misp-modules 2.4.196__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (194) hide show
  1. misp_modules/__init__.py +379 -0
  2. misp_modules/helpers/__init__.py +1 -0
  3. misp_modules/helpers/cache.py +84 -0
  4. misp_modules/lib/__init__.py +4 -0
  5. misp_modules/lib/_vmray/__init__.py +0 -0
  6. misp_modules/lib/_vmray/parser.py +1417 -0
  7. misp_modules/lib/_vmray/rest_api.py +148 -0
  8. misp_modules/lib/cof2misp/LICENSE-2.0.txt +202 -0
  9. misp_modules/lib/cof2misp/__init__.py +0 -0
  10. misp_modules/lib/cof2misp/cof.py +165 -0
  11. misp_modules/lib/joe_mapping.py +114 -0
  12. misp_modules/lib/joe_parser.py +573 -0
  13. misp_modules/lib/lastline_api.py +841 -0
  14. misp_modules/lib/qintel_helper.py +263 -0
  15. misp_modules/lib/stix2misp.py +2080 -0
  16. misp_modules/lib/stix2misp_mapping.py +460 -0
  17. misp_modules/lib/synonymsToTagNames.json +1 -0
  18. misp_modules/lib/vt_graph_parser/__init__.py +8 -0
  19. misp_modules/lib/vt_graph_parser/errors.py +20 -0
  20. misp_modules/lib/vt_graph_parser/helpers/__init__.py +7 -0
  21. misp_modules/lib/vt_graph_parser/helpers/parsers.py +88 -0
  22. misp_modules/lib/vt_graph_parser/helpers/rules.py +304 -0
  23. misp_modules/lib/vt_graph_parser/helpers/wrappers.py +58 -0
  24. misp_modules/lib/vt_graph_parser/importers/__init__.py +7 -0
  25. misp_modules/lib/vt_graph_parser/importers/base.py +98 -0
  26. misp_modules/lib/vt_graph_parser/importers/pymisp_response.py +73 -0
  27. misp_modules/modules/__init__.py +4 -0
  28. misp_modules/modules/action_mod/__init__.py +1 -0
  29. misp_modules/modules/action_mod/_utils/__init__.py +1 -0
  30. misp_modules/modules/action_mod/_utils/utils.py +70 -0
  31. misp_modules/modules/action_mod/mattermost.py +113 -0
  32. misp_modules/modules/action_mod/slack.py +96 -0
  33. misp_modules/modules/action_mod/testaction.py +68 -0
  34. misp_modules/modules/expansion/__init__.py +36 -0
  35. misp_modules/modules/expansion/_dnsdb_query/COPYRIGHT +27 -0
  36. misp_modules/modules/expansion/_dnsdb_query/LICENSE +202 -0
  37. misp_modules/modules/expansion/_dnsdb_query/README.md +162 -0
  38. misp_modules/modules/expansion/_dnsdb_query/__init__.py +0 -0
  39. misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +327 -0
  40. misp_modules/modules/expansion/_ransomcoindb/__init__.py +0 -0
  41. misp_modules/modules/expansion/_ransomcoindb/ransomcoindb.py +96 -0
  42. misp_modules/modules/expansion/_vulnerability_parser/__init__.py +0 -0
  43. misp_modules/modules/expansion/_vulnerability_parser/vulnerability_parser.py +118 -0
  44. misp_modules/modules/expansion/abuseipdb.py +146 -0
  45. misp_modules/modules/expansion/apiosintds.py +365 -0
  46. misp_modules/modules/expansion/apivoid.py +133 -0
  47. misp_modules/modules/expansion/assemblyline_query.py +179 -0
  48. misp_modules/modules/expansion/assemblyline_submit.py +100 -0
  49. misp_modules/modules/expansion/backscatter_io.py +84 -0
  50. misp_modules/modules/expansion/btc_scam_check.py +54 -0
  51. misp_modules/modules/expansion/btc_steroids.py +238 -0
  52. misp_modules/modules/expansion/censys_enrich.py +287 -0
  53. misp_modules/modules/expansion/circl_passivedns.py +85 -0
  54. misp_modules/modules/expansion/circl_passivessl.py +113 -0
  55. misp_modules/modules/expansion/clamav.py +129 -0
  56. misp_modules/modules/expansion/cluster25_expand.py +239 -0
  57. misp_modules/modules/expansion/countrycode.py +69 -0
  58. misp_modules/modules/expansion/cpe.py +140 -0
  59. misp_modules/modules/expansion/crowdsec.py +235 -0
  60. misp_modules/modules/expansion/crowdstrike_falcon.py +148 -0
  61. misp_modules/modules/expansion/cuckoo_submit.py +161 -0
  62. misp_modules/modules/expansion/cve.py +57 -0
  63. misp_modules/modules/expansion/cve_advanced.py +185 -0
  64. misp_modules/modules/expansion/cytomic_orion.py +196 -0
  65. misp_modules/modules/expansion/dbl_spamhaus.py +78 -0
  66. misp_modules/modules/expansion/dns.py +71 -0
  67. misp_modules/modules/expansion/docx_enrich.py +71 -0
  68. misp_modules/modules/expansion/domaintools.py +290 -0
  69. misp_modules/modules/expansion/eql.py +91 -0
  70. misp_modules/modules/expansion/eupi.py +86 -0
  71. misp_modules/modules/expansion/extract_url_components.py +83 -0
  72. misp_modules/modules/expansion/farsight_passivedns.py +243 -0
  73. misp_modules/modules/expansion/geoip_asn.py +75 -0
  74. misp_modules/modules/expansion/geoip_city.py +75 -0
  75. misp_modules/modules/expansion/geoip_country.py +73 -0
  76. misp_modules/modules/expansion/google_safe_browsing.py +86 -0
  77. misp_modules/modules/expansion/google_search.py +57 -0
  78. misp_modules/modules/expansion/google_threat_intelligence.py +453 -0
  79. misp_modules/modules/expansion/greynoise.py +346 -0
  80. misp_modules/modules/expansion/hashdd.py +53 -0
  81. misp_modules/modules/expansion/hashlookup.py +118 -0
  82. misp_modules/modules/expansion/hibp.py +62 -0
  83. misp_modules/modules/expansion/html_to_markdown.py +63 -0
  84. misp_modules/modules/expansion/hyasinsight.py +881 -0
  85. misp_modules/modules/expansion/intel471.py +73 -0
  86. misp_modules/modules/expansion/intelmq_eventdb.py.experimental +67 -0
  87. misp_modules/modules/expansion/ip2locationio.py +90 -0
  88. misp_modules/modules/expansion/ipasn.py +70 -0
  89. misp_modules/modules/expansion/ipinfo.py +112 -0
