intelmq-extensions 1.8.1__py3-none-any.whl → 1.10.0__py3-none-any.whl

intelmq_extensions/bots/collectors/modat/collector.py

@@ -0,0 +1,87 @@
+"""Collector of data from Modat API
+
+SPDX-FileCopyrightText: 2025 CERT.at GmbH <https://cert.at/>
+SPDX-License-Identifier: AGPL-3.0-or-later
+
+https://api.magnify.modat.io/docs
+
+Parameters:
+
+api_key
+# TODO: multiple queries in one bot?
+query
+type [service|host]
+
+# with defaults
+url = "https://api.magnify.modat.io/"
+page_size = 10
+max_results = 100
+
+# Standard Collector parameters
+name: Optional[str] = None
+accuracy: int = 100
+code: Optional[str] = None
+provider: Optional[str] = None
+documentation: Optional[str] = None
+"""
+
+import json
+from urllib.parse import urljoin
+
+from intelmq.lib.bot import CollectorBot
+from intelmq.lib.utils import create_request_session
+
+
+class ModatCollectorBot(CollectorBot):
+    url: str = "https://api.magnify.modat.io/"
+    page_size = 10
+    max_results = 100
+
+    api_key: str
+    query: str
+    type: str  # service|host
+
+    def init(self):
+        self.set_request_parameters()
+        self.session = create_request_session(self)
+        self.session.headers = {"Authorization": f"Bearer {self.api_key}"}
+
+    def process(self):
+        page = 1
+        collected_results = 0
+        total_available = self.page_size
+
+        if self.type == "host":
+            url = urljoin(self.url, "/host/search/v1")
+        else:
+            url = urljoin(self.url, "/service/search/v1")
+
+        while (
+            total_available > collected_results and collected_results < self.max_results
+        ):
+            result = self.session.post(
+                url,
+                json={"page": page, "page_size": self.page_size, "query": self.query},
+            )
+            if result.status_code != 200:
+                self.logger.error("Modat responded with error %d.", result.status_code)
+                self.logger.debug("Modat response: %s.", result.text)
+                raise RuntimeError(
+                    "Cannot retrieve data from Modat.", detail=result.text
+                )
+
+            data = result.json()
+            report = self.new_report()
+            report.add("raw", json.dumps(data["page"]))
+            self.send_message(report)
+
+            page += 1
+            collected_results += len(data["page"])
+            total_available = data["total_records"]
+
+    # @staticmethod
+    # def check(parameters: dict) -> list[list[str]] or None:
+    #     pass
+
+
+BOT = ModatCollectorBot

intelmq_extensions/bots/experts/replace_in_dict/expert.py

@@ -0,0 +1,42 @@
+# -*- coding: utf-8 -*-
+"""
+ReplaceInDict allow replacing pattern in any text field in a dict field(s)
+"""
+
+from intelmq.lib.bot import ExpertBot
+from intelmq.lib.exceptions import ConfigurationError, KeyNotExists
+
+
+class ReplaceInDictExpertBot(ExpertBot):
+    old_value: str = None
+    new_value: str = None
+    fields: str = None  # actually str | list on newer Python
+
+    def init(self):
+        if isinstance(self.fields, str):
+            self.fields = self.fields.split(",")
+        for field in self.fields:
+            definition = self.harmonization["event"][field]
+            if definition["type"] != "JSONDict":
+                raise ConfigurationError("Field is not a JSONDict", field)
+
+    def process(self):
+        event = self.receive_message()
+
+        for field in self.fields:
+            for name, value in event.finditems(f"{field}."):
+                if isinstance(value, str):
+                    try:
+                        event.change(
+                            name, value.replace(self.old_value, self.new_value)
+                        )
+                    except KeyNotExists:
+                        # Safeguard for an edge case if we would get default value
+                        # of an non-existing field
+                        pass
+
+        self.send_message(event)
+        self.acknowledge_message()
+
+
+BOT = ReplaceInDictExpertBot

intelmq_extensions/bots/parsers/modat/parser.py

@@ -0,0 +1,92 @@
+"""Parsing Modat search requests
+
+Currently supporting only host search results
+
+SPDX-FileCopyrightText: 2025 CERT.at GmbH <https://cert.at/>
+SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+
+import json
+from datetime import datetime, timezone
+
+import intelmq.lib.message as message
+from intelmq.lib import utils
+from intelmq.lib.bot import ParserBot
+
+
+class ModatParserBot(ParserBot):
+    def parse(self, report: message.Report):
+        raw_report = utils.base64_decode(report.get("raw"))
+        report_data = json.loads(raw_report)
+
+        for entry in report_data:
+            self._current_line = json.dumps(entry)
+            yield entry
+
+    def parse_line(self, line: dict, report: message.Report):
+        event = self.new_event(report)
+        event.add("raw", self._current_line)
+
+        event.add("source.ip", line.get("ip"), raise_failure=False)
+        event.add(
+            "source.geolocation.cc",
+            line.get("geo", {}).get("country_iso_code"),
+            raise_failure=False,
+        )
+        event.add(
+            "source.geolocation.country",
+            line.get("geo", {}).get("country_name"),
+            raise_failure=False,
+        )
+        event.add(
+            "source.geolocation.city",
+            line.get("geo", {}).get("city_name"),
+            raise_failure=False,
+        )
+
+        event.add("source.asn", line.get("asn", {}).get("number"), raise_failure=False)
+        event.add("source.as_name", line.get("asn", {}).get("org"), raise_failure=False)
+        fqdns = line.get("fqdns", [])
+        if fqdns:
+            event.add("source.fqdn", fqdns[0], raise_failure=False)
+        if len(fqdns) > 1:
+            event.add("extra.fqdns", ";".join(fqdns), raise_failure=False)
+        event.add("extra.tag", ";".join(line.get("tags", [])), raise_failure=False)
+
+        cves = ";".join(cve.get("id", "").lower() for cve in line.get("cves", []))
+        if cves:
+            event.add("product.vulnerabilities", cves, raise_failure=False)
+
+        services = line.get("services", [])
+        last_scanned = datetime.now(tz=timezone.utc)
+        if services:
+            last_scanned = max(s["scanned_at"] for s in services)
+            event.add("extra.services", services, raise_failure=False)
+
+            for service in services:
+                # This is what we were looking for
+                if service["is_match"]:
+                    event.add(
+                        "protocol.application",
+                        service.get("protocol"),
+                        ignore=(None, "unknown"),
+                        raise_failure=False,
+                    )
+                    event.add(
+                        "protocol.transport",
+                        service.get("transport"),
+                        raise_failure=False,
+                    )
+                    event.add("source.port", service.get("port"), raise_failure=False)
+
+                    last_scanned = service.get("scanned_at") or last_scanned
+
+                    # TODO: emit more events?
+                    break
+
+        event.add("time.source", last_scanned, raise_failure=False)
+
+        return event
+
+
+BOT = ModatParserBot

