misp-modules 3.0.6__tar.gz → 3.0.8__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {misp_modules-3.0.6 → misp_modules-3.0.8}/PKG-INFO +29 -23
- {misp_modules-3.0.6 → misp_modules-3.0.8}/README.md +17 -12
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/__main__.py +1 -1
- misp_modules-3.0.8/misp_modules/modules/expansion/alphaMountain.py +232 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/docx_enrich.py +1 -1
- misp_modules-3.0.8/misp_modules/modules/expansion/email_security_check.py +224 -0
- misp_modules-3.0.8/misp_modules/modules/expansion/greynoise.py +343 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/html_to_markdown.py +39 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/jinja_template_rendering.py +3 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/joesandbox_submit.py +1 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/ocr_enrich.py +1 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/ods_enrich.py +1 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/odt_enrich.py +1 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/pdf_enrich.py +1 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/pptx_enrich.py +1 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/qrcode.py +1 -2
- misp_modules-3.0.8/misp_modules/modules/expansion/ransomlook.py +196 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/reversinglabs_spectra_analyze.py +10 -1
- misp_modules-3.0.8/misp_modules/modules/expansion/socradar_lookup.py +479 -0
- misp_modules-3.0.8/misp_modules/modules/expansion/ssh_fingerprint.py +156 -0
- misp_modules-3.0.8/misp_modules/modules/expansion/tls_certificate_check.py +185 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/vysion.py +32 -5
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/xlsx_enrich.py +1 -1
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/email_import.py +12 -3
- misp_modules-3.0.8/misp_modules/modules/import_mod/socradar_taxii_feed.py +579 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/taxii21.py +3 -2
- {misp_modules-3.0.6 → misp_modules-3.0.8}/pyproject.toml +16 -16
- misp_modules-3.0.6/misp_modules/modules/expansion/greynoise.py +0 -367
- {misp_modules-3.0.6 → misp_modules-3.0.8}/LICENSE +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/ODTReader/LICENSE +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/ODTReader/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/ODTReader/odtreader.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/ODTReader/win32_unicode_argv.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/_vmray/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/_vmray/parser.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/_vmray/rest_api.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/anyrun_sandbox/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/anyrun_sandbox/config.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/anyrun_sandbox/parser.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/anyrun_sandbox/submitter.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/cof2misp/LICENSE-2.0.txt +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/cof2misp/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/cof2misp/cof.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/dnstrails/LICENSE +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/dnstrails/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/dnstrails/api.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/dnstrails/exception.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/joe_mapping.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/joe_parser.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/lastline_api.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/onyphe/LICENSE +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/onyphe/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/onyphe/client.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/onyphe/exception.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/qintel_helper.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/synonymsToTagNames.json +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/errors.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/helpers/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/helpers/parsers.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/helpers/rules.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/helpers/wrappers.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/importers/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/importers/base.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/lib/vt_graph_parser/importers/pymisp_response.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/action_mod/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/action_mod/_utils/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/action_mod/_utils/utils.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/action_mod/export_sentinel.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/action_mod/mattermost.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/action_mod/nextcloud_talk.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/action_mod/slack.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/action_mod/testaction.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_assemblyline_api.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_dnsdb_query/COPYRIGHT +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_dnsdb_query/LICENSE +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_dnsdb_query/README.md +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_dnsdb_query/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_ransomcoindb/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_ransomcoindb/ransomcoindb.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_vulnerability_parser/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/_vulnerability_parser/vulnerability_parser.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/abuseipdb.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/anyrun_sandbox_submit.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/apiosintds.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/apivoid.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/assemblyline_query.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/assemblyline_submit.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/backscatter_io.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/btc_scam_check.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/btc_steroids.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/censys_enrich.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/circl_passivedns.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/circl_passivessl.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/clamav.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/cluster25_expand.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/convert_markdown_to_pdf.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/countrycode.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/cpe.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/crowdsec.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/crowdstrike_falcon.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/cuckoo_submit.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/cve.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/cve_advanced.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/cytomic_orion.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/dbl_spamhaus.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/dns.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/domaintools.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/eql.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/eupi.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/extract_url_components.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/farsight_passivedns.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/geoip_asn.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/geoip_city.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/geoip_country.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/google_safe_browsing.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/google_threat_intelligence.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/hashdd.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/hashlookup.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/hibp.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/hyasinsight.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/intel471.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/intelmq_eventdb.py.experimental +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/ip2locationio.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/ipasn.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/ipinfo.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/iprep.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/joesandbox_query.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/lastline_query.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/lastline_submit.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/macaddress_io.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/macvendors.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/malshare_upload.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/malwarebazaar.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/mcafee_insights_enrich.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/mmdb_lookup.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/module.py.skeleton +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/module_misp_standard.py.skeleton +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/mwdb.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/onion_lookup.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/onyphe.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/onyphe_full.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/otx.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/passive_ssh.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/passivetotal.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/qintel_qsentry.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/ransomcoindb.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/rapid7_attackerkb.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/rbl.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/recordedfuture.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/reversedns.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/securitytrails.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/shodan.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/sigma_queries.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/sigma_syntax_validator.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/sigmf_expand.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/socialscan.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/sophoslabs_intelix.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/sourcecache.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/stairwell.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/threatcrowd.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/threatfox.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/threatminer.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/triage_submit.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/trustar_enrich.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/urlhaus.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/urlscan.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/validin.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/variotdbs.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/virustotal.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/virustotal_public.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/virustotal_upload.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/vmray_submit.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/vmware_nsx.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/vulndb.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/vulnerability_lookup.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/vulners.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/whois.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/whoisfreaks.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/wiki.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/xforceexchange.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/yara_query.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/yara_syntax_validator.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/expansion/yeti.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/cef_export.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/defender_endpoint_export.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/goamlexport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/liteexport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/mass_eql_export.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/nexthinkexport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/osqueryexport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/pdfexport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/testexport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/threatStream_misp_export.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/threat_connect_export.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/virustotal_collections.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/vt_graph.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/export_mod/yara_export.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/__init__.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/anyrun_sandbox_import.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/cof2misp.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/csvimport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/cuckooimport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/goamlimport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/import_blueprint.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/joe_import.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/lastline_import.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/mispjson.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/ocr.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/openiocimport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/testimport.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/threatanalyzer_import.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/url_import.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/vmray_import.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/modules/import_mod/vmray_summary_json_import.py +0 -0
- {misp_modules-3.0.6 → misp_modules-3.0.8}/misp_modules/openapi.py +0 -0
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: misp-modules
|
|
3
|
-
Version: 3.0.