  90. misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py +633 -0
  91. misp_modules/modules/expansion/iprep.py +98 -0
  92. misp_modules/modules/expansion/jinja_template_rendering.py +54 -0
  93. misp_modules/modules/expansion/joesandbox_query.py +91 -0
  94. misp_modules/modules/expansion/joesandbox_submit.py +147 -0
  95. misp_modules/modules/expansion/lastline_query.py +148 -0
  96. misp_modules/modules/expansion/lastline_submit.py +180 -0
  97. misp_modules/modules/expansion/macaddress_io.py +130 -0
  98. misp_modules/modules/expansion/macvendors.py +55 -0
  99. misp_modules/modules/expansion/malshare_upload.py +107 -0
  100. misp_modules/modules/expansion/malwarebazaar.py +67 -0
  101. misp_modules/modules/expansion/mcafee_insights_enrich.py +249 -0
  102. misp_modules/modules/expansion/mmdb_lookup.py +138 -0
  103. misp_modules/modules/expansion/module.py.skeleton +44 -0
  104. misp_modules/modules/expansion/mwdb.py +152 -0
  105. misp_modules/modules/expansion/ocr_enrich.py +74 -0
  106. misp_modules/modules/expansion/ods_enrich.py +71 -0
  107. misp_modules/modules/expansion/odt_enrich.py +61 -0
  108. misp_modules/modules/expansion/onyphe.py +243 -0
  109. misp_modules/modules/expansion/onyphe_full.py +387 -0
  110. misp_modules/modules/expansion/otx.py +167 -0
  111. misp_modules/modules/expansion/passive_ssh.py +150 -0
  112. misp_modules/modules/expansion/passivetotal.py +358 -0
  113. misp_modules/modules/expansion/pdf_enrich.py +58 -0
  114. misp_modules/modules/expansion/pptx_enrich.py +65 -0
  115. misp_modules/modules/expansion/qintel_qsentry.py +229 -0
  116. misp_modules/modules/expansion/qrcode.py +99 -0
  117. misp_modules/modules/expansion/ransomcoindb.py +82 -0
  118. misp_modules/modules/expansion/rbl.py +126 -0
  119. misp_modules/modules/expansion/recordedfuture.py +544 -0
  120. misp_modules/modules/expansion/reversedns.py +77 -0
  121. misp_modules/modules/expansion/securitytrails.py +571 -0
  122. misp_modules/modules/expansion/shodan.py +244 -0
  123. misp_modules/modules/expansion/sigma_queries.py +61 -0
  124. misp_modules/modules/expansion/sigma_syntax_validator.py +49 -0
  125. misp_modules/modules/expansion/sigmf_expand.py +303 -0
  126. misp_modules/modules/expansion/socialscan.py +108 -0
  127. misp_modules/modules/expansion/sophoslabs_intelix.py +146 -0
  128. misp_modules/modules/expansion/sourcecache.py +57 -0
  129. misp_modules/modules/expansion/stairwell.py +156 -0
  130. misp_modules/modules/expansion/stix2_pattern_syntax_validator.py +56 -0
  131. misp_modules/modules/expansion/threatcrowd.py +170 -0
  132. misp_modules/modules/expansion/threatfox.py +75 -0
  133. misp_modules/modules/expansion/threatminer.py +152 -0
  134. misp_modules/modules/expansion/triage_submit.py +119 -0
  135. misp_modules/modules/expansion/trustar_enrich.py +235 -0
  136. misp_modules/modules/expansion/urlhaus.py +164 -0
  137. misp_modules/modules/expansion/urlscan.py +269 -0
  138. misp_modules/modules/expansion/variotdbs.py +133 -0
  139. misp_modules/modules/expansion/virustotal.py +311 -0
  140. misp_modules/modules/expansion/virustotal_public.py +272 -0
  141. misp_modules/modules/expansion/virustotal_upload.py +91 -0
  142. misp_modules/modules/expansion/vmray_submit.py +161 -0
  143. misp_modules/modules/expansion/vmware_nsx.py +628 -0
  144. misp_modules/modules/expansion/vulndb.py +292 -0
  145. misp_modules/modules/expansion/vulnerability_lookup.py +324 -0
  146. misp_modules/modules/expansion/vulners.py +81 -0
  147. misp_modules/modules/expansion/vysion.py +221 -0
  148. misp_modules/modules/expansion/whois.py +72 -0
  149. misp_modules/modules/expansion/whoisfreaks.py +232 -0
  150. misp_modules/modules/expansion/wiki.py +58 -0
  151. misp_modules/modules/expansion/xforceexchange.py +189 -0
  152. misp_modules/modules/expansion/xlsx_enrich.py +63 -0
  153. misp_modules/modules/expansion/yara_query.py +70 -0
  154. misp_modules/modules/expansion/yara_syntax_validator.py +49 -0
  155. misp_modules/modules/expansion/yeti.py +196 -0
  156. misp_modules/modules/export_mod/__init__.py +3 -0
  157. misp_modules/modules/export_mod/cef_export.py +93 -0
  158. misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py +150 -0
  159. misp_modules/modules/export_mod/defender_endpoint_export.py +141 -0
  160. misp_modules/modules/export_mod/goamlexport.py +255 -0
  161. misp_modules/modules/export_mod/liteexport.py +97 -0
  162. misp_modules/modules/export_mod/mass_eql_export.py +106 -0
  163. misp_modules/modules/export_mod/nexthinkexport.py +131 -0
  164. misp_modules/modules/export_mod/osqueryexport.py +125 -0
  165. misp_modules/modules/export_mod/pdfexport.py +107 -0
  166. misp_modules/modules/export_mod/testexport.py +73 -0
  167. misp_modules/modules/export_mod/threatStream_misp_export.py +114 -0
  168. misp_modules/modules/export_mod/threat_connect_export.py +125 -0
  169. misp_modules/modules/export_mod/virustotal_collections.py +141 -0
  170. misp_modules/modules/export_mod/vt_graph.py +120 -0
  171. misp_modules/modules/export_mod/yara_export.py +290 -0
  172. misp_modules/modules/import_mod/__init__.py +22 -0
  173. misp_modules/modules/import_mod/cof2misp.py +264 -0
  174. misp_modules/modules/import_mod/csvimport.py +319 -0
  175. misp_modules/modules/import_mod/cuckooimport.py +749 -0