intelmq_extensions/etc/harmonization.conf

@@ -1,5 +1,33 @@
 {
     "event": {
+        "destination_visible": {
+            "description": "If destination fields are visible. CERT.at-specific",
+            "type": "Boolean"
+        },
+        "notify": {
+            "description": "If mail will be sent out to affected or responsible contact. CERT.at-specific",
+            "type": "Boolean"
+        },
+        "rtir_incident_id": {
+            "description": "Request Tracker Incident Response incident id. CERT.at-specific",
+            "type": "Integer"
+        },
+        "rtir_investigation_id": {
+            "description": "Request Tracker Incident Response investigation id. CERT.at-specific",
+            "type": "Integer"
+        },
+        "rtir_report_id": {
+            "description": "Request Tracker Incident Response incident report id. CERT.at-specific",
+            "type": "Integer"
+        },
+        "sent_at": {
+            "description": "Time when the report has been sent to the responsible recipient. CERT.at-specific",
+            "type": "DateTime"
+        },
+        "shareable_extra_info": {
+            "description": "Fields from extra which can be shared. CERT.at-specific",
+            "type": "JSON"
+        },
         "classification.identifier": {
             "description": "The lowercase identifier defines the actual software or service (e.g. ``heartbleed`` or ``ntp_version``) or standardized malware name (e.g. ``zeus``). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.",
             "type": "String"
@@ -7,7 +35,7 @@
         "classification.taxonomy": {
             "description": "We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to a an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information about check `ENISA taxonomies <http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies>`_.",
             "length": 100,
-            "type": "LowercaseString"
+            "type": "ClassificationTaxonomy"
         },
         "classification.type": {
             "description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid *type explosion*, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.",
@@ -17,6 +45,10 @@
             "description": "Free text commentary about the abuse event inserted by an analyst.",
             "type": "String"
         },
+        "constituency": {
+            "description": "Internal identifier for multi-constituency setup",
+            "type": "String"
+        },
         "destination.abuse_contact": {
             "description": "Abuse contact for destination address. A comma separated list.",
             "type": "LowercaseString"
@@ -81,11 +113,11 @@
             "type": "IPAddress"
         },
         "destination.local_hostname": {
-            "description": "Some sources report a internal hostname within a NAT related to the name configured for a compromized system",
+            "description": "Some sources report an internal hostname within a NAT related to the name configured for a compromised system",
             "type": "String"
         },
         "destination.local_ip": {
-            "description": "Some sources report a internal (NATed) IP address related a compromized system. N.B. RFC1918 IPs are OK here.",
+            "description": "Some sources report an internal (NATed) IP address related a compromised system. N.B. RFC1918 IPs are OK here.",
             "type": "IPAddress"
         },
         "destination.network": {
@@ -118,10 +150,6 @@
             "description": "The path portion of an HTTP or related network request.",
             "type": "String"
         },
-        "destination_visible": {
-            "description": "If destination fields are visible.",
-            "type": "Boolean"
-        },
         "event_description.target": {
             "description": "Some sources denominate the target (organization) of a an attack.",
             "type": "String"
@@ -144,6 +172,10 @@
             "description": "All anecdotal information, which cannot be parsed into the data harmonization elements. E.g. os.name, os.version, etc.  **Note**: this is only intended for mapping any fields which can not map naturally into the data harmonization. It is not intended for extending the data harmonization with your own fields.",
             "type": "JSONDict"
         },
+        "extra.min_amplification": {
+            "description": "Temporal definition to make sieve work properly",
+            "type": "Float"
+        },
         "feed.accuracy": {
             "description": "A float between 0 and 100 that represents how accurate the data in the feed is",
             "type": "Accuracy"
@@ -209,14 +241,30 @@
             "regex": "^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[0-9a-z]{12}$",
             "type": "LowercaseString"
         },
-        "notify": {
-            "description": "If mail will be sent out to affected or responsible contact.",
-            "type": "Boolean"
-        },
         "output": {
             "description": "Event data converted into foreign format, intended to be exported by output plugin.",
             "type": "JSON"
         },
+        "product.full_name": {
+            "description": "A human readable product name. If a machine-readable format isn't available, this field should be used. It can directly use the version identification strings presented by the product. If not given, a good enough value can usually be constructed by concatenating product.product and product.version, or by consulting external sources such as the CPE Product Dictionary. Example: openssh_/8.9",
+            "type": "String"
+        },
+        "product.name": {
+            "description": "Product name, recommended being as the product in the CPE format. Example: openssh",
+            "type": "LowercaseString"
+        },
+        "product.vendor": {
+            "description": "Vendor name, recommended being as vendor in the CPE format. Example: openbsd",
+            "type": "LowercaseString"
+        },
+        "product.version": {
+            "description": "Product version, recommended being as version in the CPE format. Example: 8.9",
+            "type": "LowercaseString"
+        },
+        "product.vulnerabilities": {
+            "description": "List of vulnerability IDs, separated by semicolons. It's recommended to use a CVE ID where available, and other easily retrievable IDs in other cases, e.g. Github Advisory Database ID. Each vulnerability should only be listed once, and multiple values should be used if there are several different vulnerabilities. However, it's not necessary for a source to list all possible vulnerabilities for a given piece of software. Example: cve-2023-38408;cve-2023-28531;cve-2008-3844;cve-2007-2768",
+            "type": "LowercaseString"
+        },
         "protocol.application": {
             "description": "e.g. vnc, ssh, sip, irc, http or smtp.",
             "length": 100,
@@ -233,29 +281,19 @@
             "description": "The original line of the event from encoded in base64.",
             "type": "Base64"
         },
-        "rtir_incident_id": {
-            "description": "Request Tracker Incident Response incident id.",
-            "type": "Integer"
-        },
-        "rtir_investigation_id": {
-            "description": "Request Tracker Incident Response investigation id.",
-            "type": "Integer"
-        },
-        "rtir_report_id": {
-            "description": "Request Tracker Incident Response incident report id.",
+        "rtir_id": {
+            "description": "Request Tracker Incident Response ticket id.",
             "type": "Integer"
         },
         "screenshot_url": {
             "description": "Some source may report URLs related to a an image generated of a resource without any metadata. Or an URL pointing to resource, which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.",
             "type": "URL"
         },
-        "sent_at": {
-            "description": "Time when the report has been sent to the responsible recipient.",
-            "type": "DateTime"
-        },
-        "shareable_extra_info": {
-            "description": "Fields from extra which can be shared.",
-            "type": "JSON"
+        "severity": {
+            "description": "Severity of the event, based on the information from the source, and eventually modified by IntelMQ during processing. Meaning of the levels may differ based on the event source. Allowed values: critical (highly critical vulnerabilities being actively exploited and pose a very high likelihood of compromise. For example, RCEs, sensitive data access), high (end of life systems, accessible internal systems that should not be exposed, risk of data leaks, malware drone and sinkhole events), medium (DDoS-amplifiers, unencrypted services requiring login, vulnerabilities requiring MITM to exploit, attacks need prior knowledge), low (deviation from best practice, little to no practical way to exploit, but setup is not ideal), info (informational only, no known risk), undefined (unknown or undetermined)",
+            "length": 10,
+            "regex": "^(critical|high|medium|low|info|undefined)$",
+            "type": "LowercaseString"
         },
         "source.abuse_contact": {
             "description": "Abuse contact for source address. A comma separated list.",
@@ -389,6 +427,10 @@
         }
     },
     "report": {
+        "rtir_report_id": {
+            "description": "Request Tracker Incident Response incident report id. CERT.at-specific",
+            "type": "Integer"
+        },
         "extra": {
             "description": "All anecdotal information of the report, which cannot be parsed into the data harmonization elements. E.g. subject of mails, etc. This is data is not automatically propagated to the events.",
             "type": "JSONDict"
@@ -422,8 +464,8 @@
             "description": "The original raw and unparsed data encoded in base64.",
             "type": "Base64"
         },
-        "rtir_report_id": {
-            "description": "Request Tracker Incident Response incident report id.",
+        "rtir_id": {
+            "description": "Request Tracker Incident Response ticket id.",
             "type": "Integer"
         },
         "time.observation": {
@@ -431,4 +473,4 @@
             "type": "DateTime"
         }
     }
-}
+}