|
|
3
|
+
Version: 3.0.8
|
|
4
4
|
Summary: MISP modules are autonomous modules that can be used for expansion and other services in MISP
|
|
5
5
|
License-Expression: AGPL-3.0-only
|
|
6
6
|
License-File: LICENSE
|
|
7
7
|
Author: Alexandre Dulaunoy
|
|
8
8
|
Author-email: alexandre.dulaunoy@circl.lu
|
|
9
|
-
Requires-Python: >=3.
|
|
9
|
+
Requires-Python: >=3.10,<4.0
|
|
10
10
|
Classifier: License :: OSI Approved :: GNU Affero General Public License v3
|
|
11
11
|
Classifier: Development Status :: 5 - Production/Stable
|
|
12
12
|
Classifier: Environment :: Console
|
|
@@ -15,7 +15,7 @@ Classifier: Programming Language :: Python :: 3
|
|
|
15
15
|
Classifier: Topic :: Security
|
|
16
16
|
Provides-Extra: all
|
|
17
17
|
Provides-Extra: minimal
|
|
18
|
-
Requires-Dist: anyrun-sdk (>=1.10.10,<2.0.0)
|
|
18
|
+
Requires-Dist: anyrun-sdk (>=1.10.10,<2.0.0) ; extra == "all"
|
|
19
19
|
Requires-Dist: apiosintds ; extra == "all"
|
|
20
20
|
Requires-Dist: assemblyline_client ; extra == "all"
|
|
21
21
|
Requires-Dist: backscatter ; extra == "all"
|
|
@@ -27,6 +27,7 @@ Requires-Dist: censys (==2.0.9) ; extra == "all"
|
|
|
27
27
|
Requires-Dist: censys (==2.0.9) ; extra == "minimal"
|
|
28
28
|
Requires-Dist: clamd ; extra == "all"
|
|
29
29
|
Requires-Dist: clamd ; extra == "minimal"
|
|
30
|
+
Requires-Dist: click (==8.1.8)
|
|
30
31
|
Requires-Dist: crowdstrike-falconpy ; extra == "all"
|
|
31
32
|
Requires-Dist: crowdstrike-falconpy ; extra == "minimal"
|
|
32
33
|
Requires-Dist: dnsdb2 ; extra == "all"
|
|
@@ -40,6 +41,8 @@ Requires-Dist: greynoise ; extra == "minimal"
|
|
|
40
41
|
Requires-Dist: jbxapi ; extra == "all"
|
|
41
42
|
Requires-Dist: jbxapi ; extra == "minimal"
|
|
42
43
|
Requires-Dist: jinja2
|
|
44
|
+
Requires-Dist: lief (>=0.17.6) ; extra == "all"
|
|
45
|
+
Requires-Dist: lxml (>=6.1.1) ; extra == "all"
|
|
43
46
|
Requires-Dist: maclookup ; extra == "all"
|
|
44
47
|
Requires-Dist: maclookup ; extra == "minimal"
|
|
45
48
|
Requires-Dist: markdownify
|
|
@@ -47,19 +50,17 @@ Requires-Dist: matplotlib ; extra == "all"
|
|
|
47
50
|
Requires-Dist: matplotlib ; extra == "minimal"
|
|
48
51
|
Requires-Dist: mattermostdriver ; extra == "all"
|
|
49
52
|
Requires-Dist: mattermostdriver ; extra == "minimal"
|
|
50
|
-
Requires-Dist: misp-
|
|
51
|
-
Requires-Dist: misp-stix (>=2025.1.10) ; extra == "all"
|
|
53
|
+
Requires-Dist: misp-stix (>=2026.6.1) ; extra == "all"
|
|
52
54
|
Requires-Dist: mwdblib ; extra == "all"
|
|
53
55
|
Requires-Dist: ndjson ; extra == "all"
|
|
54
56
|
Requires-Dist: ndjson ; extra == "minimal"
|
|
55
|
-
Requires-Dist:
|
|
56
|
-
Requires-Dist: numpy (>=1.26.4,<2.0.0) ; extra == "all"
|
|
57
|
+
Requires-Dist: numpy (>=2.0.0) ; extra == "all"
|
|
57
58
|
Requires-Dist: oauth2 ; extra == "all"
|
|
58
59
|
Requires-Dist: oauth2 ; extra == "minimal"
|
|
59
60
|
Requires-Dist: opencv-python ; extra == "all"
|
|
60
61
|
Requires-Dist: openpyxl ; extra == "all"
|
|
61
|
-
Requires-Dist: orjson
|
|
62
|
-
Requires-Dist: pandas (>=2.0.0) ; extra == "all"
|
|
62
|
+
Requires-Dist: orjson (>=3.11.9)
|
|
63
|
+
Requires-Dist: pandas (>=2.0.0,<3.0.0) ; extra == "all"
|
|
63
64
|
Requires-Dist: pandas_ods_reader (>=1.0.0) ; extra == "all"
|
|
64
65
|
Requires-Dist: pandoc ; extra == "all"
|
|
65
66
|
Requires-Dist: passivetotal ; extra == "all"
|
|
@@ -79,8 +80,8 @@ Requires-Dist: pyintel471 ; extra == "all"
|
|
|
79
80
|
Requires-Dist: pyintel471 ; extra == "minimal"
|
|
80
81
|
Requires-Dist: pyipasnhistory ; extra == "all"
|
|
81
82
|
Requires-Dist: pyipasnhistory ; extra == "minimal"
|
|
82
|
-
Requires-Dist: pymisp
|
|
83
|
-
Requires-Dist: pymisp[email,fileobjects,openioc,pdfexport] ; extra == "all"
|
|
83
|
+
Requires-Dist: pymisp (>=2.5.34.1)
|
|
84
|
+
Requires-Dist: pymisp[email,fileobjects,openioc,pdfexport] (>=2.5.34.1) ; extra == "all"
|
|
84
85
|
Requires-Dist: pypdns ; extra == "all"
|
|
85
86
|
Requires-Dist: pypdns ; extra == "minimal"
|
|
86
87
|
Requires-Dist: pypssl ; extra == "all"
|
|
@@ -135,18 +136,19 @@ Description-Content-Type: text/markdown
|
|
|
135
136
|
|
|
136
137
|
MISP modules are autonomous modules that can be used to extend [MISP](https://github.com/MISP/MISP) for new services such as expansion, import, export and workflow action.