  176. misp_modules/modules/import_mod/email_import.py +294 -0
  177. misp_modules/modules/import_mod/goamlimport.py +188 -0
  178. misp_modules/modules/import_mod/import_blueprint.py +93 -0
  179. misp_modules/modules/import_mod/joe_import.py +74 -0
  180. misp_modules/modules/import_mod/lastline_import.py +160 -0
  181. misp_modules/modules/import_mod/mispjson.py +73 -0
  182. misp_modules/modules/import_mod/ocr.py +122 -0
  183. misp_modules/modules/import_mod/openiocimport.py +99 -0
  184. misp_modules/modules/import_mod/taxii21.py +383 -0
  185. misp_modules/modules/import_mod/testimport.py +73 -0
  186. misp_modules/modules/import_mod/threatanalyzer_import.py +552 -0
  187. misp_modules/modules/import_mod/url_import.py +97 -0
  188. misp_modules/modules/import_mod/vmray_import.py +96 -0
  189. misp_modules/modules/import_mod/vmray_summary_json_import.py +87 -0
  190. misp_modules-2.4.196.dist-info/LICENSE +661 -0
  191. misp_modules-2.4.196.dist-info/METADATA +281 -0
  192. misp_modules-2.4.196.dist-info/RECORD +194 -0
  193. misp_modules-2.4.196.dist-info/WHEEL +4 -0
  194. misp_modules-2.4.196.dist-info/entry_points.txt +3 -0
@@ -0,0 +1,881 @@
1
+ import json
2
+ import logging
3
+ from typing import Dict, List, Any
4
+
5
+ import requests
6
+ import re
7
+ from requests.exceptions import (
8
+ HTTPError,
9
+ ProxyError,
10
+ InvalidURL,
11
+ ConnectTimeout
12
+ )
13
+ from . import check_input_attribute, standard_error_message
14
+ from pymisp import MISPEvent, MISPObject, Distribution
15
+
16
+ ip_query_input_type = [
17
+ 'ip-src',
18
+ 'ip-dst'
19
+ ]
20
+ domain_query_input_type = [
21
+ 'hostname',
22
+ 'domain'
23
+ ]
24
+ email_query_input_type = [
25
+ 'email',
26
+ 'email-src',
27
+ 'email-dst',
28
+ 'target-email',
29
+ 'whois-registrant-email'
30
+ ]
31
+ phone_query_input_type = [
32
+ 'phone-number',
33
+ 'whois-registrant-phone'
34
+ ]
35
+
36
+ md5_query_input_type = [
37
+ 'md5',
38
+ 'x509-fingerprint-md5',
39
+ 'ja3-fingerprint-md5',
40
+ 'hassh-md5',
41
+ 'hasshserver-md5'
42
+ ]
43
+
44
+ sha1_query_input_type = [
45
+ 'sha1',
46
+ 'x509-fingerprint-sha1'
47
+ ]
48
+
49
+ sha256_query_input_type = [
50
+ 'sha256',
51
+ 'x509-fingerprint-sha256'
52
+ ]
53
+
54
+ sha512_query_input_type = [
55
+ 'sha512'
56
+ ]
57
+
58
+ misperrors = {
59
+ 'error': 'Error'
60
+ }
61
+ mispattributes = {
62
+ 'input': ip_query_input_type + domain_query_input_type + email_query_input_type + phone_query_input_type
63
+ + md5_query_input_type + sha1_query_input_type + sha256_query_input_type + sha512_query_input_type,
64
+ 'format': 'misp_standard'
65
+ }
66
+
67
+ moduleinfo = {
68
+ 'version': '0.1',
69
+ 'author': 'Mike Champ',
70
+ 'description': 'HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.',
71
+ 'module-type': ['expansion', 'hover'],
72
+ 'name': 'HYAS Insight Lookup',
73
+ 'logo': 'hyas.png',
74
+ 'requirements': ['A HYAS Insight API Key.'],
75
+ 'features': 'This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.\n The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. \n\nAn API key is required to submit queries to the HYAS Insight API.\n',
76
+ 'references': ['https://www.hyas.com/hyas-insight/'],
77
+ 'input': 'A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)',
78
+ 'output': 'Hyas Insight objects, resulting from the query on the HYAS Insight API.',
79
+ }
80
+ moduleconfig = ['apikey']
81
+ TIMEOUT = 60
82
+ logger = logging.getLogger('hyasinsight')
83
+ logger.setLevel(logging.DEBUG)
84
+ HYAS_API_BASE_URL = 'https://insight.hyas.com/api/ext/'
85
+ WHOIS_CURRENT_BASE_URL = 'https://api.hyas.com/'
86
+ DEFAULT_DISTRIBUTION_SETTING = Distribution.your_organisation_only.value
87
+ IPV4_REGEX = r'\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b([^\/]|$)'
88
+ IPV6_REGEX = r'\b(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:(?:(:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b' # noqa: E501
89
+ # Enrichment Types
90
+ # HYAS API endpoints
91
+ PASSIVE_DNS_ENDPOINT = 'passivedns'
92
+ DYNAMIC_DNS_ENDPOINT = 'dynamicdns'
93
+ PASSIVE_HASH_ENDPOINT = 'passivehash'
94
+ SINKHOLE_ENDPOINT = 'sinkhole'
95
+ SSL_CERTIFICATE_ENDPOINT = 'ssl_certificate'
96
+ DEVICE_GEO_ENDPOINT = 'device_geo'
97
+ WHOIS_HISTORIC_ENDPOINT = 'whois'
98
+ WHOIS_CURRENT_ENDPOINT = 'whois/v1'
99
+ MALWARE_RECORDS_ENDPOINT = 'sample'
100
+ MALWARE_INFORMATION_ENDPOINT = 'sample/information'
101
+ C2ATTRIBUTION_ENDPOINT = 'c2attribution'
102
+ OPEN_SOURCE_INDICATORS_ENDPOINT = 'os_indicators'
103
+
104
+ # HYAS API endpoint params
105
+ DOMAIN_PARAM = 'domain'
106
+ IP_PARAM = 'ip'
107
+ IPV4_PARAM = 'ipv4'
108
+ IPV6_PARAM = 'ipv6'
109
+ EMAIL_PARAM = 'email'
110
+ PHONE_PARAM = 'phone'
111
+ MD5_PARAM = 'md5'
112
+ SHA256_PARAM = 'sha256'
113
+ SHA512_PARAM = 'sha512'
114
+ HASH_PARAM = 'hash'
115
+ SHA1_PARAM = 'sha1'
116
+
117
+ HYAS_IP_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, PASSIVE_DNS_ENDPOINT, PASSIVE_HASH_ENDPOINT,
118
+ SINKHOLE_ENDPOINT,
119
+ SSL_CERTIFICATE_ENDPOINT, DEVICE_GEO_ENDPOINT, C2ATTRIBUTION_ENDPOINT,
120
+ MALWARE_RECORDS_ENDPOINT, OPEN_SOURCE_INDICATORS_ENDPOINT]
121
+ HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST = [PASSIVE_DNS_ENDPOINT, DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT,
122
+ MALWARE_RECORDS_ENDPOINT, WHOIS_CURRENT_ENDPOINT, PASSIVE_HASH_ENDPOINT,
123