intelmq_extensions/tests/bots/collectors/modat/test_collector.py

@@ -0,0 +1,112 @@
+"""Tests for Modat Collector
+
+SPDX-FileCopyrightText: 2025 CERT.at GmbH <https://cert.at/>
+SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+
+import json
+import unittest
+from unittest import mock
+
+import intelmq.lib.message as message
+import requests
+from requests_mock import MockerCore
+
+from intelmq_extensions.bots.collectors.modat.collector import ModatCollectorBot
+
+from ....base import BotTestCase
+
+
+class TestModatCollectorBot(BotTestCase, unittest.TestCase):
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ModatCollectorBot
+        cls.sysconfig = {
+            "query": "test-query",
+            "type": "host",
+            "api_key": "secure-api-key",
+            "code": "feed-code",
+        }
+
+    def mock_http_session(self):
+        session = requests.Session()
+        session_mock = mock.patch(
+            "intelmq_extensions.bots.collectors.modat.collector.create_request_session",
+            return_value=session,
+        )
+        session_mock.start()
+        self.addCleanup(session_mock.stop)
+
+        self.requests = MockerCore(session=session)
+        self.requests.start()
+        self.addCleanup(self.requests.stop)
+
+    def setUp(self):
+        super().setUp()
+        self.mock_http_session()
+
+    def mock_request(
+        self,
+        path: str,
+        expected_query: str = "test-query",
+        expected_page: int = 1,
+        expected_page_size: int = 10,
+        **kwargs,
+    ):
+        def check_request(request):
+            if request.headers.get("Authorization", "") != "Bearer secure-api-key":
+                return False
+            if request.json()["query"] != expected_query:
+                return False
+            if request.json()["page"] != expected_page:
+                return False
+            if request.json()["page_size"] != expected_page_size:
+                return False
+            return True
+
+        self.requests.post(
+            f"https://api.magnify.modat.io/{path}",
+            status_code=200,
+            additional_matcher=check_request,
+            **kwargs,
+        )
+
+    def _create_report_dict(self, data, **kwargs):
+        report = message.Report(kwargs, harmonization=self.harmonization)
+        report.add("feed.name", "Test Bot")
+        report.add("feed.accuracy", 100.0)
+        report.add("feed.code", "feed-code")
+        report.add("raw", json.dumps(data))
+        return report.to_dict(with_type=True)
+
+    def test_query_hosts(self):
+        self.mock_request(
+            "host/search/v1",
+            json={
+                "page_nr": 1,
+                "total_pages": 1,
+                "total_records": 4,
+                "page": [{"ip": "ip1"}, {"ip": "ip2"}],
+            },
+        )
+        self.mock_request(
+            "host/search/v1",
+            json={
+                "page_nr": 2,
+                "total_pages": 1,
+                "total_records": 4,
+                "page": [{"ip": "ip3"}, {"ip": "ip4"}],
+            },
+            expected_page=2,
+        )
+
+        self.run_bot()
+
+        self.assertOutputQueueLen(2)
+        self.assertMessageEqual(
+            0, self._create_report_dict([{"ip": "ip1"}, {"ip": "ip2"}])
+        )
+        self.assertMessageEqual(
+            1, self._create_report_dict([{"ip": "ip3"}, {"ip": "ip4"}])
+        )
+        self.assertEqual(2, self.requests.call_count)