|
|
137
138
|
|
|
138
|
-
MISP modules can be also installed and used without MISP as a [standalone tool accessible via a convenient web interface](./website).
|
|
139
|
+
MISP modules can be also installed and used without [MISP](https://misp-project.org/) as a [standalone tool accessible via a convenient web interface](./website) or using a [cli tool](https://github.com/MISP/misp-modules-cli).
|
|
139
140
|
|
|
140
|
-
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities
|
|
141
|
-
without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration and can be used with other tools.
|
|
141
|
+
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration and can be used with other tools. The API is also documented automatically via an OpenAPI end-point or a swagger file.
|
|
142
142
|
|
|
143
143
|
For more information: [Extending MISP with Python modules](https://www.misp-project.org/misp-training/3.1-misp-modules.pdf) slides from [MISP training](https://github.com/MISP/misp-training).
|
|
144
144
|
|
|
145
145
|
# Installation
|
|
146
|
+
|
|
146
147
|
Installation instructions can be found in the [installation documentation](https://misp.github.io/misp-modules/install/).
|
|
147
148
|
|
|
148
149
|
# How to add your own MISP modules?
|
|
149
|
-
|
|
150
|
+
|
|
151
|
+
Developing a MISP module yourself is fairly easy. Start with a template or existing module and continue from there.
|
|
150
152
|
More information can be found in the [contribute](https://misp.github.io/misp-modules/contribute/) section of the documentation.
|
|
151
153
|
|
|
152
154
|
# Documentation
|
|
@@ -169,9 +171,9 @@ The specification is generated during service startup, so restart `misp-modules`
|
|
|
169
171
|
## Licenses
|
|
170
172
|
For further Information see the [license file](https://misp.github.io/misp-modules/license/).
|
|
171
173
|
|
|
172
|
-
|
|
174
|
+
## Existing MISP modules
|
|
173
175
|
|
|
174
|
-
|
|
176
|
+
### Expansion Modules
|
|
175
177
|
* [Abuse IPDB](https://misp.github.io/misp-modules/expansion/#abuse-ipdb) - AbuseIPDB MISP expansion module
|
|
176
178
|
* [ANYRUN Sandbox Submit](https://misp.github.io/misp-modules/expansion/#anyrun-sandbox-submit) - A module designed to submit URLs or files to the ANY.RUN Sandbox for analysis and return the unique analysis link and ID.
|
|
177
179
|
* [OSINT DigitalSide](https://misp.github.io/misp-modules/expansion/#osint-digitalside) - On demand query API for OSINT.digitalside.it project.
|
|
@@ -218,7 +220,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
218
220
|
* [IP2Location.io Lookup](https://misp.github.io/misp-modules/expansion/#ip2location.io-lookup) - An expansion module to query IP2Location.io to gather more information on a given IP address.
|
|
219
221
|
* [IPASN-History Lookup](https://misp.github.io/misp-modules/expansion/#ipasn-history-lookup) - Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).
|
|
220
222
|
* [IPInfo.io Lookup](https://misp.github.io/misp-modules/expansion/#ipinfo.io-lookup) - An expansion module to query ipinfo.io to gather more information on a given IP address.
|
|
221
|
-
* [IPQualityScore Lookup](https://misp.github.io/misp-modules/expansion/#ipqualityscore-lookup) - IPQualityScore MISP Expansion Module for IP reputation,
|
|
223
|
+
* [IPQualityScore Lookup](https://misp.github.io/misp-modules/expansion/#ipqualityscore-lookup) - IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain,Malicious URL Scanner,Malicious File Scanner & Compromised username, Password, Email
|
|
222
224
|
* [IPRep Lookup](https://misp.github.io/misp-modules/expansion/#iprep-lookup) - Module to query IPRep data for IP addresses.
|
|
223
225
|
* [Ninja Template Rendering](https://misp.github.io/misp-modules/expansion/#ninja-template-rendering) - Render the template with the data passed
|
|
224
226
|
* [Joe Sandbox Import](https://misp.github.io/misp-modules/expansion/#joe-sandbox-import) - Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.
|
|
@@ -244,12 +246,13 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
244
246
|
* [PDF Enrich](https://misp.github.io/misp-modules/expansion/#pdf-enrich) - Module to extract freetext from a PDF document.
|
|
245
247
|
* [PPTX Enrich](https://misp.github.io/misp-modules/expansion/#pptx-enrich) - Module to extract freetext from a .pptx document.
|
|
246
248
|
* [Qintel QSentry Lookup](https://misp.github.io/misp-modules/expansion/#qintel-qsentry-lookup) - A hover and expansion module which queries Qintel QSentry for ip reputation data
|
|
247
|
-
* [QR Code Decode](https://misp.github.io/misp-modules/expansion/#qr-code-decode) -
|
|
249
|
+
* [QR Code Decode](https://misp.github.io/misp-modules/expansion/#qr-code-decode) - Decode QR codes from attachments OR remote URLs (Anti-Quishing).
|
|
248
250
|
* [RandomcoinDB Lookup](https://misp.github.io/misp-modules/expansion/#randomcoindb-lookup) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
|
|
249
|
-
* [
|
|
251
|
+
* [Rapid7 AttackerKB lookup](https://misp.github.io/misp-modules/expansion/#rapid7-attackerkb-lookup) - Module to lookup CVE attributes in Rapid7 AttackerKB.