+ C2ATTRIBUTION_ENDPOINT, SSL_CERTIFICATE_ENDPOINT,
124
+ OPEN_SOURCE_INDICATORS_ENDPOINT]
125
+ HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT, C2ATTRIBUTION_ENDPOINT]
126
+ HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST = [WHOIS_HISTORIC_ENDPOINT]
127
+ HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST = [SSL_CERTIFICATE_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
128
+ OPEN_SOURCE_INDICATORS_ENDPOINT]
129
+ HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST = [C2ATTRIBUTION_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
130
+ OPEN_SOURCE_INDICATORS_ENDPOINT]
131
+ HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST = [MALWARE_INFORMATION_ENDPOINT]
132
+ HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST = [MALWARE_RECORDS_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
133
+ OPEN_SOURCE_INDICATORS_ENDPOINT]
134
+
135
+ HYAS_OBJECT_NAMES = {
136
+ DYNAMIC_DNS_ENDPOINT: "Dynamic DNS Information",
137
+ PASSIVE_HASH_ENDPOINT: "Passive Hash Information",
138
+ SINKHOLE_ENDPOINT: "Sinkhole Information",
139
+ SSL_CERTIFICATE_ENDPOINT: "SSL Certificate Information",
140
+ DEVICE_GEO_ENDPOINT: "Mobile Geolocation Information",
141
+ C2ATTRIBUTION_ENDPOINT: "C2 Attribution Information",
142
+ PASSIVE_DNS_ENDPOINT: "Passive DNS Information",
143
+ WHOIS_HISTORIC_ENDPOINT: "Whois Related Information",
144
+ WHOIS_CURRENT_ENDPOINT: "Whois Current Related Information",
145
+ MALWARE_INFORMATION_ENDPOINT: "Malware Sample Information",
146
+ OPEN_SOURCE_INDICATORS_ENDPOINT: "Open Source Intel for malware, ssl certificates and other indicators Information",
147
+ MALWARE_RECORDS_ENDPOINT: "Malware Sample Records Information"
148
+ }
149
+
150
+
151
+ def parse_attribute(comment, feature, value):
152
+ """Generic Method for parsing the attributes in the object"""
153
+ attribute = {
154
+ 'type': 'text',
155
+ 'value': value,
156
+ 'comment': comment,
157
+ 'distribution': DEFAULT_DISTRIBUTION_SETTING,
158
+ 'object_relation': feature
159
+ }
160
+ return attribute
161
+
162
+
163
+ def misp_object(endpoint, attribute_value):
164
+ object_name = HYAS_OBJECT_NAMES[endpoint]
165
+ hyas_object = MISPObject(object_name)
166
+ hyas_object.distribution = DEFAULT_DISTRIBUTION_SETTING
167
+ hyas_object.template_uuid = "d69d3d15-7b4d-49b1-9e0a-bb29f3d421d9"
168
+ hyas_object.template_id = "1"
169
+ hyas_object.description = "HYAS INSIGHT " + object_name
170
+ hyas_object.comment = "HYAS INSIGHT " + object_name + " for " + attribute_value
171
+ setattr(hyas_object, 'meta-category', 'network')
172
+ description = (
173
+ "An object containing the enriched attribute and "
174
+ "related entities from HYAS Insight."
175
+ )
176
+ hyas_object.from_dict(
177
+ **{"meta-category": "misc", "description": description,
178
+ "distribution": DEFAULT_DISTRIBUTION_SETTING}
179
+ )
180
+ return hyas_object
181
+
182
+
183
+ def flatten_json(y: Dict) -> Dict[str, Any]:
184
+ """
185
+ :param y: raw_response from HYAS api
186
+ :return: Flatten json response
187
+ """
188
+ out = {}
189
+
190
+ def flatten(x, name=''):
191
+ # If the Nested key-value
192
+ # pair is of dict type
193
+ if type(x) is dict:
194
+ for a in x:
195
+ flatten(x[a], name + a + '_')
196
+ else:
197
+ out[name[:-1]] = x
198
+
199
+ flatten(y)
200
+ return out
201
+
202
+
203
+ def get_flatten_json_response(raw_api_response: List[Dict]) -> List[Dict]:
204
+ """
205
+ :param raw_api_response: raw_api response from the API
206
+ :return: Flatten Json response
207
+ """
208
+ flatten_json_response = []
209
+ if raw_api_response:
210
+ for obj in raw_api_response:
211
+ flatten_json_response.append(flatten_json(obj))
212
+
213
+ return flatten_json_response
214
+
215
+
216
+ def request_body(query_input, query_param, current):
217
+ """
218
+ This Method returns the request body for specific endpoint.
219
+ """
220
+
221
+ if current:
222
+ return {
223
+ "applied_filters": {
224
+ query_input: query_param,
225
+ "current": True
226
+ }
227
+ }
228
+ else:
229
+ return {
230
+ "applied_filters": {
231
+ query_input: query_param
232
+ }
233
+ }
234
+
235
+
236
+ def malware_info_lookup_to_markdown(results: Dict) -> list:
237
+ scan_results = results.get('scan_results', [])
238
+ out = []
239
+ if scan_results:
240
+ for res in scan_results:
241
+ malware_info_data = {
242
+ "avscan_score": results.get(
243
+ "avscan_score", ''),
244
+ "md5": results.get("md5", ''),
245
+ 'av_name': res.get(
246
+ "av_name", ''),
247
+ 'def_time': res.get(
248
+ "def_time", ''),
249
+ 'threat_found': res.get(
250
+ 'threat_found', ''),
251
+ 'scan_time': results.get("scan_time", ''),
252
+ 'sha1': results.get('sha1', ''),
253
+ 'sha256': results.get('sha256', ''),
254
+ 'sha512': results.get('sha512', '')
255
+ }
256
+ out.append(malware_info_data)
257
+ else:
258
+ malware_info_data = {
259
+ "avscan_score": results.get("avscan_score", ''),
260
+ "md5": results.get("md5", ''),
261
+ 'av_name': '',
262
+ 'def_time': '',
263
+ 'threat_found': '',
264
+ 'scan_time': results.get("scan_time", ''),
265
+ 'sha1': results.get('sha1', ''),
266
+ 'sha256': results.get('sha256', ''),
267
+ 'sha512': results.get('sha512', '')
268
+ }
269
+ out.append(malware_info_data)
270
+ return out
271
+
272
+
273
+ class RequestHandler:
274
+ """A class for handling any outbound requests from this module."""