intelmq_extensions/tests/bots/experts/replace_in_dict/test_expert.py

@@ -0,0 +1,92 @@
+# -*- coding: utf-8 -*-
+"""
+Testing ReplaceInDictExpertBot.
+"""
+
+import copy
+import unittest
+
+from intelmq.lib.exceptions import ConfigurationError
+
+from intelmq_extensions.bots.experts.replace_in_dict.expert import (
+    ReplaceInDictExpertBot,
+)
+
+from ....base import BotTestCase
+
+
+class TestReplaceInDictExpertBot(BotTestCase, unittest.TestCase):
+    """
+    A TestCase for ReplaceInDictExpertBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ReplaceInDictExpertBot
+        cls.sysconfig = {
+            "old_value": "\\u0000",
+            "new_value": "[nullbyte]",
+            "fields": "extra",
+        }
+        cls.default_input_message = {"__type": "Event"}
+
+    def test_event_no_changes(self):
+        message = {
+            "__type": "Event",
+            "time.observation": "2015-01-01T00:00:00+00:00",
+            "extra.payload": "foo",
+            "extra.name": "bar",
+            "extra.firmwarerev": 1,
+        }
+        self.input_message = copy.deepcopy(message)
+        self.run_bot()
+        self.assertMessageEqual(0, message)
+
+    def test_event_no_extra(self):
+        message = {
+            "__type": "Event",
+            "time.observation": "2015-01-01T00:00:00+00:00",
+            "feed.code": "foo",
+        }
+        self.input_message = copy.deepcopy(message)
+        self.run_bot()
+        self.assertMessageEqual(0, message)
+
+    def test_event_changes_one_dict(self):
+        message = {
+            "__type": "Event",
+            "time.observation": "2015-01-01T00:00:00+00:00",
+            "extra.payload": "foo\\u0000bar\\u0000",
+            "extra.name": "bar ok \\u0001 and not ok \\\\u0000",
+            "extra.firmwarerev": 1,
+            "feed.code": "foo",
+        }
+        self.input_message = copy.deepcopy(message)
+        self.run_bot()
+
+        message["extra.payload"] = "foo[nullbyte]bar[nullbyte]"
+        message["extra.name"] = "bar ok \\u0001 and not ok \\[nullbyte]"
+        self.assertMessageEqual(0, message)
+
+    def test_event_multiple_dict_fail_if_not_jsondict(self):
+        with self.assertRaises(ConfigurationError):
+            self.run_bot(
+                parameters={
+                    "fields": "extra,output",
+                }
+            )
+
+    def test_event_other_fields_not_modified(self):
+        message = {
+            "__type": "Event",
+            "time.observation": "2015-01-01T00:00:00+00:00",
+            "feed.code": "foo\\u0000",
+        }
+        self.input_message = copy.deepcopy(message)
+        self.run_bot()
+
+        self.assertMessageEqual(0, message)
+
+
+if __name__ == "__main__":
+    unittest.main()

