intelmq.bots.outputs.misp package¶

Submodules¶

intelmq.bots.outputs.misp.output_api module¶

Connect to a MISP instance and add event as MISPObject if not there already.

SPDX-FileCopyrightText: 2020 Intevation GmbH <https://intevation.de> SPDX-License-Identifier: AGPL-3.0-or-later

Funding: of initial version by SUNET Author(s): * Bernhard Reiter <bernhard@intevation.de>

A shortened copy of this documentation is kept at docs/user/bots.rst, please keep it current, when changing something.

param - add_feed_provider_as_tag:: bool (use true when in doubt)
param - add_feed_name_as_as_tag:: bool (use true when in doubt)
param - misp_additional_correlation_fields:: list of fields for which the correlation flags will be enabled (in addition to those which are in significant_fields)
param - misp_additional_tags:: list of tags to set not be searched for when looking for duplicates
param - misp_key:: str, API key for accessing MISP
param - misp_publish:: bool, if a new MISP event should be set to “publish”. Expert setting as MISP may really make it “public”! (Use false when in doubt.)
param - misp_tag_for_bot:: str, used to mark MISP events
param - misp_to_ids_fields:: list of fields for which the to_ids flags will be set
param - misp_url:: str, URL of the MISP server
param - significant_fields:: list of intelmq field names

The significant_fields values will be searched for in all MISP attribute values and if all values are found in the one MISP event, no new MISP event will be created. (The reason that all values are matched without considering the attribute type is a technical limitation of the search functionality exposed by the MISP/pymisp 2.4.120 API.) Instead if the existing MISP events have the same feed.provider and match closely, their timestamp will be updated.

If a new MISP event is inserted the significant_fields and the misp_additional_correlation_fields will be the attributes where correlation is enabled.

Make sure to build the IntelMQ Botnet in a way the rate of incoming events is what MISP can handle, as IntelMQ can process many more events faster than MISP (which is by design as MISP is for manual handling). Also remove the fields of the IntelMQ events with an expert bot that you do not want to be inserted into MISP.

Example (of some parameters in JSON):

"add_feed_provider_as_tag": true,
"add_feed_name_as_tag": true,
"misp_additional_correlation_fields": ["source.asn"],
"misp_additional_tags": ["OSINT", "osint:certainty=="90""],
"misp_publish": false,
"misp_to_ids_fields": ["source.fqdn", "source.reverse_dns"],
"significant_fields": ["source.fqdn", "source.reverse_dns"],

Originally developed with pymisp v2.4.120 (which needs python v>=3.6).

intelmq.bots.outputs.misp.output_api.BOT¶: alias of MISPAPIOutputBot

class intelmq.bots.outputs.misp.output_api.MISPAPIOutputBot(*args, **kwargs)¶

Bases: OutputBot

Insert events into a MISP instance

IntelMQ-Bot-Name: MISP API

_insert_misp_event(intelmq_event)¶: Insert a new MISPEvent.

_update_misp_event(misp_event, intelmq_event)¶: Update timestamp on a found MISPEvent if it matches closely.

add_feed_name_as_tag: bool = True¶

add_feed_provider_as_tag: bool = True¶

static check(parameters)¶

The bot’s own check function can perform individual checks on it’s parameters. init() is not called before, this is a staticmethod which does not require class initialization.

Parameters:

parameters – Bot’s parameters, defaults and runtime merged together

Returns:

None or a list of [log_level, log_message] pairs, both: strings. log_level must be a valid log level.

Return type:

output

init()¶

misp_additional_correlation_fields = []¶

misp_additional_tags = []¶

misp_key: str = None¶

misp_publish: bool = False¶

misp_tag_for_bot: str = None¶

misp_to_ids_fields = []¶

misp_url: str = None¶

process()¶

significant_fields: list = []¶

intelmq.bots.outputs.misp.output_feed module¶

intelmq.bots.outputs.misp.output_feed.BOT¶: alias of MISPFeedOutputBot

class intelmq.bots.outputs.misp.output_feed.MISPFeedOutputBot(*args, **kwargs)¶