275
+
276
+ def __init__(self, apikey):
277
+ self.session = requests.Session()
278
+ self.api_key = apikey
279
+
280
+ def get(self, url: str, headers: dict = None, req_body=None) -> requests.Response:
281
+ """General post method to fetch the response from HYAS Insight."""
282
+ response = []
283
+ try:
284
+ response = self.session.post(
285
+ url, headers=headers, json=req_body
286
+ )
287
+ if response:
288
+ response = response.json()
289
+ except (ConnectTimeout, ProxyError, InvalidURL) as error:
290
+ msg = "Error connecting with the HYAS Insight."
291
+ logger.error(f"{msg} Error: {error}")
292
+ misperrors["error"] = msg
293
+ return response
294
+
295
+ def hyas_lookup(self, end_point: str, query_input, query_param, current=False) -> requests.Response:
296
+ """Do a lookup call."""
297
+ # Building the request
298
+ if current:
299
+ url = f'{WHOIS_CURRENT_BASE_URL}{WHOIS_CURRENT_ENDPOINT}'
300
+ else:
301
+ url = f'{HYAS_API_BASE_URL}{end_point}'
302
+ headers = {
303
+ 'Content-type': 'application/json',
304
+ 'X-API-Key': self.api_key,
305
+ 'User-Agent': 'Misp Modules'
306
+ }
307
+ req_body = request_body(query_input, query_param, current)
308
+ try:
309
+ response = self.get(url, headers, req_body)
310
+ except HTTPError as error:
311
+ msg = f"Error when requesting data from HYAS Insight. {error.response}: {error.response.reason}"
312
+ logger.error(msg)
313
+ misperrors["error"] = msg
314
+ raise
315
+ return response
316
+
317
+
318
+ class HyasInsightParser:
319
+ """A class for handling the enrichment objects"""
320
+
321
+ def __init__(self, attribute):
322
+ self.attribute = attribute
323
+ self.misp_event = MISPEvent()
324
+ self.misp_event.add_attribute(**attribute)
325
+
326
+ self.c2_attribution_data_items = [
327
+ 'actor_ipv4',
328
+ 'c2_domain',
329
+ 'c2_ip',
330
+ 'c2_url',
331
+ 'datetime',
332
+ 'email',
333
+ 'email_domain',
334
+ 'referrer_domain',
335
+ 'referrer_ipv4',
336
+ 'referrer_url',
337
+ 'sha256'
338
+ ]
339
+ self.c2_attribution_data_items_friendly_names = {
340
+ 'actor_ipv4': 'Actor IPv4',
341
+ 'c2_domain': 'C2 Domain',
342
+ 'c2_ip': 'C2 IP',
343
+ 'c2_url': 'C2 URL',
344
+ 'datetime': 'DateTime',
345
+ 'email': 'Email',
346
+ 'email_domain': 'Email Domain',
347
+ 'referrer_domain': 'Referrer Domain',
348
+ 'referrer_ipv4': 'Referrer IPv4',
349
+ 'referrer_url': 'Referrer URL',
350
+ 'sha256': 'SHA256'
351
+ }
352
+
353
+ self.device_geo_data_items = [
354
+ 'datetime',
355
+ 'device_user_agent',
356
+ 'geo_country_alpha_2',
357
+ 'geo_horizontal_accuracy',
358
+ 'ipv4',
359
+ 'ipv6',
360
+ 'latitude',
361
+ 'longitude',
362
+ 'wifi_bssid'
363
+ ]
364
+
365
+ self.device_geo_data_items_friendly_names = {
366
+ 'datetime': 'DateTime',
367
+ 'device_user_agent': 'Device User Agent',
368
+ 'geo_country_alpha_2': 'Alpha-2 Code',
369
+ 'geo_horizontal_accuracy': 'GPS Horizontal Accuracy',
370
+ 'ipv4': 'IPv4 Address',
371
+ 'ipv6': 'IPv6 Address',
372
+ 'latitude': 'Latitude',
373
+ 'longitude': 'Longitude',
374
+ 'wifi_bssid': 'WIFI BSSID'
375
+ }
376
+
377
+ self.dynamic_dns_data_items = [
378
+ 'a_record',
379
+ 'account',
380
+ 'created',
381
+ 'created_ip',
382
+ 'domain',
383
+ 'domain_creator_ip',
384
+ 'email',
385
+ ]
386
+
387
+ self.dynamic_dns_data_items_friendly_names = {
388
+ 'a_record': 'A Record',
389
+ 'account': 'Account Holder',
390
+ 'created': 'Created Date',
391
+ 'created_ip': 'Account Holder IP Address',
392
+ 'domain': 'Domain',
393
+ 'domain_creator_ip': 'Domain Creator IP Address',
394
+ 'email': 'Email Address',
395
+ }
396
+
397
+ self.os_indicators_data_items = [
398
+ 'context',
399
+ 'datetime',
400
+ 'domain',
401
+ 'domain_2tld',
402
+ 'first_seen',
403
+ 'ipv4',
404
+ 'ipv6',
405
+ 'last_seen',
406
+ 'md5',
407
+ 'sha1',
408
+ 'sha256',
409
+ 'source_name',
410
+ 'source_url',
411
+ 'url'
412
+ ]
413
+
414
+ self.os_indicators_data_items_friendly_names = {
415
+ 'context': 'Context',
416
+ 'datetime': 'DateTime',
417
+ 'domain': 'Domain',
418
+ 'domain_2tld': 'Domain 2TLD',
419
+ 'first_seen': 'First Seen',
420
+ 'ipv4': 'IPv4 Address',
421
+ 'ipv6': 'IPv6 Address',
422
+ 'last_seen': 'Last Seen',
423
+ 'md5': 'MD5',
424
+ 'sha1': 'SHA1',
425
+ 'sha256': 'SHA256',
426
+ 'source_name': 'Source Name',
427
+ 'source_url': 'Source URL',
428
+ 'url': 'URL'
429
+ }
430
+
431
+ self.passive_dns_data_items = [
432
+ 'cert_name',
433
+ 'count',
434
+ 'domain',
435
+ 'first_seen',
436
+ 'ip_geo_city_name',
437
+ 'ip_geo_country_iso_code',
438
+ 'ip_geo_country_name',
439
+ 'ip_geo_location_latitude',
440
+ 'ip_geo_location_longitude',
441
+ 'ip_geo_postal_code',
442
+ 'ip_ip',
443
+ 'ip_isp_autonomous_system_number',
444
+ 'ip_isp_autonomous_system_organization',
445
+ 'ip_isp_ip_address',
446
+ 'ip_isp_isp',
447
+ 'ip_isp_organization',
448
+ 'ipv4',
449
+ 'ipv6',
450
+ 'last_seen'
451
+ ]
452
+
453
+ self.passive_dns_data_items_friendly_names = {
454
+ 'cert_name': 'Certificate Provider Name',
455
+ 'count': 'Passive DNS Count',
456
+ 'domain': 'Domain',
457
+ 'first_seen': 'First Seen',
458
+ 'ip_geo_city_name': 'IP Organization City',
459
+ 'ip_geo_country_iso_code': 'IP Organization Country ISO Code',
460
+ 'ip_geo_country_name': 'IP Organization Country Name',
461
+ 'ip_geo_location_latitude': 'IP Organization Latitude',
462
+ 'ip_geo_location_longitude': 'IP Organization Longitude',
463
+ 'ip_geo_postal_code': 'IP Organization Postal Code',
