Contents¶
Overview¶
| docs | |
|---|---|
| package |    |
Imports Alienvault OTX pulses to a MISP instance.
- Free software: Apache 2.0 license
Documentation¶
Alienvault OTX SDK¶
All files in the src/otx_misp/otx directory are Copyright 2015 AlienVault, Inc. and under the Apache 2.0 license.
Usage¶
To use OTX to MISP from the command line:
$ otx-misp --help
otx-misp¶
Downloads OTX pulses and add them to MISP.
usage: otx-misp [-h] [-o OTX] [-s SERVER] [-m MISP] [-t TIMESTAMP] [-c CONFIG]
[-w] [-a] [-u] [-n] [-d] [-v] [--no-tlp] [--discover-tags]
[--to-ids] [--distribution DISTRIBUTION]
[--threat-level THREAT_LEVEL] [--analysis ANALYSIS]
[--author-tag] [--bulk-tag BULK_TAG] [--dedup-titles]
[--stop-on-error]
-
-h,--help¶ show this help message and exit
-
-o<otx>,--otx<otx>¶ Alienvault OTX API key
-
-s<server>,--server<server>¶ MISP server URL
-
-m<misp>,--misp<misp>¶ MISP API key
-
-t<timestamp>,--timestamp<timestamp>¶ Last import as Date/Time ISO format or UNIX timestamp
-
-c<config>,--config-file<config>¶
-
-w,--write-config¶ Write the configuration file
-
-a,--author¶ Add the Pulse author name in the MISP Info field
-
-u,--update-timestamp¶ Updates the timestamp in the configuaration file
-
-n,--no-publish¶ Don’t publish the MISP event
-
-d,--dry-run¶ Fetch the pulses but don’t create MISP events. Use -v[v] to see details.
-
-v,--verbose¶ Verbosity, repeat to increase the verbosity level.
-
--no-tlp¶ No Traffic Light Protocol tag
Discover tags to add to MISP events
-
--to-ids¶ Mark IOCs as exportable to IDS
-
--distribution<distribution>¶ MISP distribution of events (organisation,community,connected,all), default: organisation
-
--threat-level<threat_level>¶ MISP threat level of events (high,medium,low,undefined), default: undefined
-
--analysis<analysis>¶ MISP analysis state of events (initial,ongoing,completed), default: completed
Add the pulse author as an event tag
-
--bulk-tag<bulk_tag>¶ Add a custom tag that will be added to all events (e.g. OTX)
-
--dedup-titles¶ Search MISP for an existing event title and update it, rather than create a new one
-
--stop-on-error¶ Stop import when an exception is raised
To use OTX to MISP in a project:
import otx_misp
Reference¶
otx_misp¶
-
otx_misp.create_events(pulse_or_list, author=False, server=False, key=False, misp=False, distribution=0, threat_level=4, analysis=2, publish=True, tlp=True, discover_tags=False, to_ids=False, author_tag=False, bulk_tag=None, dedup_titles=False, stop_on_error=False)[source]¶ Parse a Pulse or a list of Pulses and add it/them to MISP if server and key are present
Parameters: - pulse_or_list – a Pulse or list of Pulses as returned by get_pulses
- author (Boolean) – Prepend the author to the Pulse name
- server – MISP server URL
- key – MISP API key
- misp (
pymisp.PyMISP) – MISP connection object - distribution – distribution of the MISP event (0-4)
- threat_level – threat level of the MISP object (1-4)
- analysis – analysis stae of the MISP object (0-2)
- publish (Boolean) – Is the MISP event should be published?
- tlp (Boolean) – Add TLP level tag to event
- discover_tags (Boolean) – discover MISP tags from Pulse tags
- to_ids (Boolean) – Flag pulse attributes as being sent to an IDS
- author_tag (Boolean) – Add the pulse author as an event tag
- bulk_tag (String) – A tag that will be added to all events for categorization (e.g. OTX)
- dedup_titles (Boolean) – Search MISP for an existing event title and update it, rather than create a new one
Returns: a dict or a list of dict with the selected attributes
-
otx_misp.get_pulses(otx_api_key, from_timestamp=None)[source]¶ Get the Pulses from Alienvault OTX
Parameters: - otx_api_key (string) – Alienvault OTX API key
- from_timestamp (
datetime.datetimeor ISO string or Unix timestamp) – only download Pulses after this date/time (None for all Pulses)
Returns: a list of Pulses (dict)
-
otx_misp.get_pulses_iter(otx_api_key, from_timestamp=None)[source]¶ Get the Pulses from Alienvault OTX and returns a generator
Parameters: - otx_api_key (string) – Alienvault OTX API key
- from_timestamp (
datetime.datetimeor ISO string or Unix timestamp) – only download Pulses after this date/time (None for all Pulses)
Returns: a generator of Pulses (dict)
Contributing¶
Contributions are welcome, and they are greatly appreciated! Every little bit helps, and credit will always be given.
