MISP Action

[Mxrk]

Would be nice to be able to send alerts to MISP.

[d-Rickyy-b]

It would be awesome to have a new action which sends found pastes to a MISP instance.

To solve this issue there needs to be a new action added in the actions directory. The action must follow the example of the other actions in this directory. Don't forget to add the action to the action package file.

The most simple example for such an action is the GenericAction which executes a passed function.

The action must be able to send a new message to an existing MISP instance. Not using additional packages is highly preferred to keep the size of the application as small as possible.

Tests are not necessary but highly appreciated. If there are questions, don't hesitate to contact me.

[Zeroji]

I'd like to tackle this one. I've almost managed to get MISP to run in Docker, hopefully it works and then I can try out my code - automated tests won't be possible (by me at least) though.

I have questions regarding the data output:

{
    "Event":{
        "date": "2015-01-01",
        "threat_level_id": "1",
        "info": "testevent",
        "published": false,
        "analysis": "0",
        "distribution":"0",
        "Attribute": [{
            "type": "domain",
            "category":"Network activity",
            "to_ids": false,
            "distribution":"0",
            "comment":"",
            "value":"test.com"
        }]
    }
}

This is the sample event object in the MISP docs
that has to be passed to their API, but I have no idea what to specify for a lot of the values - I could use some input on that part :)

EDIT: looking around, shouldn't all custom actions extend BasicAction instead of GenericAction?

[Zeroji]

Work in progress in misp-action
I made the action have a transformer parameter which can be used to specify a function to transform a Paste into a MISP event object, still have to build a default one but it's on its way.

[d-Rickyy-b]

@Zeroji Hi, thanks for the work. I don't have time to check it currently. Will try to have a look tonight!

[d-Rickyy-b]

Hey, just seen your EDIT. Yes, you should extend BasicAction. The text does not say that you should extend GenericAction, I just wanted to say that it's the easiest (working) Action I built. But yes, I should have added what base class to extend :)

I will check out your PR tomorrow. Had a stressful day today. Thanks for participating.

[Zeroji]

No worries, take your time! However for your own sake try to find a running MISP instance, because it took Docker about an hour and a half to build mine 😛