464
+ 'ip_ip': 'IP Address',
465
+ 'ip_isp_autonomous_system_number': 'ASN IP',
466
+ 'ip_isp_autonomous_system_organization': 'ASO IP',
467
+ 'ip_isp_ip_address': 'IP Address',
468
+ 'ip_isp_isp': 'ISP',
469
+ 'ip_isp_organization': 'ISP Organization',
470
+ 'ipv4': 'IPv4 Address',
471
+ 'ipv6': 'IPv6 Address',
472
+ 'last_seen': 'Last Seen'
473
+ }
474
+
475
+ self.passive_hash_data_items = [
476
+ 'domain',
477
+ 'md5_count'
478
+ ]
479
+
480
+ self.passive_hash_data_items_friendly_names = {
481
+ 'domain': 'Domain',
482
+ 'md5_count': 'Passive DNS Count'
483
+ }
484
+
485
+ self.malware_records_data_items = [
486
+ 'datetime',
487
+ 'domain',
488
+ 'ipv4',
489
+ 'ipv6',
490
+ 'md5',
491
+ 'sha1',
492
+ 'sha256'
493
+ ]
494
+
495
+ self.malware_records_data_items_friendly_names = {
496
+ 'datetime': 'DateTime',
497
+ 'domain': 'Domain',
498
+ 'ipv4': 'IPv4 Address',
499
+ 'ipv6': 'IPv6 Address',
500
+ 'md5': 'MD5',
501
+ 'sha1': 'SHA1',
502
+ 'sha256': 'SHA256'
503
+ }
504
+
505
+ self.malware_information_data_items = [
506
+ 'avscan_score',
507
+ 'md5',
508
+ 'av_name',
509
+ 'def_time',
510
+ 'threat_found',
511
+ 'scan_time',
512
+ 'sha1',
513
+ 'sha256',
514
+ 'sha512'
515
+ ]
516
+
517
+ self.malware_information_data_items_friendly_names = {
518
+ 'avscan_score': 'AV Scan Score',
519
+ 'md5': 'MD5',
520
+ 'av_name': 'AV Name',
521
+ 'def_time': 'AV DateTime',
522
+ 'threat_found': 'Source',
523
+ 'scan_time': 'Scan DateTime',
524
+ 'sha1': 'SHA1',
525
+ 'sha256': 'SHA256',
526
+ 'sha512': 'SHA512'
527
+ }
528
+
529
+ self.sinkhole_data_items = [
530
+ 'count',
531
+ 'country_name',
532
+ 'country_code',
533
+ 'data_port',
534
+ 'datetime',
535
+ 'ipv4',
536
+ 'last_seen',
537
+ 'organization_name',
538
+ 'sink_source'
539
+ ]
540
+
541
+ self.sinkhole_data_items_friendly_names = {
542
+ 'count': 'Sinkhole Count',
543
+ 'country_name': 'IP Address Country',
544
+ 'country_code': 'IP Address Country Code',
545
+ 'data_port': 'Data Port',
546
+ 'datetime': 'First Seen',
547
+ 'ipv4': 'IP Address',
548
+ 'last_seen': 'Last Seen',
549
+ 'organization_name': 'ISP Organization',
550
+ 'sink_source': 'Sink Source IP'
551
+ }
552
+
553
+ self.ssl_certificate_data_items = [
554
+ 'ip',
555
+ 'ssl_cert_cert_key',
556
+ 'ssl_cert_expire_date',
557
+ 'ssl_cert_issue_date',
558
+ 'ssl_cert_issuer_commonName',
559
+ 'ssl_cert_issuer_countryName',
560
+ 'ssl_cert_issuer_localityName',
561
+ 'ssl_cert_issuer_organizationName',
562
+ 'ssl_cert_issuer_organizationalUnitName',
563
+ 'ssl_cert_issuer_stateOrProvinceName',
564
+ 'ssl_cert_md5',
565
+ 'ssl_cert_serial_number',
566
+ 'ssl_cert_sha1',
567
+ 'ssl_cert_sha_256',
568
+ 'ssl_cert_sig_algo',
569
+ 'ssl_cert_ssl_version',
570
+ 'ssl_cert_subject_commonName',
571
+ 'ssl_cert_subject_countryName',
572
+ 'ssl_cert_subject_localityName',
573
+ 'ssl_cert_subject_organizationName',
574
+ 'ssl_cert_subject_organizationalUnitName',
575
+ 'ssl_cert_timestamp'
576
+ ]
577
+
578
+ self.ssl_certificate_data_items_friendly_names = {
579
+ 'ip': 'IP Address',
580
+ 'ssl_cert_cert_key': 'Certificate Key',
581
+ 'ssl_cert_expire_date': 'Certificate Expiration Date',
582
+ 'ssl_cert_issue_date': 'Certificate Issue Date',
583
+ 'ssl_cert_issuer_commonName': 'Issuer Common Name',
584
+ 'ssl_cert_issuer_countryName': 'Issuer Country Name',
585
+ 'ssl_cert_issuer_localityName': 'Issuer City Name',
586
+ 'ssl_cert_issuer_organizationName': 'Issuer Organization Name',
587
+ 'ssl_cert_issuer_organizationalUnitName': 'Issuer Organization Unit Name',
588
+ 'ssl_cert_issuer_stateOrProvinceName': 'Issuer State or Province Name',
589
+ 'ssl_cert_md5': 'Certificate MD5',
590
+ 'ssl_cert_serial_number': 'Certificate Serial Number',
591
+ 'ssl_cert_sha1': 'Certificate SHA1',
592
+ 'ssl_cert_sha_256': 'Certificate SHA256',
593
+ 'ssl_cert_sig_algo': 'Certificate Signature Algorithm',
594
+ 'ssl_cert_ssl_version': 'SSL Version',
595
+ 'ssl_cert_subject_commonName': 'Reciever Subject Name',
596
+ 'ssl_cert_subject_countryName': 'Receiver Country Name',
597
+ 'ssl_cert_subject_localityName': 'Receiver City Name',
598
+ 'ssl_cert_subject_organizationName': 'Receiver Organization Name',
599
+ 'ssl_cert_subject_organizationalUnitName': 'Receiver Organization Unit Name',
600
+ 'ssl_cert_timestamp': 'Certificate DateTime'
601
+ }
602
+
603
+ self.whois_historic_data_items = [
604
+ 'abuse_emails',
605
+ 'address',
606
+ 'city',
607
+ 'country',
608
+ 'datetime',
609
+ 'domain',
610
+ 'domain_2tld',
611
+ 'domain_created_datetime',
612
+ 'domain_expires_datetime',
613
+ 'domain_updated_datetime',
614
+ 'email',
615
+ 'idn_name',
616
+ 'name',
617
+ 'nameserver',
618
+ 'organization',
619
+ 'phone',
620
+ 'privacy_punch',
621
+ 'registrar'
622
+ ]
623
+
624
+ self.whois_historic_data_items_friendly_names = {
625
+ 'abuse_emails': 'Abuse Emails',
626
+ 'address': 'Address',
627
+ 'city': 'City',
628
+ 'country': 'Country',
629
+ 'datetime': 'Datetime',
630
+ 'domain': 'Domain',
631
+ 'domain_2tld': 'Domain 2tld',
632
+ 'domain_created_datetime': 'Domain Created Time',
633
+ 'domain_expires_datetime': 'Domain Expires Time',
634
+ 'domain_updated_datetime': 'Domain Updated Time',
635
+ 'email': 'Email Address',
636
+ 'idn_name': 'IDN Name',
637
+ 'name': 'Name',
638
+ 'nameserver': 'Nameserver',
639
+ 'organization': 'Organization',
640
+ 'phone': 'Phone Info',
641
+ 'privacy_punch': 'Privacy Punch',
642
