intelmq.bots.outputs.misp package

Submodules

intelmq.bots.outputs.misp.output_api module

Connect to a MISP instance and add event as MISPObject if not there already.

SPDX-FileCopyrightText: 2020 Intevation GmbH <https://intevation.de>
SPDX-License-Identifier: AGPL-3.0-or-later

Funding: of initial version by SUNET
Author(s):

A shortened copy of this documentation is kept at docs/user/bots.rst, please keep it current, when changing something.

param - add_feed_provider_as_tag

bool (use true when in doubt)

param - add_feed_name_as_tag

bool (use true when in doubt)

param - misp_additional_correlation_fields

list of fields for which the correlation flags will be enabled (in addition to those which are in significant_fields)

param - misp_additional_tags

list of additional tags to set on new MISP events; these tags are not searched for when looking for duplicates

param - misp_key

str, API key for accessing MISP

param - misp_publish

bool, if a new MISP event should be set to “publish”. Expert setting as MISP may really make it “public”! (Use false when in doubt.)

param - misp_tag_for_bot

str, used to mark MISP events

param - misp_to_ids_fields

list of fields for which the to_ids flags will be set

param - misp_url

str, URL of the MISP server

param - significant_fields

list of intelmq field names

The significant_fields values are searched for in all MISP attribute values; if all values are found in one MISP event, no new MISP event is created. (All values are matched without considering the attribute type because of a technical limitation of the search functionality exposed by the MISP/pymisp 2.4.120 API.) Instead, if the existing MISP event has the same feed.provider and matches closely, its timestamp is updated.

If a new MISP event is inserted, correlation is enabled for the attributes listed in significant_fields and misp_additional_correlation_fields.
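As an added illustration of the deduplication and flag rules described above (not the bot's own code, and independent of pymisp), the following models existing MISP events as plain dicts; the helper names and the event values are constructed assumptions, not real indicators:

```python
# Added example: models the documented dedup rule and attribute flags
# with plain dicts; hypothetical helpers, not the bot's own code.
SIGNIFICANT_FIELDS = ["source.fqdn", "source.reverse_dns"]
TO_IDS_FIELDS = ["source.fqdn", "source.reverse_dns"]
CORRELATION_FIELDS = SIGNIFICANT_FIELDS + ["source.asn"]


def find_existing_event(intelmq_event, misp_events,
                        significant_fields=SIGNIFICANT_FIELDS):
    """First MISP event whose attribute values contain every significant
    value, ignoring attribute types (the documented search limitation)."""
    wanted = {str(intelmq_event[f]) for f in significant_fields
              if f in intelmq_event}
    if not wanted:
        return None
    for event in misp_events:
        present = {str(a["value"]) for a in event["attributes"]}
        if wanted <= present:
            return event
    return None


def build_attributes(intelmq_event, to_ids_fields=TO_IDS_FIELDS,
                     correlation_fields=CORRELATION_FIELDS):
    """Attributes for a new MISP object with to_ids and correlation flags
    derived from the configured field lists."""
    return [{"object_relation": field, "value": str(value),
             "to_ids": field in to_ids_fields,
             "disable_correlation": field not in correlation_fields}
            for field, value in intelmq_event.items()]


def decide(intelmq_event, misp_events):
    """'insert' a new event, 'update' the timestamp of a matching event from
    the same feed.provider, or 'skip' when the values exist elsewhere."""
    found = find_existing_event(intelmq_event, misp_events)
    if found is None:
        return "insert"
    if found.get("feed_provider") == intelmq_event.get("feed.provider"):
        return "update"
    return "skip"


# Constructed sample data (not real indicators).
EXISTING_EVENTS = [{"feed_provider": "Example-Feed", "attributes": [
    {"type": "hostname", "value": "host1.example.net"},
    {"type": "text", "value": "rdns1.example.net"}]}]
NEW_EVENT = {"feed.provider": "Example-Feed", "source.fqdn": "host1.example.net",
             "source.reverse_dns": "rdns1.example.net", "source.asn": 64496}
```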

Make sure to build the IntelMQ botnet so that the rate of incoming events is one MISP can handle, as IntelMQ can process many more events faster than MISP (which is by design, as MISP is for manual handling). Also use an expert bot to remove the fields of the IntelMQ events that you do not want inserted into MISP.

Example (of some parameters in JSON):

"add_feed_provider_as_tag": true,
"add_feed_name_as_tag": true,
"misp_additional_correlation_fields": ["source.asn"],
"misp_additional_tags": ["OSINT", "osint:certainty=\"90\""],
"misp_publish": false,
"misp_to_ids_fields": ["source.fqdn", "source.reverse_dns"],
"significant_fields": ["source.fqdn", "source.reverse_dns"],

Originally developed with pymisp v2.4.120 (which needs python v>=3.6).

intelmq.bots.outputs.misp.output_api.BOT

alias of intelmq.bots.outputs.misp.output_api.MISPAPIOutputBot

class intelmq.bots.outputs.misp.output_api.MISPAPIOutputBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)

Bases: intelmq.lib.bot.OutputBot

Insert events into a MISP instance

IntelMQ-Bot-Name: MISP API

_insert_misp_event(intelmq_event)

Insert a new MISPEvent.

_update_misp_event(misp_event, intelmq_event)

Update timestamp on a found MISPEvent if it matches closely.

add_feed_name_as_tag: bool = True
add_feed_provider_as_tag: bool = True
static check(parameters)

The bot’s own check function can perform individual checks on its parameters. init() is not called beforehand; this is a staticmethod which does not require class initialization.

Parameters

parameters – Bot’s parameters, defaults and runtime merged together

Returns

None or a list of [log_level, log_message] pairs, both strings. log_level must be a valid log level.

Return type

output

init()
misp_additional_correlation_fields = []
misp_additional_tags = []
misp_key: str = None
misp_publish: bool = False
misp_tag_for_bot: str = None
misp_to_ids_fields = []
misp_url: str = None
process()
significant_fields: list = []

intelmq.bots.outputs.misp.output_feed module

intelmq.bots.outputs.misp.output_feed.BOT

alias of intelmq.bots.outputs.misp.output_feed.MISPFeedOutputBot

class intelmq.bots.outputs.misp.output_feed.MISPFeedOutputBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)

Bases: intelmq.lib.bot.OutputBot

Generate an output in the MISP Feed format

static check(parameters)

The bot’s own check function can perform individual checks on its parameters. init() is not called beforehand; this is a staticmethod which does not require class initialization.

Parameters

parameters – Bot’s parameters, defaults and runtime merged together

Returns

None or a list of [log_level, log_message] pairs, both strings. log_level must be a valid log level.

Return type

output

static check_output_dir(dirname)
init()
interval_event: str = '1 hour'
misp_org_name = None
misp_org_uuid = None
output_dir: str = '/opt/intelmq/var/lib/bots/mispfeed-output'
process()

Module contents