Bug reports¶
When reporting a bug please include:
- Your operating system name and version.
- Any details about your local setup that might be helpful in troubleshooting.
- Detailed steps to reproduce the bug.
Documentation improvements¶
OTX to MISP could always use more documentation, whether as part of the official OTX to MISP docs, in docstrings, or even on the web in blog posts, articles, and such.
Feature requests and feedback¶
The best way to send feedback is to file an issue at https://github.com/gcrahay/otx_misp/issues.
If you are proposing a feature:
- Explain in detail how it would work.
- Keep the scope as narrow as possible, to make it easier to implement.
- Remember that this is a volunteer-driven project, and that code contributions are welcome :)
Development¶
To set up otx_misp for local development:
Fork otx_misp (look for the “Fork” button).
Clone your fork locally:
git clone git@github.com:your_name_here/otx_misp.git
Create a branch for local development:
git checkout -b name-of-your-bugfix-or-feature
Now you can make your changes locally.
Commit your changes and push your branch to GitHub:
git add . git commit -m "Your detailed description of your changes." git push origin name-of-your-bugfix-or-feature
Submit a pull request through the GitHub website.
Pull Request Guidelines¶
If you need some code review or feedback while you’re developing the code just make the pull request.
For merging, you should:
- Update documentation when there’s new API, functionality etc.
- Add a note to
CHANGELOG.rstabout the changes. - Add yourself to
AUTHORS.rst.
Authors¶
- Gaetan Crahay - https://github.com/gcrahay
- Nick Driver - https://github.com/TheDr1ver
- KALRONG - https://github.com/KALRONG
- obert01 - https://github.com/obert01
Changelog¶
1.4.2 (2018-05-11)¶
- Fix typo in logger name (@TheDr1ver)
- Don’t add already attached tag to events
- Tested with Python 3.5 and MISP 2.4.89
1.4.1 (2017-08-25)¶
- Fix MISP tag name parsing (@KALRONG)
- Use pulse ‘created’ date in MISP event (@obert01)
1.4.0 (2017-08-14)¶
- Add YARA indicator support
1.3.0 (2017-07-04)¶
- Fix dedup function
- Fix TLP tag import
- Don’t stop on import error
- Python 2 support warning
- Tested with Python 3.5, MISP 2.4.[71-76], PyMISP 2.4.71
1.2.1 (2017-03-31)¶
- Fix Python 3 compatibility
1.2.0 (2017-03-31)¶
- Fixes event tagging
- Adds additional tagging options
- Handles empty reference field in OTX pulses
1.1.1 (2017-01-28)¶
- Improve Pulse modified field parsing
1.1 (2016-12-04)¶
- Fix compatibility with PyMISP >= 2.4.53
- Improve Python 3 support
1.0.3 (2016-09-10)¶
- Fix new configuration cloning bug
1.0.2 (2016-09-02)¶
- Fix compatibility issue with Python 2.7.6
1.0.1 (2016-09-01)¶
- Catch exceptions when disabling SSL warnings
1.0.0 (2016-06-21)¶
- First stable version
- Pulse Traffic Light Protocol level added as tag in MISP event
- If the last part of a MISP tag and a Pulse tag are the same, tag the MISP event
- MISP attributes to_ids field
0.3.0 (2016-06-20)¶
- Fix default handling for distribution, threat_level and analysis parameters
- Better performance: Use OTXv2 generator API and remove some delays
0.2.0 (2016-06-14)¶
- Integrate OTXv2 as a subtree.
0.1.0 (2016-06-14)¶
- First release on PyPI.