|
|
250
252
|
* [Real-time Blackhost Lists Lookup](https://misp.github.io/misp-modules/expansion/#real-time-blackhost-lists-lookup) - Module to check an IPv4 address against known RBLs.
|
|
251
253
|
* [Recorded Future Enrich](https://misp.github.io/misp-modules/expansion/#recorded-future-enrich) - Module to enrich attributes with threat intelligence from Recorded Future.
|
|
252
254
|
* [Reverse DNS](https://misp.github.io/misp-modules/expansion/#reverse-dns) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
|
|
255
|
+
* [ReversingLabs Spectra Analyze](https://misp.github.io/misp-modules/expansion/#reversinglabs-spectra-analyze) - Threat intelligence enrichment module
|
|
253
256
|
* [SecurityTrails Lookup](https://misp.github.io/misp-modules/expansion/#securitytrails-lookup) - An expansion modules for SecurityTrails.
|
|
254
257
|
* [Shodan Lookup](https://misp.github.io/misp-modules/expansion/#shodan-lookup) - Module to query on Shodan.
|
|
255
258
|
* [Sigma Rule Converter](https://misp.github.io/misp-modules/expansion/#sigma-rule-converter) - An expansion hover module to display the result of sigma queries.
|
|
@@ -267,6 +270,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
267
270
|
* [TruSTAR Enrich](https://misp.github.io/misp-modules/expansion/#trustar-enrich) - Module to get enrich indicators with TruSTAR.
|
|
268
271
|
* [URLhaus Lookup](https://misp.github.io/misp-modules/expansion/#urlhaus-lookup) - Query of the URLhaus API to get additional information about the input attribute.
|
|
269
272
|
* [URLScan Lookup](https://misp.github.io/misp-modules/expansion/#urlscan-lookup) - An expansion module to query urlscan.io.
|
|
273
|
+
* [Validin DNS History](https://misp.github.io/misp-modules/expansion/#validin-dns-history) - Validin internet dataset expansion. Returns dns-records, web crawls, registration (WHOIS) records, and certificates from Validin's historic internet intelligence dataset.
|
|
270
274
|
* [VARIoT db Lookup](https://misp.github.io/misp-modules/expansion/#variot-db-lookup) - An expansion module to query the VARIoT db API for more information about a vulnerability.
|
|
271
275
|
* [VirusTotal v3 Lookup](https://misp.github.io/misp-modules/expansion/#virustotal-v3-lookup) - Enrich observables with the VirusTotal v3 API
|
|
272
276
|
* [VirusTotal Public API Lookup](https://misp.github.io/misp-modules/expansion/#virustotal-public-api-lookup) - Enrich observables with the VirusTotal v3 public API
|
|
@@ -286,7 +290,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
286
290
|
* [YARA Syntax Validator](https://misp.github.io/misp-modules/expansion/#yara-syntax-validator) - An expansion hover module to perform a syntax check on if yara rules are valid or not.
|
|
287
291
|
* [Yeti Lookup](https://misp.github.io/misp-modules/expansion/#yeti-lookup) - Module to process a query on Yeti.
|
|
288
292
|
|
|
289
|
-
|
|
293
|
+
### Export Modules
|
|
290
294
|
* [CEF Export](https://misp.github.io/misp-modules/export_mod/#cef-export) - Module to export a MISP event in CEF format.
|
|
291
295
|
* [Cisco fireSIGHT blockrule Export](https://misp.github.io/misp-modules/export_mod/#cisco-firesight-blockrule-export) - Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.
|
|
292
296
|
* [Microsoft Defender for Endpoint KQL Export](https://misp.github.io/misp-modules/export_mod/#microsoft-defender-for-endpoint-kql-export) - Defender for Endpoint KQL hunting query export module
|
|
@@ -303,7 +307,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
303
307
|
* [VirusTotal Graph Export](https://misp.github.io/misp-modules/export_mod/#virustotal-graph-export) - This module is used to create a VirusTotal Graph from a MISP event.
|
|
304
308
|
* [YARA Rule Export](https://misp.github.io/misp-modules/export_mod/#yara-rule-export) - This module is used to export MISP events to YARA.
|
|
305
309
|
|
|
306
|
-
|
|
310
|
+
### Import Modules
|
|
307
311
|
* [ANYRUN Sandbox Import](https://misp.github.io/misp-modules/import_mod/#anyrun-sandbox-import) - A module designed to retrieve an analysis report from the ANY.RUN Sandbox by its unique ID and extract results (such as verdict, malware tags, and IOCs), converting them into MISP attributes within your event.
|
|
308
312
|
* [PDNS COF Importer](https://misp.github.io/misp-modules/import_mod/#pdns-cof-importer) - Passive DNS Common Output Format (COF) MISP importer
|
|
309
313
|
* [CSV Import](https://misp.github.io/misp-modules/import_mod/#csv-import) - Module to import MISP attributes from a csv file.
|
|
@@ -323,7 +327,8 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
323
327
|
* [VMRay API Import](https://misp.github.io/misp-modules/import_mod/#vmray-api-import) - Module to import VMRay (VTI) results.
|
|
324
328
|
* [VMRay Summary JSON Import](https://misp.github.io/misp-modules/import_mod/#vmray-summary-json-import) - Import a VMRay Summary JSON report.
|
|
325
329
|
|
|
326
|
-
|
|
330
|
+
### Action Modules
|
|
331
|
+
* [Export to Sentinel or Defender](https://misp.github.io/misp-modules/action_mod/#export-to-sentinel-or-defender) - Export indicators to Microsoft Sentinel or Microsoft Defender. Requires an existing installation of MISP2Sentinel or MISP2Defender.
|
|
327
332
|
* [Mattermost](https://misp.github.io/misp-modules/action_mod/#mattermost) - Simplistic module to send message to a Mattermost channel.
|
|
328
333
|
* [Nextcloud talk](https://misp.github.io/misp-modules/action_mod/#nextcloud-talk) - Simplistic module to send a message to a Nextcloud talk conversation.
