valitydev/Cortex-Analyzers
14
0
Fork 0
mirror of https://github.com/valitydev/Cortex-Analyzers.git synced 2024-11-06 17:15:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

#14 Add a MISP search analyzer

Browse Source
This commit is contained in:
Antoine 2017-03-02 09:39:51 +00:00 committed by Nabil Adouani
parent 328e1f57b2
commit 96578309db
3 changed files with 103 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
analyzers/MISP/MISP_Search.json Normal file
View File

@ -0,0 +1,12 @@
{
"name": "MISP_Search",
"version": "1.0",
"baseConfig": "MISP",
"config": {
"check_tlp": false,
"service": "search"
},
"description": "MISP Search",
"dataTypeList": ["domain", "filename", "fqdn", "hash", "ip", "mail", "mail_subject", "other", "regexp", "registry", "uri_path", "url", "user-agent"],
"command": "MISP/misp_analyzer.py"
}

89
analyzers/MISP/misp_analyzer.py Executable file
View File

@ -0,0 +1,89 @@
#!/usr/bin/env python
# encoding: utf-8
from cortexutils.analyzer import Analyzer
from pymisp import PyMISP
class MISPAnalyzer(Analyzer):
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam('config.service', None, 'MISP service is missing')
self.url = self.getParam('config.url', None, 'MISP url is missing')
self.api_key = self.getParam('config.api_key', None, 'MISP api_key is missing')
def summary(self, raw):
result = {
'service': self.service,
'dataType': self.data_type
}
# search service
if self.service == 'search':
if 'response' in raw and raw['response']:
result['results'] = len(raw['response'])
else:
result['results'] = 0
return result
def run(self):
Analyzer.run(self)
data = self.getData()
try:
# search service
if self.service == 'search':
misp = PyMISP(self.url, self.api_key)
result = misp.search_all(data)
events = []
if 'response' in result:
# Trim the report to make it readable in a browser
# Remove null events
result['response'] = list(filter(lambda e: e != {'Event': None}, result['response']))
for e in result['response']:
if 'Event' in e and e['Event']:
event = e['Event']
# Remove attributes
if 'Attribute' in event:
del event['Attribute']
# Remove org
if 'Org' in event:
del event['Org']
# Remove related events
if 'RelatedEvent' in event:
del event['RelatedEvent']
# Remove shadow attributes
if 'ShadowAttribute' in event:
del event['ShadowAttribute']
# Remove sharing group
if 'SharingGroup' in event:
del event['SharingGroup']
# Remove sharing group
if 'Galaxy' in event:
del event['Galaxy']
# Replace tags by a string array
if 'Tag' in event:
tags = list((t['name'] for t in event['Tag']))
del event['Tag']
event['tags'] = tags
# Add url to the MISP event
if 'id' in event:
event['url'] = self.url + '/events/view/' + event['id']
events.append(event)
self.report(events)
else:
self.error('Unknown MISP service')
except Exception as e:
self.unexpectedError(e)
if __name__ == '__main__':
MISPAnalyzer().run()

2
analyzers/MISP/requirements.txt Normal file
View File

@ -0,0 +1,2 @@
cortexutils
pymisp