intelmq_extensions/tests/bots/parsers/modat/data.py

@@ -0,0 +1,135 @@
+"""Data for tests for ModatParserBot
+
+SPDX-FileCopyrightText: 2025 CERT.at GmbH <https://cert.at/>
+SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+
+RESPONSE_1 = [
+    {
+        "ip": "127.0.0.1",
+        "geo": {
+            "city_name": "Vienna",
+            "country_name": "Austria",
+            "country_iso_code": "AT",
+        },
+        "asn": {"number": 8412, "org": "T-Mobile Austria GmbH"},
+        "fqdns": ["domain.example.at", "device-123.example.at"],
+        "is_anycast": False,
+        "tags": [],
+        "cves": [
+            {"id": "CVE-2020-11985", "cvss": 5.3, "is_kev": False},
+            {"id": "CVE-2025-3891", "cvss": 7.5, "is_kev": False},
+        ],
+        "services": [
+            {
+                "transport": "tcp",
+                "port": 8443,
+                "ports": [8443],
+                "last_scanned_port": 8443,
+                "protocol": "http",
+                "scanned_at": "2025-12-17T03:57:49Z",
+                "is_match": False,
+            },
+            {
+                "transport": "tcp",
+                "port": 49592,
+                "ports": [49592],
+                "last_scanned_port": 49592,
+                "protocol": "http",
+                "scanned_at": "2025-05-29T20:24:10.308508Z",
+                "is_match": True,
+            },
+            {
+                "transport": "tcp",
+                "port": 39895,
+                "ports": [39895],
+                "last_scanned_port": 39895,
+                "protocol": "unknown",
+                "scanned_at": "2025-11-22T12:22:14Z",
+                "is_match": True,
+            },
+        ],
+    },
+    {
+        "ip": "127.0.0.2",
+        "geo": {
+            "city_name": "Feldkirch",
+            "country_name": "Austria",
+            "country_iso_code": "AT",
+        },
+        "asn": {"number": 5385, "org": "Russmedia IT GmbH"},
+        "fqdns": [],
+        "is_anycast": False,
+        "tags": [],
+        "cves": [
+            {"id": "CVE-2016-1247", "cvss": 7.8, "is_kev": False},
+            {"id": "CVE-2017-20005", "cvss": 9.8, "is_kev": False},
+        ],
+        "services": [
+            {
+                "transport": "tcp",
+                "port": 44302,
+                "ports": [44302],
+                "last_scanned_port": 44302,
+                "protocol": "unknown",
+                "scanned_at": "2025-11-24T00:30:40Z",
+                "is_match": True,
+            },
+            {
+                "transport": "tcp",
+                "port": 443,
+                "ports": [443],
+                "last_scanned_port": 443,
+                "protocol": "http",
+                "scanned_at": "2025-12-15T15:54:24Z",
+                "is_match": False,
+            },
+            {
+                "transport": "tcp",
+                "port": 8443,
+                "ports": [8443],
+                "last_scanned_port": 8443,
+                "protocol": "http",
+                "scanned_at": "2025-12-16T22:49:47Z",
+                "is_match": False,
+            },
+        ],
+    },
+]
+
+EVENT_1 = {
+    # "raw": RESPONSE1[0],
+    "source.ip": "127.0.0.1",
+    "source.geolocation.cc": "AT",
+    "source.geolocation.country": "Austria",
+    "source.geolocation.city": "Vienna",
+    "extra": {
+        "services": RESPONSE_1[0]["services"],
+        "fqdns": "domain.example.at;device-123.example.at",
+    },
+    "product.vulnerabilities": "cve-2020-11985;cve-2025-3891",
+    "protocol.application": "http",
+    "protocol.transport": "tcp",
+    "source.as_name": "T-Mobile Austria GmbH",
+    "source.asn": 8412,
+    "source.fqdn": "domain.example.at",
+    "source.port": 49592,
+    "time.source": "2025-05-29T20:24:10.308508+00:00",
+}
+
+EVENT_2 = {
+    # "raw": RESPONSE1[1],
+    "source.ip": "127.0.0.2",
+    "source.geolocation.cc": "AT",
+    "source.geolocation.country": "Austria",
+    "source.geolocation.city": "Feldkirch",
+    "extra": {
+        "services": RESPONSE_1[1]["services"],
+    },
+    "product.vulnerabilities": "cve-2016-1247;cve-2017-20005",
+    "protocol.transport": "tcp",
+    "source.as_name": "Russmedia IT GmbH",
+    "source.asn": 5385,
+    "source.port": 44302,
+    "time.source": "2025-11-24T00:30:40+00:00",
+}

intelmq_extensions/tests/bots/parsers/modat/test_parser.py

@@ -0,0 +1,83 @@
+"""Tests for ModatParserBot
+
+SPDX-FileCopyrightText: 2025 CERT.at GmbH <https://cert.at/>
+SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+
+import json
+import unittest
+from datetime import datetime
+
+import intelmq.lib.message as message
+from dateutil.tz import UTC
+
+from intelmq_extensions.bots.parsers.modat.parser import ModatParserBot
+
+from ....base import BotTestCase
+from . import data
+
+
+class TestModatParserBot(BotTestCase, unittest.TestCase):
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ModatParserBot
+        cls.sysconfig = {
+            "default_fields": {
+                "classification.taxonomy": "other",
+                "classification.type": "other",
+                "classification.identifier": "something",
+            }
+        }
+
+    def _create_report_dict(self, raw, **kwargs):
+        data = {
+            "feed.name": "Test Bot",
+            "feed.accuracy": 100.0,
+            "feed.code": "feed-code",
+            "time.observation": datetime(2023, 1, 1, tzinfo=UTC).isoformat(),
+        }
+        data.update(kwargs)
+        report = message.Report(data, harmonization=self.harmonization)
+        report.add("raw", json.dumps(raw))
+        return report.to_dict(with_type=True)
+
+    def _create_event_dict(
+        self,
+        extra: dict,
+        # raw: dict,
+        **kwargs,
+    ):
+        data = {
+            "classification.identifier": "something",
+            "classification.taxonomy": "other",
+            "classification.type": "other",
+            "time.observation": datetime(2023, 1, 1, tzinfo=UTC).isoformat(),
+            "feed.accuracy": 100.0,
+            "feed.code": "feed-code",
+            "feed.name": "Test Bot",
+        }
+        data.update(kwargs)
+        event = message.Event(data, harmonization=self.harmonization)
+        event.add("extra", extra)
+        # event.add(
+        #     "raw", json.dumps(raw)
+        # )
+        return event.to_dict(with_type=True)
+
+    def test_parsing_report_default(self):
+        self.input_message = self._create_report_dict(data.RESPONSE_1)
+
+        self.run_bot()
+
+        self.assertMessageEqual(
+            0,
+            self._create_event_dict(
+                **data.EVENT_1,
+            ),
+            compare_raw=False,
+        )
+        self.assertMessageEqual(
+            1,
+            self._create_event_dict(**data.EVENT_2),
+            compare_raw=False,
+        )

{intelmq_extensions-1.8.1.dist-info → intelmq_extensions-1.10.0.dist-info}/METADATA

@@ -1,22 +1,22 @@
 Metadata-Version: 2.4
 Name: intelmq_extensions
-Version: 1.8.1
+Version: 1.10.0
 Summary: Additional bots for IntelMQ
 Author: CERT.at Data & Development Team
 License: AGPLv3
 Project-URL: Repository, https://github.com/certat/intelmq-extensions
 Classifier: Programming Language :: Python :: 3
-Requires-Python: >=3.7
+Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: rt<3.0.0,>=1.0.9
-Requires-Dist: mergedeep
 Requires-Dist: intelmq
-Requires-Dist: tabulate>=0.7.5
+Requires-Dist: importlib_metadata; python_version < "3.8"
 Requires-Dist: psycopg2-binary
 Requires-Dist: netaddr>=0.7.14
+Requires-Dist: rt<3.0.0,>=1.0.9
+Requires-Dist: tabulate>=0.7.5
 Requires-Dist: python-termstyle>=0.1.10
-Requires-Dist: importlib_metadata; python_version < "3.8"
+Requires-Dist: mergedeep
 Provides-Extra: dev
 Requires-Dist: pytest; extra == "dev"
 Requires-Dist: tox>=4; extra == "dev"
@@ -30,14 +30,25 @@ Dynamic: requires-dist
 
