| "description": "Export a structured CSV file for uploading to ThreatConnect", | |
| "module-type": ["export"] | |
| } | |
| # config fields expected from the MISP administrator | |
| # Default_Source: The source of the data. Typically this won't be changed from the default | |
| moduleconfig = ["Default_Source"] | |
| # Map of MISP fields => ThreatConnect fields | |
| fieldmap = { | |
| "domain": "Host", | |
| "domain|ip": "Host|Address", | |
| "hostname": "Host", | |
| "ip-src": "Address", | |
| "ip-dst": "Address", | |
| "ip-src|port": "Address", | |
| "ip-dst|port": "Address", | |
| "whois-registrant-email": "EmailAddress", | |
| "email-src": "EmailAddress", | |
| "email-dst": "EmailAddress", | |
| "url": "URL", | |
| "md5": "File", | |
| "filename|md5": "File" | |
| } | |
| # combine all the MISP fields from fieldmap into one big list | |
| mispattributes = { | |
| "input": list(fieldmap.keys()) | |
| } | |
| def handler(q=False): | |
| """ | |
| Convert a MISP query into a CSV file matching the ThreatConnect Structured Import file format. | |
| Input | |
| q: Query dictionary | |
| """ | |
| if q is False or not q: | |
| return False | |
| # Check if we were given a configuration | |
| request = json.loads(q) | |
| config = request.get("config", {"Default_Source": ""}) | |
| logging.info("Setting config to: %s", config) | |
| response = io.StringIO() | |
| writer = csv.DictWriter(response, fieldnames=["Type", "Value", "Source", "Description"]) | |
| writer.writeheader() | |
| # start parsing MISP data | |
| for event in request["data"]: | |
| for attribute in event["Attribute"]: | |
| if attribute["type"] in mispattributes["input"]: | |
| logging.debug("Adding %s to structured CSV export of ThreatConnectExport", attribute["value"]) | |
| if "|" in attribute["type"]: | |
| # if the attribute type has multiple values, line it up with the corresponding ThreatConnect values in fieldmap | |
| indicators = tuple(attribute["value"].split("|")) | |
| tc_types = tuple(fieldmap[attribute["type"]].split("|")) | |
| for i, indicator in enumerate(indicators): | |
| writer.writerow({ | |
| "Type": tc_types[i], | |
| "Value": indicator, | |
| "Source": config["Default_Source"], | |
| "Description": attribute["comment"] | |
| }) | |
| else: | |
| writer.writerow({ | |
| "Type": fieldmap[attribute["type"]], | |
| "Value": attribute["value"], | |
| "Source": config["Default_Source"], | |
| "Description": attribute["comment"] | |
| }) | |
| return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')} | |
| def introspection(): | |
| """ | |
| Relay the supported attributes to MISP. | |
| No Input | |
| Output | |
| Dictionary of supported MISP attributes | |
| """ | |
| modulesetup = { | |
| "responseType": "application/txt", | |
| "outputFileExtension": "csv", | |
| "userConfig": {}, | |
| "inputSource": [] | |
| } | |
| return modulesetup | |
| def version(): | |
| """ | |
| Relay module version and associated metadata to MISP. | |
| No Input | |
| Output | |
| moduleinfo: metadata output containing all potential configuration values | |
| """ | |
| moduleinfo["config"] = moduleconfig | |
| return moduleinfo |