|
|
329
334
|
* [Slack](https://misp.github.io/misp-modules/action_mod/#slack) - Simplistic module to send messages to a Slack channel.
|
|
@@ -331,3 +336,4 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
331
336
|
|
|
332
337
|
|
|
333
338
|
|
|
339
|
+
|
|
@@ -7,18 +7,19 @@
|
|
|
7
7
|
|
|
8
8
|
MISP modules are autonomous modules that can be used to extend [MISP](https://github.com/MISP/MISP) for new services such as expansion, import, export and workflow action.
|
|
9
9
|
|
|
10
|
-
MISP modules can be also installed and used without MISP as a [standalone tool accessible via a convenient web interface](./website).
|
|
10
|
+
MISP modules can be also installed and used without [MISP](https://misp-project.org/) as a [standalone tool accessible via a convenient web interface](./website) or using a [cli tool](https://github.com/MISP/misp-modules-cli).
|
|
11
11
|
|
|
12
|
-
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities
|
|
13
|
-
without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration and can be used with other tools.
|
|
12
|
+
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration and can be used with other tools. The API is also documented automatically via an OpenAPI end-point or a swagger file.
|
|
14
13
|
|
|
15
14
|
For more information: [Extending MISP with Python modules](https://www.misp-project.org/misp-training/3.1-misp-modules.pdf) slides from [MISP training](https://github.com/MISP/misp-training).
|
|
16
15
|
|
|
17
16
|
# Installation
|
|
17
|
+
|
|
18
18
|
Installation instructions can be found in the [installation documentation](https://misp.github.io/misp-modules/install/).
|
|
19
19
|
|
|
20
20
|
# How to add your own MISP modules?
|
|
21
|
-
|
|
21
|
+
|
|
22
|
+
Developing a MISP module yourself is fairly easy. Start with a template or existing module and continue from there.
|
|
22
23
|
More information can be found in the [contribute](https://misp.github.io/misp-modules/contribute/) section of the documentation.
|
|
23
24
|
|
|
24
25
|
# Documentation
|
|
@@ -41,9 +42,9 @@ The specification is generated during service startup, so restart `misp-modules`
|
|
|
41
42
|
## Licenses
|
|
42
43
|
For further Information see the [license file](https://misp.github.io/misp-modules/license/).
|
|
43
44
|
|
|
44
|
-
|
|
45
|
+
## Existing MISP modules
|
|
45
46
|
|
|
46
|
-
|
|
47
|
+
### Expansion Modules
|
|
47
48
|
* [Abuse IPDB](https://misp.github.io/misp-modules/expansion/#abuse-ipdb) - AbuseIPDB MISP expansion module
|
|
48
49
|
* [ANYRUN Sandbox Submit](https://misp.github.io/misp-modules/expansion/#anyrun-sandbox-submit) - A module designed to submit URLs or files to the ANY.RUN Sandbox for analysis and return the unique analysis link and ID.
|
|
49
50
|
* [OSINT DigitalSide](https://misp.github.io/misp-modules/expansion/#osint-digitalside) - On demand query API for OSINT.digitalside.it project.
|
|
@@ -90,7 +91,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
90
91
|
* [IP2Location.io Lookup](https://misp.github.io/misp-modules/expansion/#ip2location.io-lookup) - An expansion module to query IP2Location.io to gather more information on a given IP address.
|
|
91
92
|
* [IPASN-History Lookup](https://misp.github.io/misp-modules/expansion/#ipasn-history-lookup) - Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).
|
|
92
93
|
* [IPInfo.io Lookup](https://misp.github.io/misp-modules/expansion/#ipinfo.io-lookup) - An expansion module to query ipinfo.io to gather more information on a given IP address.
|
|
93
|
-
* [IPQualityScore Lookup](https://misp.github.io/misp-modules/expansion/#ipqualityscore-lookup) - IPQualityScore MISP Expansion Module for IP reputation,
|
|
94
|
+
* [IPQualityScore Lookup](https://misp.github.io/misp-modules/expansion/#ipqualityscore-lookup) - IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain,Malicious URL Scanner,Malicious File Scanner & Compromised username, Password, Email
|
|
94
95
|
* [IPRep Lookup](https://misp.github.io/misp-modules/expansion/#iprep-lookup) - Module to query IPRep data for IP addresses.
|
|
95
96
|
* [Ninja Template Rendering](https://misp.github.io/misp-modules/expansion/#ninja-template-rendering) - Render the template with the data passed
|
|
96
97
|
* [Joe Sandbox Import](https://misp.github.io/misp-modules/expansion/#joe-sandbox-import) - Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.
|
|
@@ -116,12 +117,13 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
116
117
|
* [PDF Enrich](https://misp.github.io/misp-modules/expansion/#pdf-enrich) - Module to extract freetext from a PDF document.
|
|
117
118
|
* [PPTX Enrich](https://misp.github.io/misp-modules/expansion/#pptx-enrich) - Module to extract freetext from a .pptx document.
|
|
118
119
|
* [Qintel QSentry Lookup](https://misp.github.io/misp-modules/expansion/#qintel-qsentry-lookup) - A hover and expansion module which queries Qintel QSentry for ip reputation data
|
|
119
|
-
* [QR Code Decode](https://misp.github.io/misp-modules/expansion/#qr-code-decode) -
|
|
120
|
+
* [QR Code Decode](https://misp.github.io/misp-modules/expansion/#qr-code-decode) - Decode QR codes from attachments OR remote URLs (Anti-Quishing).
|
|
120
121
|
* [RandomcoinDB Lookup](https://misp.github.io/misp-modules/expansion/#randomcoindb-lookup) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
|
|
121
|
-
* [
|
|
122
|
+
* [Rapid7 AttackerKB lookup](https://misp.github.io/misp-modules/expansion/#rapid7-attackerkb-lookup) - Module to lookup CVE attributes in Rapid7 AttackerKB.
|
|
122
123
|
* [Real-time Blackhost Lists Lookup](https://misp.github.io/misp-modules/expansion/#real-time-blackhost-lists-lookup) - Module to check an IPv4 address against known RBLs.