 # IntelMQ Extensions
 
-This project collects customized bots used primary by CERT.at.
+[![Running tests](https://github.com/certat/intelmq-extensions/actions/workflows/ci.yml/badge.svg)](https://github.com/certat/intelmq-extensions/actions/workflows/ci.yml)
+
+This project collects customized bots and some helper scripts for
+[IntelMQ](https://github.com/certtools/intelmq) used primary by CERT.at.
+
+It's a combination of customization previously available in [certat/intelmq](https://github.com/certat/intelmq)
+as well as newer solutions.
 
 ## Usage
 
-Install the package on the machine. Then, it's enough to just declare the bot's module
-pointing to this package, e.g. `intelmq_extensions.bots.collectors.xmpp`
+Install the package on the machine or virtualenv, where you have the IntelMQ, using
+`pip install intelmq-extensions`. Then, the bots will be available as any other IntelMQ
+bot in the Manager as well to import using `intelmq.bots.*.certat` namespace, e.g.
+`intelmq.bots.experts.certat.vulnerability_lookup.expert`
 
+## Documentation
 
+There is a limited documentation available. Consult bot Python code to see information
+about the usage and available configuration.
 
 ## Running tests
 
@@ -58,3 +69,9 @@ This package comes with test runners configured using `tox`. To use them:
     tox -efull-with-docker -- intelmq_extensions/tests/bots/experts/squelcher/test_expert.py::TestSquelcherExpertBot::test_address_match1
 
 ```
+
+---
+
+Part of the development was financed by the European Union.
+
+![CEF-Logo](https://github.com/certat/intelmq-extensions/blob/main/docs/cef_logo.png?raw=true)

{intelmq_extensions-1.8.1.dist-info → intelmq_extensions-1.10.0.dist-info}/RECORD

@@ -6,6 +6,8 @@ intelmq_extensions/bots/collectors/blackkite/collector.py,sha256=ZpAgJOOMKRh-q2T
 intelmq_extensions/bots/collectors/disp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/bots/collectors/disp/_client.py,sha256=iLHDV6gu2uBwUPUe8x_rIVfnTrrjgIUdk9khFigXYX8,3929
 intelmq_extensions/bots/collectors/disp/collector.py,sha256=j1EEQx8awDxLs-K1vl7tjBQ2GaRRGhsaZ_mICeUdjrw,3374
+intelmq_extensions/bots/collectors/modat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+intelmq_extensions/bots/collectors/modat/collector.py,sha256=PGtbHkgvay2vtzl9n8iugh1mb7peXOIEf8fVZnRP4KA,2343
 intelmq_extensions/bots/collectors/xmpp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/bots/collectors/xmpp/collector.py,sha256=6jOSwjkHCuPQShG_2gwczrxIevUA83-Go18mrlvFmzw,7415
 intelmq_extensions/bots/experts/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -17,6 +19,8 @@ intelmq_extensions/bots/experts/event_group_splitter/__init__.py,sha256=47DEQpj8
 intelmq_extensions/bots/experts/event_group_splitter/expert.py,sha256=Jq9v1p94dwbiFKeaulf7pg5XA15hlb967Wwvjp-fZ3g,4095
 intelmq_extensions/bots/experts/event_splitter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/bots/experts/event_splitter/expert.py,sha256=DcAXwapXMmP-IP7sPwDBWJ9cMu9UCcKh3nJPSDJbGfU,1204
+intelmq_extensions/bots/experts/replace_in_dict/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+intelmq_extensions/bots/experts/replace_in_dict/expert.py,sha256=GyevseD5n5E5cNO_6PZqnK8gZhILplPvLcwyS6iXNks,1375
 intelmq_extensions/bots/experts/squelcher/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/bots/experts/squelcher/expert.py,sha256=cvmA4N5MjC_QazcEmCgW_uffn0P-4jPIPMikjtOcEd0,11022
 intelmq_extensions/bots/experts/vulnerability_lookup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -36,12 +40,14 @@ intelmq_extensions/bots/parsers/disp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeu
 intelmq_extensions/bots/parsers/disp/parser.py,sha256=co-eOx8aR3-z2BYe50Rlyr9dYWlX1w0ZoBAFZVgCdbg,4401
 intelmq_extensions/bots/parsers/malwaredomains/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/bots/parsers/malwaredomains/parser.py,sha256=FEp0YxZ44bD5KoeO162nRols48Xtq_8haAA8zA7BgZg,1996
+intelmq_extensions/bots/parsers/modat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+intelmq_extensions/bots/parsers/modat/parser.py,sha256=VanWdV8RhTcqlwGlbrtJ848GG9s0DVSAPE93nGZhLpk,3165
 intelmq_extensions/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/cli/create_reports.py,sha256=aPANN6VeHQhTSl6XT0SKulo9WhEuR1lFZVfWJ3TaOYk,5591
 intelmq_extensions/cli/intelmqcli.py,sha256=1DhGm_wAyyUEA45CEFkbLN-k29O9o6XPcSZFvjOc_Ls,24085
 intelmq_extensions/cli/lib.py,sha256=mrMuRVvd-nKd1ASVBhTZn28B13VIK6VVSv-MZO2FFx4,20767
 intelmq_extensions/cli/utils.py,sha256=CpK4rvYtJDYiW5CDhxtBwK7VIY-MOV6FSSEQpwf4HmE,410