+ 'registrar': 'Registrar'
643
+ }
644
+
645
+ self.whois_current_data_items = [
646
+ 'abuse_emails',
647
+ 'address',
648
+ 'city',
649
+ 'country',
650
+ 'datetime',
651
+ 'domain',
652
+ 'domain_2tld',
653
+ 'domain_created_datetime',
654
+ 'domain_expires_datetime',
655
+ 'domain_updated_datetime',
656
+ 'email',
657
+ 'idn_name',
658
+ 'name',
659
+ 'nameserver',
660
+ 'organization',
661
+ 'phone',
662
+ 'privacy_punch',
663
+ 'registrar',
664
+ 'state'
665
+ ]
666
+
667
+ self.whois_current_data_items_friendly_names = {
668
+ 'abuse_emails': 'Abuse Emails',
669
+ 'address': 'Address',
670
+ 'city': 'City',
671
+ 'country': 'Country',
672
+ 'datetime': 'Datetime',
673
+ 'domain': 'Domain',
674
+ 'domain_2tld': 'Domain 2tld',
675
+ 'domain_created_datetime': 'Domain Created Time',
676
+ 'domain_expires_datetime': 'Domain Expires Time',
677
+ 'domain_updated_datetime': 'Domain Updated Time',
678
+ 'email': 'Email Address',
679
+ 'idn_name': 'IDN Name',
680
+ 'name': 'Name',
681
+ 'nameserver': 'Nameserver',
682
+ 'organization': 'Organization',
683
+ 'phone': 'Phone',
684
+ 'privacy_punch': 'Privacy Punch',
685
+ 'registrar': 'Registrar',
686
+ 'state': 'State'
687
+ }
688
+
689
+ def create_misp_attributes_and_objects(self, response, endpoint, attribute_value):
690
+ flatten_json_response = get_flatten_json_response(response)
691
+ data_items: List[str] = []
692
+ data_items_friendly_names: Dict[str, str] = {}
693
+ if endpoint == DEVICE_GEO_ENDPOINT:
694
+ data_items: List[str] = self.device_geo_data_items
695
+ data_items_friendly_names: Dict[str, str] = self.device_geo_data_items_friendly_names
696
+ elif endpoint == DYNAMIC_DNS_ENDPOINT:
697
+ data_items: List[str] = self.dynamic_dns_data_items
698
+ data_items_friendly_names: Dict[str, str] = self.dynamic_dns_data_items_friendly_names
699
+ elif endpoint == PASSIVE_DNS_ENDPOINT:
700
+ data_items: List[str] = self.passive_dns_data_items
701
+ data_items_friendly_names: Dict[str, str] = self.passive_dns_data_items_friendly_names
702
+ elif endpoint == PASSIVE_HASH_ENDPOINT:
703
+ data_items: List[str] = self.passive_hash_data_items
704
+ data_items_friendly_names: Dict[str, str] = self.passive_hash_data_items_friendly_names
705
+ elif endpoint == SINKHOLE_ENDPOINT:
706
+ data_items: List[str] = self.sinkhole_data_items
707
+ data_items_friendly_names: Dict[str, str] = self.sinkhole_data_items_friendly_names
708
+ elif endpoint == WHOIS_HISTORIC_ENDPOINT:
709
+ data_items = self.whois_historic_data_items
710
+ data_items_friendly_names = self.whois_historic_data_items_friendly_names
711
+ elif endpoint == WHOIS_CURRENT_ENDPOINT:
712
+ data_items: List[str] = self.whois_current_data_items
713
+ data_items_friendly_names: Dict[str, str] = self.whois_current_data_items_friendly_names
714
+ elif endpoint == SSL_CERTIFICATE_ENDPOINT:
715
+ data_items: List[str] = self.ssl_certificate_data_items
716
+ data_items_friendly_names: Dict[str, str] = self.ssl_certificate_data_items_friendly_names
717
+ elif endpoint == MALWARE_INFORMATION_ENDPOINT:
718
+ data_items: List[str] = self.malware_information_data_items
719
+ data_items_friendly_names = self.malware_information_data_items_friendly_names
720
+ elif endpoint == MALWARE_RECORDS_ENDPOINT:
721
+ data_items: List[str] = self.malware_records_data_items
722
+ data_items_friendly_names = self.malware_records_data_items_friendly_names
723
+ elif endpoint == OPEN_SOURCE_INDICATORS_ENDPOINT:
724
+ data_items: List[str] = self.os_indicators_data_items
725
+ data_items_friendly_names = self.os_indicators_data_items_friendly_names
726
+ elif endpoint == C2ATTRIBUTION_ENDPOINT:
727
+ data_items: List[str] = self.c2_attribution_data_items
728
+ data_items_friendly_names = self.c2_attribution_data_items_friendly_names
729
+
730
+ for result in flatten_json_response:
731
+ hyas_object = misp_object(endpoint, attribute_value)
732
+ for data_item in result.keys():
733
+ if data_item in data_items:
734
+ data_item_text = data_items_friendly_names[data_item]
735
+ data_item_value = str(result[data_item])
736
+ hyas_object.add_attribute(
737
+ **parse_attribute(hyas_object.comment, data_item_text, data_item_value))
738
+ hyas_object.add_reference(self.attribute['uuid'], 'related-to')
739
+ self.misp_event.add_object(hyas_object)
740
+
741
+ def get_results(self):
742
+ """returns the dictionary object to MISP Instance"""
743
+ event = json.loads(self.misp_event.to_json())
744
+ results = {key: event[key] for key in ('Attribute', 'Object')}
745
+ return {'results': results}
746
+
747
+
748
+ def handler(q=False):
749
+ """The function which accepts a JSON document to expand the values and return a dictionary of the expanded
750
+ values. """
751
+ if q is False:
752
+ return False
753
+ request = json.loads(q)
754
+ # check if the apikey is provided
755
+ if not request.get('config') or not request['config'].get('apikey'):
756
+ misperrors['error'] = 'HYAS Insight apikey is missing'
757
+ return misperrors
758
+ apikey = request['config'].get('apikey')
759
+ # check attribute is added to the event
760
+ if not request.get('attribute') or not check_input_attribute(request['attribute']):
761
+ return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
762
+
763
+ attribute = request['attribute']
764
+ attribute_type = attribute['type']
765
+ attribute_value = attribute['value']
766
+
767
+ # check if the attribute type is supported by IPQualityScore