|
|
123
124
|
* [Recorded Future Enrich](https://misp.github.io/misp-modules/expansion/#recorded-future-enrich) - Module to enrich attributes with threat intelligence from Recorded Future.
|
|
124
125
|
* [Reverse DNS](https://misp.github.io/misp-modules/expansion/#reverse-dns) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
|
|
126
|
+
* [ReversingLabs Spectra Analyze](https://misp.github.io/misp-modules/expansion/#reversinglabs-spectra-analyze) - Threat intelligence enrichment module
|
|
125
127
|
* [SecurityTrails Lookup](https://misp.github.io/misp-modules/expansion/#securitytrails-lookup) - An expansion modules for SecurityTrails.
|
|
126
128
|
* [Shodan Lookup](https://misp.github.io/misp-modules/expansion/#shodan-lookup) - Module to query on Shodan.
|
|
127
129
|
* [Sigma Rule Converter](https://misp.github.io/misp-modules/expansion/#sigma-rule-converter) - An expansion hover module to display the result of sigma queries.
|
|
@@ -139,6 +141,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
139
141
|
* [TruSTAR Enrich](https://misp.github.io/misp-modules/expansion/#trustar-enrich) - Module to get enrich indicators with TruSTAR.
|
|
140
142
|
* [URLhaus Lookup](https://misp.github.io/misp-modules/expansion/#urlhaus-lookup) - Query of the URLhaus API to get additional information about the input attribute.
|
|
141
143
|
* [URLScan Lookup](https://misp.github.io/misp-modules/expansion/#urlscan-lookup) - An expansion module to query urlscan.io.
|
|
144
|
+
* [Validin DNS History](https://misp.github.io/misp-modules/expansion/#validin-dns-history) - Validin internet dataset expansion. Returns dns-records, web crawls, registration (WHOIS) records, and certificates from Validin's historic internet intelligence dataset.
|
|
142
145
|
* [VARIoT db Lookup](https://misp.github.io/misp-modules/expansion/#variot-db-lookup) - An expansion module to query the VARIoT db API for more information about a vulnerability.
|
|
143
146
|
* [VirusTotal v3 Lookup](https://misp.github.io/misp-modules/expansion/#virustotal-v3-lookup) - Enrich observables with the VirusTotal v3 API
|
|
144
147
|
* [VirusTotal Public API Lookup](https://misp.github.io/misp-modules/expansion/#virustotal-public-api-lookup) - Enrich observables with the VirusTotal v3 public API
|
|
@@ -158,7 +161,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
158
161
|
* [YARA Syntax Validator](https://misp.github.io/misp-modules/expansion/#yara-syntax-validator) - An expansion hover module to perform a syntax check on if yara rules are valid or not.
|
|
159
162
|
* [Yeti Lookup](https://misp.github.io/misp-modules/expansion/#yeti-lookup) - Module to process a query on Yeti.
|
|
160
163
|
|
|
161
|
-
|
|
164
|
+
### Export Modules
|
|
162
165
|
* [CEF Export](https://misp.github.io/misp-modules/export_mod/#cef-export) - Module to export a MISP event in CEF format.
|
|
163
166
|
* [Cisco fireSIGHT blockrule Export](https://misp.github.io/misp-modules/export_mod/#cisco-firesight-blockrule-export) - Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.
|
|
164
167
|
* [Microsoft Defender for Endpoint KQL Export](https://misp.github.io/misp-modules/export_mod/#microsoft-defender-for-endpoint-kql-export) - Defender for Endpoint KQL hunting query export module
|
|
@@ -175,7 +178,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
175
178
|
* [VirusTotal Graph Export](https://misp.github.io/misp-modules/export_mod/#virustotal-graph-export) - This module is used to create a VirusTotal Graph from a MISP event.
|
|
176
179
|
* [YARA Rule Export](https://misp.github.io/misp-modules/export_mod/#yara-rule-export) - This module is used to export MISP events to YARA.
|
|
177
180
|
|
|
178
|
-
|
|
181
|
+
### Import Modules
|
|
179
182
|
* [ANYRUN Sandbox Import](https://misp.github.io/misp-modules/import_mod/#anyrun-sandbox-import) - A module designed to retrieve an analysis report from the ANY.RUN Sandbox by its unique ID and extract results (such as verdict, malware tags, and IOCs), converting them into MISP attributes within your event.
|
|
180
183
|
* [PDNS COF Importer](https://misp.github.io/misp-modules/import_mod/#pdns-cof-importer) - Passive DNS Common Output Format (COF) MISP importer
|
|
181
184
|
* [CSV Import](https://misp.github.io/misp-modules/import_mod/#csv-import) - Module to import MISP attributes from a csv file.
|
|
@@ -195,10 +198,12 @@ For further Information see the [license file](https://misp.github.io/misp-modul
|
|
|
195
198
|
* [VMRay API Import](https://misp.github.io/misp-modules/import_mod/#vmray-api-import) - Module to import VMRay (VTI) results.
|
|
196
199
|
* [VMRay Summary JSON Import](https://misp.github.io/misp-modules/import_mod/#vmray-summary-json-import) - Import a VMRay Summary JSON report.
|
|
197
200
|
|
|
198
|
-
|
|
201
|
+
### Action Modules
|
|
202
|
+
* [Export to Sentinel or Defender](https://misp.github.io/misp-modules/action_mod/#export-to-sentinel-or-defender) - Export indicators to Microsoft Sentinel or Microsoft Defender. Requires an existing installation of MISP2Sentinel or MISP2Defender.
|
|
199
203
|
* [Mattermost](https://misp.github.io/misp-modules/action_mod/#mattermost) - Simplistic module to send message to a Mattermost channel.
|
|
200
204
|
* [Nextcloud talk](https://misp.github.io/misp-modules/action_mod/#nextcloud-talk) - Simplistic module to send a message to a Nextcloud talk conversation.
|
|
201
205
|
* [Slack](https://misp.github.io/misp-modules/action_mod/#slack) - Simplistic module to send messages to a Slack channel.
|
|
202
206
|
* [Test action](https://misp.github.io/misp-modules/action_mod/#test-action) - This module is merely a test, always returning true. Triggers on event publishing.