-intelmq_extensions/etc/harmonization.conf,sha256=n6PXTYYD5LQRIBgNmDIeco1dy5gwxu77_g_qj6P8Qz8,22018
+intelmq_extensions/etc/harmonization.conf,sha256=8kxVSdZEFE7ik1XL1np_vHd3CvTasQ8N4w5hUdMW3YU,25393
 intelmq_extensions/etc/squelcher.conf,sha256=36hrMfzBL2C36tFExvDc4OxmIA_Z1x8UEUDfiY1vH5A,989
 intelmq_extensions/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/lib/api_helpers.py,sha256=wi4Jau_9MThoborMhAi4Qpq3w2sviHNpxSJDce1JXfw,3453
@@ -58,6 +64,8 @@ intelmq_extensions/tests/bots/collectors/disp/__init__.py,sha256=47DEQpj8HBSa-_T
 intelmq_extensions/tests/bots/collectors/disp/base.py,sha256=BDFdvkWs4hQNtYU35CaK_yLvIvk1DJnmclmrxpzNfBU,4655
 intelmq_extensions/tests/bots/collectors/disp/test_client.py,sha256=FsEUyhgWtv9OaPADhVv-FbG9lH5Vqk7hJ_mHTXYp0rA,4366
 intelmq_extensions/tests/bots/collectors/disp/test_collector.py,sha256=-yeRJPS1fqbbZhFAFMbivCEIsfn6Sr3nT77kyY_t7S4,4385
+intelmq_extensions/tests/bots/collectors/modat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+intelmq_extensions/tests/bots/collectors/modat/test_collector.py,sha256=aLaOnk0dbskygFNPmVNKGUAKm04DzFxkiQPf4tkd6V4,3332
 intelmq_extensions/tests/bots/collectors/xmpp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/tests/bots/collectors/xmpp/test_collector.py,sha256=KyzENq4kYkFvANy19IWhHSGGW9ed7vbFk_dDS-sag0I,187
 intelmq_extensions/tests/bots/experts/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -69,6 +77,8 @@ intelmq_extensions/tests/bots/experts/event_group_splitter/__init__.py,sha256=47
 intelmq_extensions/tests/bots/experts/event_group_splitter/test_expert.py,sha256=FcuFOzOGctWQ0whG5e7t9_K2Vf7a_doDEl5WoWhDqq8,9124
 intelmq_extensions/tests/bots/experts/event_splitter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/tests/bots/experts/event_splitter/test_expert.py,sha256=KGjh86BacNiUcJGg8kxggHoJY3ORZPmPFmVPYJK0J6A,2752
+intelmq_extensions/tests/bots/experts/replace_in_dict/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+intelmq_extensions/tests/bots/experts/replace_in_dict/test_expert.py,sha256=aGJ0zGjU4qEKP4HLIF4LnFyze7I__DMrMJz6ynf5bko,2630
 intelmq_extensions/tests/bots/experts/squelcher/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/tests/bots/experts/squelcher/test_expert.py,sha256=oHE3E9q2fMwPVavgZM4Bs8kQCGehpMFEv3biJQs_JJk,17731
 intelmq_extensions/tests/bots/experts/vulnerability_lookup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -86,15 +96,18 @@ intelmq_extensions/tests/bots/parsers/disp/__init__.py,sha256=47DEQpj8HBSa-_TImW
 intelmq_extensions/tests/bots/parsers/disp/test_parser.py,sha256=geUXWaKpOUW_k9-Qb_VAtp99cr6vDTcnSBmT9LfDHec,9714
 intelmq_extensions/tests/bots/parsers/malwaredomains/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/tests/bots/parsers/malwaredomains/test_parser.py,sha256=zkfjcyniiPRcpABVurdRrRpZyZ2zV_PQ84xiU1eUJv0,1882
+intelmq_extensions/tests/bots/parsers/modat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+intelmq_extensions/tests/bots/parsers/modat/data.py,sha256=K4BVUxqm7zGHYittNmFC1FuLevCz6XapJAdhFY1EyOQ,4171
+intelmq_extensions/tests/bots/parsers/modat/test_parser.py,sha256=5Du2KG18F3BnvXrSckUojHoFSYyzWkyO24dMUqLlUMs,2401
 intelmq_extensions/tests/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/tests/cli/test_create_reports.py,sha256=hZ-3lhNJJPhi9xetyMAG7k-G5crZ9kf0bbvQj-nMSrg,3343
 intelmq_extensions/tests/cli/test_intelmqcli.py,sha256=Izy0FHVkj44DCgp4Zm8f1vYTdl5wDyCP1sZV0xgMrgY,5009
 intelmq_extensions/tests/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 intelmq_extensions/tests/lib/base.py,sha256=iD4MuDq0Dh-CqFDgyXf4CfaJgT4AL7XAcNjPGxUlkPM,2560
 intelmq_extensions/tests/lib/test_api_helpers.py,sha256=cO6KNfVjwpYgevyyxxokOAmk7VXo-8T8OCH8hQhf980,3807
-intelmq_extensions-1.8.1.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
-intelmq_extensions-1.8.1.dist-info/METADATA,sha256=FjXDB14UgCsC5FRaLxnsnGThgiC6p9k7ztXhi9zop5o,1988
-intelmq_extensions-1.8.1.dist-info/WHEEL,sha256=Nw36Djuh_5VDukK0H78QzOX-_FQEo6V37m3nkm96gtU,91
-intelmq_extensions-1.8.1.dist-info/entry_points.txt,sha256=dW_TN7JbkRT4zV7cJoFGIVzAcuqEL9OA1k7fI9Qtipk,3489
-intelmq_extensions-1.8.1.dist-info/top_level.txt,sha256=YVqZnmAiBfQPNdJPAv64Afvc41p3B24Akx2v2-3BFyc,19
-intelmq_extensions-1.8.1.dist-info/RECORD,,
+intelmq_extensions-1.10.0.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
+intelmq_extensions-1.10.0.dist-info/METADATA,sha256=mfhiBm-fykPWoGvl9UGMaiuGdVjbpole3WHd9UG4V7c,2843
+intelmq_extensions-1.10.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+intelmq_extensions-1.10.0.dist-info/entry_points.txt,sha256=ZnDurNdOqqIbPjKHzsmxrczs5aE9d_KLOlz1mQx2C5I,4141