768
+ if attribute_type not in mispattributes['input']:
769
+ return {'error': 'Unsupported attributes type for HYAS Insight Enrichment'}
770
+ request_handler = RequestHandler(apikey)
771
+ parser = HyasInsightParser(attribute)
772
+ has_results = False
773
+ if attribute_type in ip_query_input_type:
774
+ ip_param = ''
775
+ for endpoint in HYAS_IP_ENRICHMENT_ENDPOINTS_LIST:
776
+ if endpoint == DEVICE_GEO_ENDPOINT:
777
+ if re.match(IPV4_REGEX, attribute_value):
778
+ ip_param = IPV4_PARAM
779
+ elif re.match(IPV6_REGEX, attribute_value):
780
+ ip_param = IPV6_PARAM
781
+ elif endpoint == PASSIVE_HASH_ENDPOINT:
782
+ ip_param = IPV4_PARAM
783
+ elif endpoint == SINKHOLE_ENDPOINT:
784
+ ip_param = IPV4_PARAM
785
+ elif endpoint == MALWARE_RECORDS_ENDPOINT:
786
+ ip_param = IPV4_PARAM
787
+ else:
788
+ ip_param = IP_PARAM
789
+ enrich_response = request_handler.hyas_lookup(endpoint, ip_param, attribute_value)
790
+ if endpoint == SSL_CERTIFICATE_ENDPOINT:
791
+ enrich_response = enrich_response.get('ssl_certs')
792
+ if enrich_response:
793
+ has_results = True
794
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
795
+ elif attribute_type in domain_query_input_type:
796
+ for endpoint in HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST:
797
+ if not endpoint == WHOIS_CURRENT_ENDPOINT:
798
+ enrich_response = request_handler.hyas_lookup(endpoint, DOMAIN_PARAM, attribute_value)
799
+ else:
800
+ enrich_response = request_handler.hyas_lookup(endpoint, DOMAIN_PARAM, attribute_value,
801
+ endpoint == WHOIS_CURRENT_ENDPOINT)
802
+ enrich_response = enrich_response.get('items')
803
+ if enrich_response:
804
+ has_results = True
805
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
806
+ elif attribute_type in email_query_input_type:
807
+ for endpoint in HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST:
808
+ enrich_response = request_handler.hyas_lookup(endpoint, EMAIL_PARAM, attribute_value)
809
+ if enrich_response:
810
+ has_results = True
811
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
812
+ elif attribute_type in phone_query_input_type:
813
+ for endpoint in HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST:
814
+ enrich_response = request_handler.hyas_lookup(endpoint, PHONE_PARAM, attribute_value)
815
+ if enrich_response:
816
+ has_results = True
817
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
818
+ elif attribute_type in md5_query_input_type:
819
+ md5_param = MD5_PARAM
820
+ for endpoint in HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST:
821
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
822
+ md5_param = HASH_PARAM
823
+ enrich_response = request_handler.hyas_lookup(endpoint, md5_param, attribute_value)
824
+ if enrich_response:
825
+ has_results = True
826
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
827
+ enrich_response = malware_info_lookup_to_markdown(enrich_response)
828
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
829
+ elif attribute_type in sha1_query_input_type:
830
+ sha1_param = SHA1_PARAM
831
+ for endpoint in HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST:
832
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
833
+ sha1_param = HASH_PARAM
834
+ elif endpoint == SSL_CERTIFICATE_ENDPOINT:
835
+ sha1_param = HASH_PARAM
836
+ enrich_response = request_handler.hyas_lookup(endpoint, sha1_param, attribute_value)
837
+
838
+ if enrich_response:
839
+ has_results = True
840
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
841
+ enrich_response = malware_info_lookup_to_markdown(enrich_response)
842
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
843
+ elif attribute_type in sha256_query_input_type:
844
+ sha256_param = SHA256_PARAM
845
+ for endpoint in HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST:
846
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
847
+ sha256_param = HASH_PARAM
848
+ enrich_response = request_handler.hyas_lookup(endpoint, sha256_param, attribute_value)
849
+ if enrich_response:
850
+ has_results = True
851
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
852
+ enrich_response = malware_info_lookup_to_markdown(enrich_response)
853
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
854
+ elif attribute_type in sha512_query_input_type:
855
+ sha512_param = ''
856
+ for endpoint in HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST:
857
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
858
+ sha512_param = HASH_PARAM
859
+ enrich_response = request_handler.hyas_lookup(endpoint, sha512_param, attribute_value)
860
+ if enrich_response:
861
+ has_results = True
862
+ if endpoint == MALWARE_INFORMATION_ENDPOINT:
863
+ enrich_response = malware_info_lookup_to_markdown(enrich_response)
864
+ parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
865
+
866
+ if has_results:
867
+ return parser.get_results()
868
+ else:
869
+ return {'error': 'No records found in HYAS Insight for the provided attribute.'}
870
+
871
+
872
+ def introspection():
873
+ """The function that returns a dict of the supported attributes (input and output) by your expansion module."""
874
+ return mispattributes
875
+
876
+
877
+ def version():
878
+ """The function that returns a dict with the version and the associated meta-data including potential
879
+ configurations required of the module. """
880
+ moduleinfo['config'] = moduleconfig
881
+ return moduleinfo