|
|
203
207
|
|
|
204
208
|
|
|
209
|
+
|
|
@@ -0,0 +1,232 @@
|
|
|
1
|
+
import json
|
|
2
|
+
import requests
|
|
3
|
+
|
|
4
|
+
misperrors = {'error': 'Error'}
|
|
5
|
+
mispattributes = {
|
|
6
|
+
'input': ['ip', 'ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'domain', 'hostname', 'url', 'uri', 'link'],
|
|
7
|
+
'output': ['text', 'comment'],
|
|
8
|
+
'format': 'misp_standard',
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
userConfig = {
|
|
12
|
+
"license": {
|
|
13
|
+
"type": "String",
|
|
14
|
+
"errorMessage": "alphaMountain license key is required",
|
|
15
|
+
"message": "Your alphaMountain API license key",
|
|
16
|
+
"required": True,
|
|
17
|
+
},
|
|
18
|
+
"scan_depth": {
|
|
19
|
+
"type": "String",
|
|
20
|
+
"message": "Scan depth: low, medium, or high (default: medium)",
|
|
21
|
+
"default": "medium",
|
|
22
|
+
"required": False,
|
|
23
|
+
},
|
|
24
|
+
"partner_type": {
|
|
25
|
+
"type": "String",
|
|
26
|
+
"message": "Partner type (default: partner.info)",
|
|
27
|
+
"default": "partner.info",
|
|
28
|
+
"required": False,
|
|
29
|
+
},
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
moduleconfig = list(userConfig.keys())
|
|
33
|
+
|
|
34
|
+
moduleinfo = {
|
|
35
|
+
'version': '1.0',
|
|
36
|
+
'author': 'alphaMountain',
|
|
37
|
+
'description': (
|
|
38
|
+
'alphaMountain threat intelligence lookup for IPs, domains, hostnames, and URLs - adds risk score tags'
|
|
39
|
+
),
|
|
40
|
+
'module-type': ['expansion', 'hover'],
|
|
41
|
+
'name': 'alphaMountain_risk',
|
|
42
|
+
'logo': '',
|
|
43
|
+
'requirements': [],
|
|
44
|
+
'features': '',
|
|
45
|
+
'references': [],
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
|
|
49
|
+
def handler(q=False):
|
|
50
|
+
"""Main handler function called by MISP"""
|
|
51
|
+
|
|
52
|
+
if q is False:
|
|
53
|
+
return False
|
|
54
|
+
|
|
55
|
+
try:
|
|
56
|
+
request = json.loads(q)
|
|
57
|
+
except Exception as e:
|
|
58
|
+
return {'error': f'Invalid JSON input: {str(e)}'}
|
|
59
|
+
|
|
60
|
+
if not request.get('config'):
|
|
61
|
+
return {'error': 'Configuration required'}
|
|
62
|
+
|
|
63
|
+
config = request['config']
|
|
64
|
+
if 'license' not in config:
|
|
65
|
+
return {'error': 'License key required in module configuration'}
|
|
66
|
+
|
|
67
|
+
attribute = request.get('attribute')
|
|
68
|
+
if not attribute:
|
|
69
|
+
return {'error': 'No attribute provided'}
|
|
70
|
+
|
|
71
|
+
# Check for required fields for MISP modules
|
|
72
|
+
required_fields = ['type', 'value', 'uuid']
|
|
73
|
+
if not all(field in attribute for field in required_fields):
|
|
74
|
+
return {'error': f'Invalid attribute format, missing fields: {required_fields}'}
|
|
75
|
+
|
|
76
|
+
# Validate attribute type is supported
|
|
77
|
+
if attribute['type'] not in mispattributes['input']:
|
|
78
|
+
return {'error': f'Unsupported attribute type: {attribute["type"]}'}
|
|
79
|
+
|
|
80
|
+
license_key = config['license']
|
|
81
|
+
api_url = 'https://api.alphamountain.ai/threat/uri'
|
|
82
|
+
scan_depth = config.get('scan_depth', 'medium')
|
|
83
|
+
partner_type = config.get('partner_type', 'partner.info')
|
|
84
|
+
|
|
85
|
+
# Map MISP attribute type to alphaMountain API category and extract value
|
|
86
|
+
ioc_value = get_ioc_value(attribute)
|
|
87
|
+
|
|
88
|
+
try:
|
|
89
|
+
threat_data = query_alphamountain_api(api_url, license_key, ioc_value, scan_depth, partner_type)
|
|
90
|
+
|
|
91
|
+
if not threat_data:
|
|
92
|
+
return {'error': 'No data returned from alphaMountain API'}
|
|
93
|
+
|
|
94
|
+
# Create results dictionary - DO NOT include the original attribute
|
|
95
|
+
results = {'Attribute': []}
|
|
96
|
+
|
|
97
|
+
# Process the response and create attributes with tags
|
|
98
|
+
process_threat_response(threat_data, results, attribute)
|
|
99
|
+
|
|
100
|
+
return {'results': results}
|
|
101
|
+
|
|
102
|
+
except requests.RequestException as e:
|
|
103
|
+
return {'error': f'API request failed: {str(e)}'}
|
|
104
|
+
except Exception as e:
|
|
105
|
+
return {'error': f'Processing error: {str(e)}'}
|
|
106
|
+
|
|
107
|
+
|
|
108
|
+
def get_ioc_value(attribute):
|
|
109
|
+
"""Extract IOC value from attribute, handling IPs with ports"""
|
|
110
|
+
attr_type = attribute['type']
|
|
111
|
+
attr_value = attribute['value']
|
|
112
|
+
|
|
113
|
+
# For IP addresses with ports, strip the port (alphaMountain API doesn't support ports)
|
|
114
|
+
if attr_type in ['ip-src|port', 'ip-dst|port']:
|
|
115
|
+
return attr_value.split('|')[0]
|
|
116
|
+
|
|
117
|
+
return attr_value
|
|
118
|
+
|
|
119
|
+
|
|
120
|
+