+intelmq_extensions-1.10.0.dist-info/top_level.txt,sha256=YVqZnmAiBfQPNdJPAv64Afvc41p3B24Akx2v2-3BFyc,19
+intelmq_extensions-1.10.0.dist-info/RECORD,,

{intelmq_extensions-1.8.1.dist-info → intelmq_extensions-1.10.0.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (80.7.1)
+Generator: setuptools (80.9.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

{intelmq_extensions-1.8.1.dist-info → intelmq_extensions-1.10.0.dist-info}/entry_points.txt

@@ -1,11 +1,13 @@
 [console_scripts]
 intelmq.bots.collectors.certat.blackkite.collector = intelmq_extensions.bots.collectors.blackkite.collector:BOT.run
 intelmq.bots.collectors.certat.disp.collector = intelmq_extensions.bots.collectors.disp.collector:BOT.run
+intelmq.bots.collectors.certat.modat.collector = intelmq_extensions.bots.collectors.modat.collector:BOT.run
 intelmq.bots.collectors.certat.xmpp.collector = intelmq_extensions.bots.collectors.xmpp.collector:BOT.run
 intelmq.bots.experts.certat.certat_contact_intern.expert = intelmq_extensions.bots.experts.certat_contact_intern.expert:BOT.run
 intelmq.bots.experts.certat.copy_extra.expert = intelmq_extensions.bots.experts.copy_extra.expert:BOT.run
 intelmq.bots.experts.certat.event_group_splitter.expert = intelmq_extensions.bots.experts.event_group_splitter.expert:BOT.run
 intelmq.bots.experts.certat.event_splitter.expert = intelmq_extensions.bots.experts.event_splitter.expert:BOT.run
+intelmq.bots.experts.certat.replace_in_dict.expert = intelmq_extensions.bots.experts.replace_in_dict.expert:BOT.run
 intelmq.bots.experts.certat.squelcher.expert = intelmq_extensions.bots.experts.squelcher.expert:BOT.run
 intelmq.bots.experts.certat.vulnerability_lookup.expert = intelmq_extensions.bots.experts.vulnerability_lookup.expert:BOT.run
 intelmq.bots.outputs.certat.mattermost.output = intelmq_extensions.bots.outputs.mattermost.output:BOT.run
@@ -14,13 +16,16 @@ intelmq.bots.outputs.certat.xmpp.output = intelmq_extensions.bots.outputs.xmpp.o
 intelmq.bots.parsers.certat.blackkite.parser = intelmq_extensions.bots.parsers.blackkite.parser:BOT.run
 intelmq.bots.parsers.certat.disp.parser = intelmq_extensions.bots.parsers.disp.parser:BOT.run
 intelmq.bots.parsers.certat.malwaredomains.parser = intelmq_extensions.bots.parsers.malwaredomains.parser:BOT.run
+intelmq.bots.parsers.certat.modat.parser = intelmq_extensions.bots.parsers.modat.parser:BOT.run
 intelmq_extensions.bots.collectors.blackkite.collector = intelmq_extensions.bots.collectors.blackkite.collector:BOT.run
 intelmq_extensions.bots.collectors.disp.collector = intelmq_extensions.bots.collectors.disp.collector:BOT.run
+intelmq_extensions.bots.collectors.modat.collector = intelmq_extensions.bots.collectors.modat.collector:BOT.run
 intelmq_extensions.bots.collectors.xmpp.collector = intelmq_extensions.bots.collectors.xmpp.collector:BOT.run
 intelmq_extensions.bots.experts.certat_contact_intern.expert = intelmq_extensions.bots.experts.certat_contact_intern.expert:BOT.run
 intelmq_extensions.bots.experts.copy_extra.expert = intelmq_extensions.bots.experts.copy_extra.expert:BOT.run
 intelmq_extensions.bots.experts.event_group_splitter.expert = intelmq_extensions.bots.experts.event_group_splitter.expert:BOT.run
 intelmq_extensions.bots.experts.event_splitter.expert = intelmq_extensions.bots.experts.event_splitter.expert:BOT.run
+intelmq_extensions.bots.experts.replace_in_dict.expert = intelmq_extensions.bots.experts.replace_in_dict.expert:BOT.run
 intelmq_extensions.bots.experts.squelcher.expert = intelmq_extensions.bots.experts.squelcher.expert:BOT.run
 intelmq_extensions.bots.experts.vulnerability_lookup.expert = intelmq_extensions.bots.experts.vulnerability_lookup.expert:BOT.run
 intelmq_extensions.bots.outputs.mattermost.output = intelmq_extensions.bots.outputs.mattermost.output:BOT.run
@@ -29,5 +34,6 @@ intelmq_extensions.bots.outputs.xmpp.output = intelmq_extensions.bots.outputs.xm
 intelmq_extensions.bots.parsers.blackkite.parser = intelmq_extensions.bots.parsers.blackkite.parser:BOT.run
 intelmq_extensions.bots.parsers.disp.parser = intelmq_extensions.bots.parsers.disp.parser:BOT.run
 intelmq_extensions.bots.parsers.malwaredomains.parser = intelmq_extensions.bots.parsers.malwaredomains.parser:BOT.run
+intelmq_extensions.bots.parsers.modat.parser = intelmq_extensions.bots.parsers.modat.parser:BOT.run
 intelmqcli = intelmq_extensions.cli.intelmqcli:main
 intelmqcli_create_reports = intelmq_extensions.cli.create_reports:main