def query_alphamountain_api(api_url, license_key, ioc_value, scan_depth, partner_type):
|
|
121
|
+
"""Query the alphaMountain API for threat intelligence"""
|
|
122
|
+
|
|
123
|
+
headers = {'Content-Type': 'application/json'}
|
|
124
|
+
payload = {'uri': ioc_value, 'license': license_key, 'version': 1, 'type': partner_type, 'scan_depth': scan_depth}
|
|
125
|
+
|
|
126
|
+
try:
|
|
127
|
+
response = requests.post(api_url, json=payload, headers=headers, timeout=30)
|
|
128
|
+
response.raise_for_status()
|
|
129
|
+
|
|
130
|
+
return response.json()
|
|
131
|
+
|
|
132
|
+
except requests.exceptions.HTTPError as e:
|
|
133
|
+
status = response.status_code if response else "No status"
|
|
134
|
+
body = response.text[:500] if response else "No response body"
|
|
135
|
+
raise ValueError(f"HTTP {status}: {body} - {str(e)}")
|
|
136
|
+
|
|
137
|
+
except requests.exceptions.RequestException as e:
|
|
138
|
+
raise ValueError(f"Request failed: {str(e)}")
|
|
139
|
+
|
|
140
|
+
except Exception as e:
|
|
141
|
+
raise ValueError(f"Unexpected error: {str(e)}")
|
|
142
|
+
|
|
143
|
+
|
|
144
|
+
def process_threat_response(threat_data, results, original_attribute):
|
|
145
|
+
"""Process the API response and apply risk score tag to the original attribute"""
|
|
146
|
+
|
|
147
|
+
# Create tags list - only risk score
|
|
148
|
+
tags = []
|
|
149
|
+
|
|
150
|
+
if not isinstance(threat_data, dict):
|
|
151
|
+
# Add error tag
|
|
152
|
+
tags.append({'name': 'alphaMountain:error', 'colour': '#ff0000'})
|
|
153
|
+
else:
|
|
154
|
+
status = threat_data.get('status', {})
|
|
155
|
+
if status.get('threat') != 'Success':
|
|
156
|
+
tags.append({'name': 'alphaMountain:api-error', 'colour': '#ff0000'})
|
|
157
|
+
else:
|
|
158
|
+
threat_info = threat_data.get('threat', {})
|
|
159
|
+
|
|
160
|
+
if isinstance(threat_info, dict) and threat_info:
|
|
161
|
+
score = threat_info.get('score', 'N/A')
|
|
162
|
+
|
|
163
|
+
# Add risk score tag
|
|
164
|
+
if score != 'N/A':
|
|
165
|
+
try:
|
|
166
|
+
score_float = round(float(score), 2)
|
|
167
|
+
risk_level = get_risk_level(score_float)
|
|
168
|
+
risk_color = get_risk_color(risk_level)
|
|
169
|
+
|
|
170
|
+
# Add specific score tag with full precision
|
|
171
|
+
tags.append({'name': f'alphaMountain:risk-score="{score_float}"', 'colour': risk_color})
|
|
172
|
+
|
|
173
|
+
except (ValueError, TypeError):
|
|
174
|
+
# If score is not a valid number, add a generic tag
|
|
175
|
+
tags.append({'name': 'alphaMountain:risk-score="unknown"', 'colour': '#ffa500'})
|
|
176
|
+
|
|
177
|
+
# If no tags were added, add a no-data tag
|
|
178
|
+
if not tags:
|
|
179
|
+
tags.append({'name': 'alphaMountain:no-data', 'colour': '#ffa500'})
|
|
180
|
+
|
|
181
|
+
# Create enriched attribute with only risk score tag
|
|
182
|
+
enriched_attribute = {
|
|
183
|
+
'type': original_attribute['type'],
|
|
184
|
+
'value': original_attribute['value'],
|
|
185
|
+
'category': original_attribute.get('category', 'Network activity'),
|
|
186
|
+
'to_ids': original_attribute.get('to_ids', False),
|
|
187
|
+
'disable_correlation': original_attribute.get('disable_correlation', False),
|
|
188
|
+
'comment': 'alphaMountain threat intelligence analysis',
|
|
189
|
+
'Tag': tags,
|
|
190
|
+
}
|
|
191
|
+
|
|
192
|
+
results['Attribute'].append(enriched_attribute)
|
|
193
|
+
|
|
194
|
+
|
|
195
|
+
def get_risk_level(score):
|
|
196
|
+
"""Determine risk level based on score"""
|
|
197
|
+
int_score = int(score)
|
|
198
|
+
if int_score >= 8:
|
|
199
|
+
return 'high'
|
|
200
|
+
elif int_score >= 7:
|
|
201
|
+
return 'medium'
|
|
202
|
+
elif int_score >= 6:
|
|
203
|
+
return 'low'
|
|
204
|
+
else:
|
|
205
|
+
return 'minimal'
|
|
206
|
+
|
|
207
|
+
|
|
208
|
+
def get_risk_color(risk_level):
|
|
209
|
+
"""Get color code for risk level"""
|
|
210
|
+
color_map = {
|
|
211
|
+
'high': '#ff0000', # Red
|
|
212
|
+
'medium': '#ffa500', # Orange
|
|
213
|
+
'low': '#ffff00', # Yellow
|
|
214
|
+
'minimal': '#00cc00', # Green
|
|
215
|
+
}
|
|
216
|
+
return color_map.get(risk_level, '#cccccc')
|
|
217
|
+
|
|
218
|
+
|
|
219
|
+
def introspection():
|
|
220
|
+
"""Return module metadata for MISP"""
|
|
221
|
+
modulesetup = {}
|
|
222
|
+
modulesetup['userConfig'] = userConfig
|
|
223
|
+
modulesetup['input'] = mispattributes['input']
|
|
224
|
+
modulesetup['output'] = mispattributes['output']
|
|
225
|
+
modulesetup['format'] = 'misp_standard'
|
|
226
|
+
return modulesetup
|
|
227
|
+
|
|
228
|
+
|
|
229
|
+
def version():
|
|
230
|
+
"""Return module version"""
|
|
231
|
+
moduleinfo['config'] = moduleconfig
|
|
232
|
+
return moduleinfo
|