From 03c8a837fe8b2af255e10d77f149f7f95b9e21c9 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 1 Mar 2024 15:34:49 +0100 Subject: [PATCH 01/69] add invest for one event --- core/common/misp_to_yeti.py | 29 ++++++++++++++++------------- core/web/apiv2/import_data.py | 13 +++++++++---- 2 files changed, 25 insertions(+), 17 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 4fde79074..eb1b3600b 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -1,4 +1,4 @@ -from core.schemas import observable +from core.schemas import entity, observable MISP_TYPES_TO_IMPORT = { "domain": observable.ObservableType.hostname, 
@@ -26,42 +26,45 @@ class MispToYeti: def __init__(self, misp_event): self.misp_event = misp_event - def attr_misp_to_yeti(self, attribute: dict) -> observable.Observable: + def attr_misp_to_yeti( + self, invest: entity.Investigation, attribute: dict + ) -> observable.Observable: # type: ignore if attribute.get("type") in MISP_TYPES_TO_IMPORT: obs_yeti = observable.TYPE_MAPPING[ - MISP_TYPES_TO_IMPORT[attribute.get("type")] + MISP_TYPES_TO_IMPORT[attribute.get("type")] # type: ignore ](value=attribute.get("value")).save() print(f"Attribute {attribute.get('value')} imported") return obs_yeti def add_context_by_misp( self, attribute_misp: dict, event: dict, obs_yeti: observable.Observable - ) -> dict: + ): context = {} event_id = attribute_misp.get("event_id") - context["Org"] = event.get("Org")["name"] + context["Org"] = event["Org"]["name"] context["event_id"] = event_id if attribute_misp.get("comment"): context["comment"] = attribute_misp.get("comment") obs_yeti.add_context("misp", context) - def obs_misp_to_yeti(self, object_misp: dict): - objs_type = object_misp.get("type") + def obs_misp_to_yeti(self,invest: entity.Investigation, object_misp: dict): + objs_type = object_misp["type"] links = [] - for attr in object_misp.get("Attribute"): - obs_yeti = self.attr_misp_to_yeti(attr) + for attr in object_misp["Attribute"]: + obs_yeti = self.attr_misp_to_yeti(invest,attr) links.append(obs_yeti) obs_yeti = links.pop() for obj_to_link in links: obs_yeti.link_to(obj_to_link, f"linked_by_misp_{objs_type}", "misp") def misp_to_yeti(self): - for object_misp in self.misp_event.get("Object"): - self.obs_misp_to_yeti(object_misp) + invest = entity.Investigation(name=self.misp_event.get("info")).save() + for object_misp in self.misp_event["Object"]: + self.obs_misp_to_yeti(invest,object_misp) - for attribute_misp in self.misp_event.get("Attribute"): - obs_yeti = self.attr_misp_to_yeti(attribute_misp) + for attribute_misp in self.misp_event["Attribute"]: + obs_yeti = 
self.attr_misp_to_yeti(invest,attribute_misp) if obs_yeti: self.add_context_by_misp(attribute_misp, self.misp_event, obs_yeti) else: diff --git a/core/web/apiv2/import_data.py b/core/web/apiv2/import_data.py index 03f14298d..1bb09be3b 100644 --- a/core/web/apiv2/import_data.py +++ b/core/web/apiv2/import_data.py @@ -1,13 +1,18 @@ + +import json + from fastapi import APIRouter, File, UploadFile +from core.common.misp_to_yeti import MispToYeti + router = APIRouter() @router.post("/import_misp_json", tags=["import_misp_json"]) async def import_misp_json(misp_file_json: UploadFile = File(...)): - # contents = await misp_file_json.read() - # data_json = json.loads(contents) + contents = await misp_file_json.read() + data_json = json.loads(contents) - # converter = MispToYeti(data_json["Event"]) - # converter.misp_to_yeti() + converter = MispToYeti(data_json["Event"]) + converter.misp_to_yeti() return {"status": True} From 5f4b27cc19c87f8b5469a6ff150ce67e710b1e99 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 1 Mar 2024 16:37:10 +0100 Subject: [PATCH 02/69] add asn object --- core/common/misp_to_yeti.py | 61 +++++++++++++++++++++++++++++-------- 1 file changed, 48 insertions(+), 13 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index eb1b3600b..5db8e51ff 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -1,6 +1,8 @@ +import logging + from core.schemas import entity, observable -MISP_TYPES_TO_IMPORT = { +MISP_Attribute_TO_IMPORT = { "domain": observable.ObservableType.hostname, "hostname": observable.ObservableType.hostname, "ip-dst": observable.ObservableType.ipv4, 
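Review bot: In the new `obs_misp_to_yeti`, `links.append(obs_yeti)` runs unconditionally, but `attr_misp_to_yeti` only returns inside its `if`, so an attribute whose type is not in `MISP_TYPES_TO_IMPORT` puts `None` into `links`; `links.pop()` can then hand back `None` and `obs_yeti.link_to(...)` raises AttributeError, and an object with no importable attribute at all makes `links.pop()` raise IndexError. `misp_to_yeti` already guards its own call with `if obs_yeti:`; mirror that here with `if obs_yeti: links.append(obs_yeti)` and `if not links: return` before the pop. The `invest` parameter added to `attr_misp_to_yeti` is accepted but never used in this commit; a one-line comment on its intended role would keep the signature from looking like dead weight until a later change gives it one.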
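Review bot: `json.loads(contents)` and `data_json["Event"]` now run directly on the uploaded body with no error handling, so a malformed, non-UTF-8 or non-MISP upload surfaces as an unhandled exception instead of a client error, and anything that does parse is handed straight to an importer that creates entities. Catch the parse and shape failures at this boundary and answer with a 400 via FastAPI's `HTTPException` (which needs importing), as sketched below. The whole file is also read into memory with `await misp_file_json.read()`; if request bodies are not bounded elsewhere in the deployment, a size limit belongs here too. No authentication dependency is visible on this route in the hunk — if the router include does not apply one, an endpoint that writes to the graph should have it.

```python
async def import_misp_json(misp_file_json: UploadFile = File(...)):
    contents = await misp_file_json.read()
    try:
        data_json = json.loads(contents)
        event = data_json["Event"]
    except (UnicodeDecodeError, json.JSONDecodeError, KeyError, TypeError) as err:
        raise HTTPException(status_code=400, detail="invalid MISP event JSON") from err
    converter = MispToYeti(event)
    # … unchanged: converter.misp_to_yeti() and the return …
```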
@@ -19,20 +21,25 @@ "email": observable.ObservableType.email, "filename": observable.ObservableType.file, "regkey": observable.ObservableType.registry_key, + "asn": observable.ObservableType.asn, } - class MispToYeti: + def __init__(self, misp_event): self.misp_event = misp_event + self.func_by_type = { + "asn": self.__import_asn_object, + } def attr_misp_to_yeti( self, invest: entity.Investigation, attribute: dict ) -> observable.Observable: # type: ignore - if attribute.get("type") in MISP_TYPES_TO_IMPORT: + if attribute.get("type") in MISP_Attribute_TO_IMPORT: obs_yeti = observable.TYPE_MAPPING[ - MISP_TYPES_TO_IMPORT[attribute.get("type")] # type: ignore + MISP_Attribute_TO_IMPORT[attribute.get("type")] # type: ignore ](value=attribute.get("value")).save() + invest.link_to(obs_yeti, "imported_by_misp",f"misp {self.misp_event['Orgc']['name']}") print(f"Attribute {attribute.get('value')} imported") return obs_yeti @@ -49,17 +56,18 @@ def add_context_by_misp( obs_yeti.add_context("misp", context) def obs_misp_to_yeti(self,invest: entity.Investigation, object_misp: dict): - objs_type = object_misp["type"] - links = [] - for attr in object_misp["Attribute"]: - obs_yeti = self.attr_misp_to_yeti(invest,attr) - links.append(obs_yeti) - obs_yeti = links.pop() - for obj_to_link in links: - obs_yeti.link_to(obj_to_link, f"linked_by_misp_{objs_type}", "misp") + if object_misp["name"] in self.func_by_type: + self.func_by_type[object_misp["name"]](invest,object_misp) + else: + print(f"Object {object_misp['name']} not imported") def misp_to_yeti(self): - invest = entity.Investigation(name=self.misp_event.get("info")).save() + invest = entity.Investigation(name=self.misp_event["info"]).save() + + if self.misp_event["Tag"]: + invest.tag(self.misp_event["Tag"]) + + for object_misp in self.misp_event["Object"]: self.obs_misp_to_yeti(invest,object_misp) 
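Review bot: `misp_to_yeti` now does `if self.misp_event["Tag"]:`, which raises KeyError when the event JSON carries no `Tag` key (untagged MISP exports may omit it — confirm against the producer), whereas the other direct indexes in this method are on keys the event always has; `if tags := self.misp_event.get("Tag"): invest.tag(tags)` keeps the intent without the crash. It also passes the raw list of tag dicts to `invest.tag(...)`; if that method expects names, map `[t["name"] for t in tags]` first. Style: this commit adds `import logging`, yet the new "not imported" paths still `print`; `logging.info(...)` would make the importer's output controllable. The `self.__import_*` names are double-underscore mangled for no benefit here; PEP 8's convention for private helpers is a single leading underscore.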
@@ -69,3 +77,30 @@ def misp_to_yeti(self): self.add_context_by_misp(attribute_misp, self.misp_event, obs_yeti) else: print(f"Attribute {attribute_misp} not imported") + invest.save() + + def __import_av_signature(self, invest: entity.Investigation,object_av_signature: dict): + + def __import_asn_object(self, invest: entity.Investigation,object_asn: dict): + asn = observable.asn.ASN(value=object_asn["asn"]).save() + context = {} + + if subnet := object_asn.get("subnet"): + try: + subnet = observable.cidr.CIDR(value=subnet).save() + asn.link_to(subnet, "part_of", "subnet") + except ValueError: + logging.error(f"Invalid subnet: {subnet}") + + if object_asn['last-seen']: + context["last-seen"] = object_asn['last-seen'] + if object_asn['first-seen']: + context["first-seen"] = object_asn['first-seen'] + if object_asn['description']: + context["description"] = object_asn['description'] + if object_asn['country']: + context["country"] = object_asn['country'] + + asn.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) + + invest.link_to(asn, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") From f0f4649dbbecf27b1067030f90ab7531fdca642e Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 1 Mar 2024 16:44:41 +0100 Subject: [PATCH 03/69] ad av signature --- core/common/misp_to_yeti.py | 9 +++++++-- core/schemas/indicator.py | 9 +++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 5db8e51ff..4417f42c9 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -1,6 +1,6 @@ import logging -from core.schemas import entity, observable +from core.schemas import entity, observable, indicator MISP_Attribute_TO_IMPORT = { "domain": observable.ObservableType.hostname, 
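Review bot: `__import_av_signature` is added with a signature and no body, so `core/common/misp_to_yeti.py` fails to compile at this commit and every import of the module breaks (the body only arrives in the next patch of the series); a `pass` or `raise NotImplementedError` placeholder keeps each commit buildable. In `__import_asn_object` the optional fields are read with `object_asn["last-seen"]` etc. while `subnet` uses `.get`, so an ASN object missing any of them raises KeyError; `for key in ("last-seen", "first-seen", "description", "country"):` / `if (val := object_asn.get(key)):` / `context[key] = val` handles all four uniformly. More generally, `object_asn["asn"]` assumes the object's attributes have been flattened onto the object dict; in raw MISP event JSON an object's values live in its `Attribute` list keyed by `object_relation`, so confirm the input shape — the same assumption recurs in the btc-wallet, c2-list, crowdsec and command-line importers added later in this series.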
@@ -30,6 +30,7 @@ def __init__(self, misp_event): self.misp_event = misp_event self.func_by_type = { "asn": self.__import_asn_object, + "av-signature": self.__import_av_signature, } def attr_misp_to_yeti( @@ -80,7 +81,11 @@ def misp_to_yeti(self): invest.save() def __import_av_signature(self, invest: entity.Investigation,object_av_signature: dict): - + av_sig = indicator.av_signature(name=object_av_signature["signature"],software=object_av_signature["software"]).save() + av_sig.description = object_av_signature["description"] + av_sig.save() + invest.link_to(av_sig, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") + def __import_asn_object(self, invest: entity.Investigation,object_asn: dict): asn = observable.asn.ASN(value=object_asn["asn"]).save() context = {} diff --git a/core/schemas/indicator.py b/core/schemas/indicator.py index 588ff9e5e..d179963bf 100644 --- a/core/schemas/indicator.py +++ b/core/schemas/indicator.py @@ -30,6 +30,7 @@ class IndicatorType(str, Enum): sigma = "sigma" query = "query" forensicartifact = "forensicartifact" + av_signature = "av_signature" class IndicatorMatch(BaseModel): @@ -273,6 +274,13 @@ def save_indicators(self, create_links: bool = False): self.link_to(indicator, "uses", f"Uses regex {indicator.name}") return indicators +class av_signature(Indicator): + _type_filter: ClassVar[str] = IndicatorType.av_signature + type: Literal[IndicatorType.av_signature] = IndicatorType.av_signature + software: str + + def match(self, value: str) -> IndicatorMatch | None: + raise NotImplementedError ARTIFACT_INTERPOLATION_RE = re.compile(r"%%[a-z._]+%%") @@ -282,6 +290,7 @@ def save_indicators(self, create_links: bool = False): "sigma": Sigma, "query": Query, "forensicartifact": ForensicArtifact, + "av_signature": av_signature, "indicator": Indicator, "indicators": Indicator, } From b174d14a93fe7bb557a9036afcc8191caa9f3fac Mon Sep 17 00:00:00 2001 
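Review bot: `__import_av_signature` saves `av_sig`, then sets `description` and saves again; passing `description=object_av_signature["description"]` to the constructor and saving once avoids the redundant write (assuming the Indicator model accepts `description` at construction, which the attribute assignment suggests). `object_av_signature["software"]` and `["description"]` are indexed directly, so an av-signature object missing either raises KeyError; `.get(..., "")` matches how optional fields are read elsewhere in this file.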
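Review bot: `class av_signature(Indicator)` breaks the PascalCase used by the sibling classes in the same `TYPE_MAPPING` (`Sigma`, `Query`, `ForensicArtifact`); `class AVSignature(Indicator):` with the mapping key and `IndicatorType` value unchanged keeps the JSON contract while fixing the name. The class has no docstring; a line such as `"""An antivirus detection name together with the vendor product that emitted it."""` plus a note that matching is intentionally unsupported would tell callers why `match()` raises `NotImplementedError` — and if any code path iterates every indicator and calls `match`, that raise will surface there.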
From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 1 Mar 2024 16:53:47 +0100 Subject: [PATCH 04/69] add btc_wallet --- core/common/misp_to_yeti.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 4417f42c9..5c839d337 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -31,6 +31,7 @@ def __init__(self, misp_event): self.func_by_type = { "asn": self.__import_asn_object, "av-signature": self.__import_av_signature, + "btc-wallet": self.__import_btc_wallet, } def attr_misp_to_yeti( @@ -109,3 +110,19 @@ def __import_asn_object(self, invest: entity.Investigation,object_asn: dict): asn.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) invest.link_to(asn, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") + + def __import_btc_wallet(self, invest: entity.Investigation,object_btc: dict): + btc = observable.wallet.Wallet(value=object_btc["wallet-address"]).save() + context = {} + if object_btc["BTC_received"]: + context["BTC_received"] = object_btc["BTC_received"] + if object_btc["BTC_sent"]: + context["BTC_sent"] = object_btc["BTC_sent"] + if object_btc["BTC_balance"]: + context["BTC_balance"] = object_btc["BTC_balance"] + if object_btc["time"]: + context["time"] = object_btc["time"] + if context: + btc.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) + invest.link_to(btc, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") + From 3eaab5cd5cfb1592387d2aebf9531e008deb3842 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 1 Mar 2024 17:26:49 +0100 Subject: [PATCH 05/69] add c2 list --- core/common/misp_to_yeti.py | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 5c839d337..efe9f2403 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py 
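Review bot: `__import_btc_wallet` indexes `object_btc["BTC_received"]`, `["BTC_sent"]`, `["BTC_balance"]` and `["time"]` directly, yet the trailing `if context:` treats them as optional; a wallet object missing any one of them raises KeyError before that check is reached. `for key in ("BTC_received", "BTC_sent", "BTC_balance", "time"):` / `if (val := object_btc.get(key)):` / `context[key] = val` reads all four safely. The added trailing blank `+` line at the end of the file is stray whitespace.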
@@ -1,5 +1,5 @@ import logging - +from datetime import timedelta from core.schemas import entity, observable, indicator MISP_Attribute_TO_IMPORT = { @@ -32,6 +32,7 @@ def __init__(self, misp_event): "asn": self.__import_asn_object, "av-signature": self.__import_av_signature, "btc-wallet": self.__import_btc_wallet, + "c2-list": self.__import_c2_list, } def attr_misp_to_yeti( @@ -56,12 +57,24 @@ def add_context_by_misp( context["comment"] = attribute_misp.get("comment") obs_yeti.add_context("misp", context) - + + def add_obs(self,invest: entity.Investigation,obs_misp: dict): + for attr in obs_misp["Attribute"]: + obs_yeti = self.attr_misp_to_yeti(invest,attr) + + if obs_yeti: + self.add_context_by_misp(attr, obs_misp, obs_yeti) + yield obs_yeti + else: + print(f"Attribute {attr} not imported") + def obs_misp_to_yeti(self,invest: entity.Investigation, object_misp: dict): if object_misp["name"] in self.func_by_type: self.func_by_type[object_misp["name"]](invest,object_misp) else: - print(f"Object {object_misp['name']} not imported") + for obs_yeti in self.add_obs(invest,object_misp): + invest.link_to(obs_yeti, "imported_by_misp",f"misp {self.misp_event['Orgc']['name']}") + def misp_to_yeti(self): invest = entity.Investigation(name=self.misp_event["info"]).save() @@ -110,7 +123,7 @@ def __import_asn_object(self, invest: entity.Investigation,object_asn: dict): asn.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) invest.link_to(asn, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") - + def __import_btc_wallet(self, invest: entity.Investigation,object_btc: dict): btc = observable.wallet.Wallet(value=object_btc["wallet-address"]).save() context = {} 
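Review bot: In the new `add_obs`, `self.add_context_by_misp(attr, obs_misp, obs_yeti)` passes the MISP Object as the `event` argument, but `add_context_by_misp` reads `event["Org"]["name"]`; a MISP Object dict does not carry an `Org` entry (the enclosing event does), so every generic object import raises KeyError on its first importable attribute. `self.add_context_by_misp(attr, self.misp_event, obs_yeti)` supplies what the method expects. `add_obs` yielding only successfully imported observables is the right shape; `add_context_by_misp` itself starts outside this hunk.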
@@ -126,3 +139,17 @@ def __import_btc_wallet(self, invest: entity.Investigation,object_btc: dict): btc.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) invest.link_to(btc, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") + + def __import_c2_list(self, invest: entity.Investigation,object_c2_list: dict): + list_c2_ip = filter(lambda x: x["type"] == "c2-ip", object_c2_list["Attribute"]) + list_c2_domain = filter(lambda x: x["type"] == "c2-ipport", object_c2_list["Attribute"]) + for c2 in list_c2_ip: + obs_yeti=self.attr_misp_to_yeti(invest,c2) + obs_yeti.link_to_tag(object_c2_list['threat'],timedelta(days=30)) + for c2 in list_c2_domain: + ip,port = c2["value"].split("|") + obs_yeti=observable.TYPE_MAPPING[MISP_Attribute_TO_IMPORT["ip-src"]](value=ip) + obs_yeti.link_to_tag(object_c2_list['threat'],timedelta(days=30)) + obs_yeti.add_context("misp",{"port":port}) + + From 25d49fe05b293404317bc7d86f8a39cfc88d4348 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 11:50:19 +0100 Subject: [PATCH 06/69] Update entity.py add location --- core/schemas/entity.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/core/schemas/entity.py b/core/schemas/entity.py index 1a0c7c651..8e99f6f66 100644 --- a/core/schemas/entity.py +++ b/core/schemas/entity.py @@ -24,6 +24,7 @@ class EntityType(str, Enum): tool = "tool" vulnerability = "vulnerability" course_of_action = "course-of-action" + location = "location" class Entity(YetiTagModel, database_arango.ArangoYetiConnector): @@ -136,7 +137,15 @@ class Investigation(Entity): reference: str = "" +class location(Entity): + _type_filter: ClassVar[str] = EntityType.location + type: Literal[EntityType.location] = EntityType.location + location: str = "" + reference: str = "" + lat: float = 0.0 + lon: float = 0.0 + class SeverityType(str, Enum): none = "none" low = "low" From 98733ea88197da9bf8c29291f337fcf31a1d8a4d Mon Sep 17 00:00:00 2001 
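Review bot: In `__import_c2_list` the "c2-ipport" branch builds `observable.TYPE_MAPPING[MISP_Attribute_TO_IMPORT["ip-src"]](value=ip)` without `.save()`, unlike every other import path in this file, so `link_to_tag` and `add_context` run against an unpersisted observable and nothing links it to `invest`; append `.save()` and the `invest.link_to(...)` the other importers perform. The "c2-ip" branch calls `self.attr_misp_to_yeti(invest, c2)`, which returns `None` when `c2["type"]` is not in `MISP_Attribute_TO_IMPORT`, and dereferences the result on the next line; in MISP's c2-list template "c2-ip" and "c2-ipport" are `object_relation` values rather than attribute types, so confirm which field the filters should compare. `ip, port = c2["value"].split("|")` raises ValueError for any value without exactly one `|`. `list_c2_domain` holds ip|port pairs, not domains; `list_c2_ipport` says what it is.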
From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 11:51:40 +0100 Subject: [PATCH 07/69] update location --- core/schemas/entity.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/core/schemas/entity.py b/core/schemas/entity.py index 8e99f6f66..e67d9ac85 100644 --- a/core/schemas/entity.py +++ b/core/schemas/entity.py @@ -145,7 +145,10 @@ class location(Entity): reference: str = "" lat: float = 0.0 lon: float = 0.0 - + country: str = "" + city: str = "" + country_code: int = 0 + class SeverityType(str, Enum): none = "none" low = "low" From 828d9b69afe7c870c8845113411b3a2402314acd Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 14:08:34 +0100 Subject: [PATCH 08/69] add setter for location --- core/schemas/entity.py | 14 +++++++++++++- poetry.lock | 15 +++++++++++++-- pyproject.toml | 1 + 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/core/schemas/entity.py b/core/schemas/entity.py index e67d9ac85..140d71212 100644 --- a/core/schemas/entity.py +++ b/core/schemas/entity.py @@ -137,7 +137,8 @@ class Investigation(Entity): reference: str = "" -class location(Entity): + +class Location(Entity): _type_filter: ClassVar[str] = EntityType.location type: Literal[EntityType.location] = EntityType.location @@ -149,6 +150,17 @@ class location(Entity): city: str = "" country_code: int = 0 + def set_country_name_by_code(self, code: int): + import pycountry + + self.country = pycountry.countries.get(numeric=str(code)).name + + def set_country_code_by_name(self, name: str): + import pycountry + + self.country_code = pycountry.countries.get(name=name).numeric + + class SeverityType(str, Enum): none = "none" low = "low" diff --git a/poetry.lock b/poetry.lock index b388b6230..d0d0b37e1 100644 --- a/poetry.lock +++ b/poetry.lock 
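Review bot: `set_country_code_by_name` stores `pycountry.countries.get(name=name).numeric`, a string such as "250", into `country_code: int`, and `set_country_name_by_code` takes an int it then stringifies; the annotation and the stored value disagree, and depending on whether the model validates on assignment this either fails or silently keeps a str (the test added later in this series asserts "FR", a third shape). `pycountry.countries.get(...)` also returns `None` for an unknown name or code, so `.numeric`/`.name` raise AttributeError. Decide on one representation — the sketch below keeps the int annotation — and move `import pycountry` to module level now that this commit's pyproject declares it.

```python
def set_country_name_by_code(self, code: int):
    # pycountry numeric codes are zero-padded 3-character strings
    country = pycountry.countries.get(numeric=str(code).zfill(3))
    if country is None:
        raise ValueError(f"unknown ISO 3166-1 numeric code: {code}")
    self.country = country.name

def set_country_code_by_name(self, name: str):
    country = pycountry.countries.get(name=name)
    if country is None:
        raise ValueError(f"unknown country name: {name}")
    self.country_code = int(country.numeric)
```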
@@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.1 and should not be changed by hand. [[package]] name = "altair" @@ -1519,6 +1519,17 @@ files = [ [package.dependencies] pyasn1 = ">=0.4.6,<0.6.0" +[[package]] +name = "pycountry" +version = "23.12.11" +description = "ISO country, subdivision, language, currency and script definitions and their translations" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pycountry-23.12.11-py3-none-any.whl", hash = "sha256:2ff91cff4f40ff61086e773d61e72005fe95de4a57bfc765509db05695dc50ab"}, + {file = "pycountry-23.12.11.tar.gz", hash = "sha256:00569d82eaefbc6a490a311bfa84a9c571cff9ddbf8b0a4f4e7b4f868b4ad925"}, +] + [[package]] name = "pycparser" version = "2.21" @@ -2539,4 +2550,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p [metadata] lock-version = "2.0" python-versions = ">=3.10,<3.12" -content-hash = "f1c8d01a1433b9c171ae8e43ade01f69fc6d2dad1b283dcaf42f065e42ce129a" +content-hash = "67fef59bf1c06067ebf0c79dbeaef6d4ea4a44f87f6ebaccc85c3f29d3fe677d" diff --git a/pyproject.toml b/pyproject.toml index 331cea592..99c05175f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -25,6 +25,7 @@ itsdangerous = "^2.1.2" pyyaml = "^6.0.1" parameterized = "^0.9.0" artifacts = {git = "https://github.com/forensicartifacts/artifacts.git", rev = "main"} +pycountry = "^23.12.11" [tool.poetry.group.dev.dependencies] pylint = "^2.16.1" From 5986e728da3de3d81414b64d2be3debf60d56a52 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 14:38:03 +0100 Subject: [PATCH 09/69] add cmd line and ruff linting --- core/common/misp_to_yeti.py | 210 +++++++++++++++++++++++++++--------- 1 file changed, 158 insertions(+), 52 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index efe9f2403..0ed0cb815 100644 
--- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -1,4 +1,5 @@ import logging +import pycountry from datetime import timedelta from core.schemas import entity, observable, indicator @@ -24,25 +25,30 @@ "asn": observable.ObservableType.asn, } + class MispToYeti: def __init__(self, misp_event): self.misp_event = misp_event self.func_by_type = { - "asn": self.__import_asn_object, - "av-signature": self.__import_av_signature, - "btc-wallet": self.__import_btc_wallet, - "c2-list": self.__import_c2_list, - } + "asn": self.__import_asn_object, + "av-signature": self.__import_av_signature, + "btc-wallet": self.__import_btc_wallet, + "c2-list": self.__import_c2_list, + "crowdsec-ip-context": self.__import_crowdsec_ip_context, + "command-line": self.__import_commande_line, + } def attr_misp_to_yeti( self, invest: entity.Investigation, attribute: dict - ) -> observable.Observable: # type: ignore + ) -> observable.Observable: # type: ignore if attribute.get("type") in MISP_Attribute_TO_IMPORT: obs_yeti = observable.TYPE_MAPPING[ - MISP_Attribute_TO_IMPORT[attribute.get("type")] # type: ignore + MISP_Attribute_TO_IMPORT[attribute.get("type")] # type: ignore ](value=attribute.get("value")).save() - invest.link_to(obs_yeti, "imported_by_misp",f"misp {self.misp_event['Orgc']['name']}") + invest.link_to( + obs_yeti, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + ) print(f"Attribute {attribute.get('value')} imported") return obs_yeti 
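Review bot: `attr_misp_to_yeti` is annotated `-> observable.Observable` with a `# type: ignore`, but it falls off the end and returns `None` for any type outside `MISP_Attribute_TO_IMPORT`, which is exactly what its callers test with `if obs_yeti:`; `-> observable.Observable | None` states the real contract and makes the ignore unnecessary. The second `# type: ignore` on `MISP_Attribute_TO_IMPORT[attribute.get("type")]` disappears too if you bind `misp_type = attribute.get("type")` once and index after the `in` check. A short docstring — what it imports, what it links to `invest`, and that unsupported types yield `None` — belongs on the method now that the signature is stable.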
@@ -57,50 +63,62 @@ def add_context_by_misp( context["comment"] = attribute_misp.get("comment") obs_yeti.add_context("misp", context) - - def add_obs(self,invest: entity.Investigation,obs_misp: dict): + + def add_obs(self, invest: entity.Investigation, obs_misp: dict): for attr in obs_misp["Attribute"]: - obs_yeti = self.attr_misp_to_yeti(invest,attr) - + obs_yeti = self.attr_misp_to_yeti(invest, attr) + if obs_yeti: self.add_context_by_misp(attr, obs_misp, obs_yeti) yield obs_yeti else: print(f"Attribute {attr} not imported") - - def obs_misp_to_yeti(self,invest: entity.Investigation, object_misp: dict): + + def obs_misp_to_yeti(self, invest: entity.Investigation, object_misp: dict): if object_misp["name"] in self.func_by_type: - self.func_by_type[object_misp["name"]](invest,object_misp) + self.func_by_type[object_misp["name"]](invest, object_misp) else: - for obs_yeti in self.add_obs(invest,object_misp): - invest.link_to(obs_yeti, "imported_by_misp",f"misp {self.misp_event['Orgc']['name']}") - + for obs_yeti in self.add_obs(invest, object_misp): + invest.link_to( + obs_yeti, + "imported_by_misp", + f"misp {self.misp_event['Orgc']['name']}", + ) def misp_to_yeti(self): invest = entity.Investigation(name=self.misp_event["info"]).save() if self.misp_event["Tag"]: invest.tag(self.misp_event["Tag"]) - - + invest.description =f"Org {self.misp_event['Orgc']['name']} Event id: {self.misp_event['id']}" for object_misp in self.misp_event["Object"]: - self.obs_misp_to_yeti(invest,object_misp) + self.obs_misp_to_yeti(invest, object_misp) for attribute_misp in self.misp_event["Attribute"]: - obs_yeti = self.attr_misp_to_yeti(invest,attribute_misp) + obs_yeti = self.attr_misp_to_yeti(invest, attribute_misp) if obs_yeti: self.add_context_by_misp(attribute_misp, self.misp_event, obs_yeti) else: print(f"Attribute {attribute_misp} not imported") invest.save() - def __import_av_signature(self, invest: entity.Investigation,object_av_signature: dict): - av_sig = 
indicator.av_signature(name=object_av_signature["signature"],software=object_av_signature["software"]).save() + def __import_av_signature( + self, invest: entity.Investigation, object_av_signature: dict + ): + av_sig = indicator.av_signature( + name=object_av_signature["signature"], + software=object_av_signature["software"], + diamond=indicator.DiamondModel.capability, + pattern=object_av_signature["signature"], + location='misp', + ).save() av_sig.description = object_av_signature["description"] av_sig.save() - invest.link_to(av_sig, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") + invest.link_to( + av_sig, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + ) - def __import_asn_object(self, invest: entity.Investigation,object_asn: dict): + def __import_asn_object(self, invest: entity.Investigation, object_asn: dict): asn = observable.asn.ASN(value=object_asn["asn"]).save() context = {} 
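Review bot: `invest.description =f"Org ..."` in `misp_to_yeti` and `location='misp'` in `__import_av_signature` are left unformatted in a commit whose subject is a ruff-formatting pass; `invest.description = f"..."` and `location="misp"` match the rest of the hunk. The description could also be given to `entity.Investigation(name=..., description=...)` at construction so the first `.save()` already persists it rather than relying on the final `invest.save()` — hedged, since the constructor's accepted fields are not visible here. `print(f"Attribute {attribute_misp} not imported")` survives next to the module's `logging` import; the same applies to the other `print` calls in this hunk.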
@@ -111,20 +129,22 @@ def __import_asn_object(self, invest: entity.Investigation,object_asn: dict): except ValueError: logging.error(f"Invalid subnet: {subnet}") - if object_asn['last-seen']: - context["last-seen"] = object_asn['last-seen'] - if object_asn['first-seen']: - context["first-seen"] = object_asn['first-seen'] - if object_asn['description']: - context["description"] = object_asn['description'] - if object_asn['country']: - context["country"] = object_asn['country'] - + if object_asn["last-seen"]: + context["last-seen"] = object_asn["last-seen"] + if object_asn["first-seen"]: + context["first-seen"] = object_asn["first-seen"] + if object_asn["description"]: + context["description"] = object_asn["description"] + if object_asn["country"]: + context["country"] = object_asn["country"] + asn.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) - - invest.link_to(asn, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") - - def __import_btc_wallet(self, invest: entity.Investigation,object_btc: dict): + + invest.link_to( + asn, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + ) + + def __import_btc_wallet(self, invest: entity.Investigation, object_btc: dict): btc = observable.wallet.Wallet(value=object_btc["wallet-address"]).save() context = {} if object_btc["BTC_received"]: 
@@ -137,19 +157,105 @@ def __import_btc_wallet(self, invest: entity.Investigation,object_btc: dict): context["time"] = object_btc["time"] if context: btc.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) - invest.link_to(btc, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") - + invest.link_to( + btc, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + ) + + def __import_c2_list(self, invest: entity.Investigation, object_c2_list: dict): + list_c2_ip = filter(lambda x: x["type"] == "c2-ip", object_c2_list["Attribute"]) + list_c2_domain = filter( + lambda x: x["type"] == "c2-ipport", object_c2_list["Attribute"] + ) + for c2 in list_c2_ip: + obs_yeti = self.attr_misp_to_yeti(invest, c2) + obs_yeti.link_to_tag(object_c2_list["threat"], timedelta(days=30)) + for c2 in list_c2_domain: + ip, port = c2["value"].split("|") + obs_yeti = observable.TYPE_MAPPING[MISP_Attribute_TO_IMPORT["ip-src"]]( + value=ip + ) + obs_yeti.link_to_tag(object_c2_list["threat"], timedelta(days=30)) + obs_yeti.add_context("misp", {"port": port}) - def __import_c2_list(self, invest: entity.Investigation,object_c2_list: dict): - list_c2_ip = filter(lambda x: x["type"] == "c2-ip", object_c2_list["Attribute"]) - list_c2_domain = filter(lambda x: x["type"] == "c2-ipport", object_c2_list["Attribute"]) - for c2 in list_c2_ip: - obs_yeti=self.attr_misp_to_yeti(invest,c2) - obs_yeti.link_to_tag(object_c2_list['threat'],timedelta(days=30)) - for c2 in list_c2_domain: - ip,port = c2["value"].split("|") - obs_yeti=observable.TYPE_MAPPING[MISP_Attribute_TO_IMPORT["ip-src"]](value=ip) - obs_yeti.link_to_tag(object_c2_list['threat'],timedelta(days=30)) - obs_yeti.add_context("misp",{"port":port}) + def __import_crowdsec_ip_context(self, invest: entity.Investigation, object_crowdsec_ip: dict): + ip = observable.ipv4.IPv4(value=object_crowdsec_ip["ip"]).save() + + as_num = object_crowdsec_ip.get("as_num") + if as_num: + as_num = observable.asn.ASN(value=as_num).save() + 
ip.link_to(as_num, "part_of", "asn") + + context = {} + attack_details = object_crowdsec_ip.get("attack-details") + + if attack_details: + context["attack-details"] = attack_details + + background_noise = object_crowdsec_ip.get("background-noise") + if background_noise: + context["background-noise"] = background_noise + + behaviors = object_crowdsec_ip.get("behaviors") + if behaviors: + context["behaviors"] = behaviors + + city = object_crowdsec_ip.get("city") + country = object_crowdsec_ip.get("country") + country_code = object_crowdsec_ip.get("country_code") + + if city or country or country_code: + if city: + location = entity.Location(name=city,city=city).save() + + if country: + location = entity.Location(name=country,country=country).save() + location.set_country_code_by_name(country) + if country_code: + country_name = pycountry.countries.get(alpha_2=country_code).name + location = entity.Location(name=country_name,country=country_name).save() + if location: + ip.link_to(location, "located_at", "location") + invest.link_to(location, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec") + dst_port = object_crowdsec_ip.get("dst-port") + if dst_port: + context["dst_port"] = dst_port + ip_range_scope = object_crowdsec_ip.get("ip-range-scope") + if ip_range_scope: + context["ip-range-scope"] = ip_range_scope + trust = object_crowdsec_ip.get("trust") + if trust: + context["trust"] = trust + + ip_range = object_crowdsec_ip.get("ip-range") + if ip_range: + cidr_obs = observable.cidr.CIDR(value=ip_range).save() # type: ignore + ip.link_to(cidr_obs, "part_of", "subnet") + invest.link_to(cidr_obs, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec") + + ip.add_context(f"misp {self.misp_event['Orgc']['name']} CrowdSec", context) + + reverse_dns = object_crowdsec_ip.get("reverse_dns") + if reverse_dns: + hostname = observable.hostname.Hostname(value=reverse_dns).save() + ip.link_to(hostname, "resolved_to", "hostname") + 
invest.link_to(hostname, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec") + + invest.link_to(ip, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec") + + def __import_commande_line(self, invest: entity.Investigation, object_command_line: dict): + cmd_line = object_command_line["value"] + cmd_line = observable.command_line.CommandLine(value=cmd_line).save() + + description = object_command_line.get("description") + context = {} + if description: + context["description"] = description + if context: + cmd_line.add_context(f"misp {self.misp_event['Orgc']['name']}", context) + invest.link_to(cmd_line, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") + + + + \ No newline at end of file From 79917b5555e1aa31e9459475861e0b87208ff015 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 14:51:39 +0100 Subject: [PATCH 10/69] add test location --- tests/schemas/entity.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/schemas/entity.py b/tests/schemas/entity.py index 241447278..1ecbda149 100644 --- a/tests/schemas/entity.py +++ b/tests/schemas/entity.py @@ -10,6 +10,7 @@ ThreatActor, Tool, Vulnerability, + Location, ) from core.schemas.observables import hostname @@ -135,3 +136,10 @@ def test_bad_cve_name(self): def test_correct_cve_name(self): vulnerability = Vulnerability(name="CVE-1337-4242").save() self.assertEqual(Vulnerability.is_valid(vulnerability), True) + + def test_location(self): + location = Location(name="France").save() + location.set_country_code_by_name(location.name) + self.assertEqual(location.name, "France") + self.assertEqual(location.country_code, "FR") + From 19da92d60b0f692220b49a3cc5827beb37413369 Mon Sep 17 00:00:00 2001 
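Review bot: In `__import_crowdsec_ip_context` the location block creates a separate `entity.Location` for `city`, `country` and `country_code` when more than one is present, saving each but linking only the last, so the earlier ones are orphaned in the graph; `pycountry.countries.get(alpha_2=country_code)` also returns `None` for an unknown code, so `.name` raises AttributeError, and the `country_code` branch never sets the `country_code` field it was derived from. Building one Location from whatever fields are present, as sketched below, avoids both. Separately, `__import_commande_line` misspells the method name (it is also the target in `func_by_type`), and the file now ends with trailing blank lines and no final newline.

```python
# … unchanged: ip / as_num handling and context building above …
if city or country or country_code:
    country_name = country
    if not country_name and country_code:
        match = pycountry.countries.get(alpha_2=country_code)
        country_name = match.name if match else None
    location = entity.Location(
        name=city or country_name or country_code,
        city=city or "",
        country=country_name or "",
    ).save()
    if country_name:
        location.set_country_code_by_name(country_name)
    ip.link_to(location, "located_at", "location")
    invest.link_to(
        location,
        "imported_by_misp",
        f"misp {self.misp_event['Orgc']['name']} CrowdSec",
    )
# … unchanged: dst-port, ip-range, reverse_dns handling below …
```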
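Review bot: `test_location` asserts `location.country_code == "FR"`, but `set_country_code_by_name` stores `pycountry.countries.get(name=name).numeric`, which for France is the string "250", into a field annotated `int`; the assertion cannot pass against the setter as written. Pick one encoding and assert it — `self.assertEqual(location.country_code, 250)` if the setter converts the numeric code to int, or change the setter to store `alpha_2` if "FR" is the intended value — and add a case for an unknown name so the `None` pycountry returns is exercised. The test also asserts on in-memory fields right after `.save()`; if the database round-trip is what should be covered, re-fetch the entity before asserting.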
From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 15:02:29 +0100 Subject: [PATCH 11/69] add cookie --- core/schemas/observable.py | 2 ++ core/schemas/observables/cookie.py | 23 +++++++++++++++++++++++ tests/schemas/observable.py | 14 ++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 core/schemas/observables/cookie.py diff --git a/core/schemas/observable.py b/core/schemas/observable.py index 96db22725..50532ea4f 100644 --- a/core/schemas/observable.py +++ b/core/schemas/observable.py @@ -20,6 +20,7 @@ class ObservableType(str, Enum): certificate = "certificate" cidr = "cidr" command_line = "command_line" + cookie = "cookie" docker_image = "docker_image" email = "email" file = "file" @@ -193,6 +194,7 @@ def find_type(value: str) -> ObservableType | None: certificate, # noqa: F401 cidr, # noqa: F401 command_line, # noqa: E402, F401 + cookie, # noqa: F401 docker_image, # noqa: F401 email, # noqa: F401 file, # noqa: F401 diff --git a/core/schemas/observables/cookie.py b/core/schemas/observables/cookie.py new file mode 100644 index 000000000..e0d7a04cf --- /dev/null +++ b/core/schemas/observables/cookie.py @@ -0,0 +1,23 @@ +import datetime +from typing import Literal, Optional + +from core.schemas import observable + + +class Cookie(observable.Observable): + type: Literal[observable.ObservableType.cookie] = observable.ObservableType.cookie + + http_only: bool = False + secure: bool = False + type_cookie: Literal[ + "Session management", + "Tracking", + "Personalization", + "Security", + "Exfiltration", + "Beaconing", + "Other", + ] = "Session management" + expires: Optional[datetime.datetime] = None + +observable.TYPE_MAPPING[observable.ObservableType.cookie] = Cookie diff --git a/tests/schemas/observable.py b/tests/schemas/observable.py index e6b0ed3ed..d0e5d1a0a 100644 --- a/tests/schemas/observable.py +++ b/tests/schemas/observable.py @@ -10,6 +10,7 @@ certificate, cidr, command_line, + cookie, docker_image, email, file, 
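Review bot: `Cookie` has no docstring, and the hunk does not say what `value` holds — the cookie name, or a full `name=value` pair that may carry a live session token — nor whether `expires` is the cookie's own expiry or the observation time; a class docstring such as `"""An HTTP cookie observed in traffic or a sample. `value` is the cookie name (or name=value pair; treat as sensitive when it carries a session identifier); `expires` is the cookie's own expiry."""` settles both, adjusted to whichever reading is intended. `type_cookie` is a fixed `Literal` of seven labels; a one-line comment naming where that taxonomy comes from helps whoever adds the eighth. `Optional[datetime.datetime]` can be `datetime.datetime | None` if the package targets 3.10+, which the `-> IndicatorMatch | None` annotation in `core/schemas/indicator.py` earlier in this series suggests.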
@@ -530,3 +531,16 @@ def test_create_user_account_incoherent_dates(self) -> None: 2023, 1, 1, tzinfo=datetime.timezone.utc ), ).save() + def test_cookie(self): + cookie_obs = cookie.Cookie(value="test_cookie") + cookie_obs.http_only = True + cookie_obs.secure = True + cookie_obs.type_cookie = "Session management" + cookie_obs.expires = datetime.datetime.now(datetime.timezone.utc) + cookie_obs.save() + self.assertEqual(cookie_obs.type, "cookie") + self.assertEqual(cookie_obs.http_only, True) + self.assertEqual(cookie_obs.secure, True) + self.assertEqual(cookie_obs.type_cookie, "Session management") + self.assertIsNotNone(cookie_obs.expires) + From 65370ed52c0958e93fa8d4837870066929ee5102 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 15:04:07 +0100 Subject: [PATCH 12/69] add description --- tests/schemas/observable.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/schemas/observable.py b/tests/schemas/observable.py index d0e5d1a0a..20eb715ee 100644 --- a/tests/schemas/observable.py +++ b/tests/schemas/observable.py @@ -531,7 +531,9 @@ def test_create_user_account_incoherent_dates(self) -> None: 2023, 1, 1, tzinfo=datetime.timezone.utc ), ).save() + def test_cookie(self): + """Tests creating a cookie.""" cookie_obs = cookie.Cookie(value="test_cookie") cookie_obs.http_only = True cookie_obs.secure = True @@ -543,4 +545,3 @@ def test_cookie(self): self.assertEqual(cookie_obs.secure, True) self.assertEqual(cookie_obs.type_cookie, "Session management") self.assertIsNotNone(cookie_obs.expires) - From 6f25bffad72492bb3e1054c1b84a63b1975b782f Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 15:31:59 +0100 Subject: [PATCH 13/69] add cookie --- core/common/misp_to_yeti.py | 59 +++++++----- core/schemas/observables/cookie.py | 2 + poetry.lock | 143 ++++++++++++++++++++++++++++- pyproject.toml | 1 + 4 files changed, 183 insertions(+), 22 deletions(-) 
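Review bot: `test_cookie` sets `cookie_obs.type_cookie = "Session management"`, which is already the field's default, so the matching assertion passes even if the assignment were dropped; use a non-default literal such as `"Tracking"` there. A second case asserting that a string outside the `Literal` is rejected would pin the validation the field is meant to provide, if the model enforces it on assignment or `save()`. `self.assertEqual(cookie_obs.http_only, True)` and the `secure` check read more naturally as `self.assertTrue(...)`.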
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 0ed0cb815..8563a0894 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -2,6 +2,7 @@ import pycountry from datetime import timedelta from core.schemas import entity, observable, indicator +import dateparser MISP_Attribute_TO_IMPORT = { "domain": observable.ObservableType.hostname, @@ -23,6 +24,7 @@ "filename": observable.ObservableType.file, "regkey": observable.ObservableType.registry_key, "asn": observable.ObservableType.asn, + "cookie": observable.ObservableType.cookie, } @@ -37,17 +39,18 @@ def __init__(self, misp_event): "c2-list": self.__import_c2_list, "crowdsec-ip-context": self.__import_crowdsec_ip_context, "command-line": self.__import_commande_line, + "cookie": self.__import_cookie, } def attr_misp_to_yeti( - self, invest: entity.Investigation, attribute: dict + self, invest: entity.Investigation, attribute: dict, description: str ="" ) -> observable.Observable: # type: ignore if attribute.get("type") in MISP_Attribute_TO_IMPORT: obs_yeti = observable.TYPE_MAPPING[ MISP_Attribute_TO_IMPORT[attribute.get("type")] # type: ignore ](value=attribute.get("value")).save() invest.link_to( - obs_yeti, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + obs_yeti, "imported_by_misp", description ) print(f"Attribute {attribute.get('value')} imported") return obs_yeti @@ -56,12 +59,10 @@ def add_context_by_misp( self, attribute_misp: dict, event: dict, obs_yeti: observable.Observable ): context = {} - event_id = attribute_misp.get("event_id") context["Org"] = event["Org"]["name"] - context["event_id"] = event_id + if attribute_misp.get("comment"): context["comment"] = attribute_misp.get("comment") - obs_yeti.add_context("misp", context) def add_obs(self, invest: entity.Investigation, obs_misp: dict): 
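Review bot: `attr_misp_to_yeti` still falls off the end and returns `None` when `attribute.get("type")` is not in `MISP_Attribute_TO_IMPORT`, while the callers this commit reroutes through it (`__import_asn_object`, `__import_crowdsec_ip_context`, `__import_cookie`) dereference the result immediately; either raise, or `return None` explicitly with a log line and have the callers check it. The new `description: str = ""` default also means a call that omits it — `self.attr_misp_to_yeti(invest, as_num)` in the crowdsec hunk — records an `imported_by_misp` link with an empty description. Separately, `print(f"Attribute {attribute.get('value')} imported")` now runs for cookie attributes too and writes the raw cookie value, often a session credential, to stdout; this module already imports `logging`, so `logging.info("Attribute of type %s imported", attribute.get("type"))` keeps the trace without the value.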
@@ -82,7 +83,7 @@ def obs_misp_to_yeti(self, invest: entity.Investigation, object_misp: dict): invest.link_to( obs_yeti, "imported_by_misp", - f"misp {self.misp_event['Orgc']['name']}", + description=f"misp {self.misp_event['Orgc']['name']}", ) def misp_to_yeti(self): @@ -111,7 +112,7 @@ def __import_av_signature( diamond=indicator.DiamondModel.capability, pattern=object_av_signature["signature"], location='misp', - ).save() + ) av_sig.description = object_av_signature["description"] av_sig.save() invest.link_to( @@ -119,7 +120,7 @@ def __import_av_signature( ) def __import_asn_object(self, invest: entity.Investigation, object_asn: dict): - asn = observable.asn.ASN(value=object_asn["asn"]).save() + asn = self.attr_misp_to_yeti(invest, object_asn['value'], description=f"misp {self.misp_event['Orgc']['name']}") context = {} if subnet := object_asn.get("subnet"): @@ -145,7 +146,7 @@ def __import_asn_object(self, invest: entity.Investigation, object_asn: dict): ) def __import_btc_wallet(self, invest: entity.Investigation, object_btc: dict): - btc = observable.wallet.Wallet(value=object_btc["wallet-address"]).save() + btc = observable.wallet.Wallet(value=object_btc["wallet-address"]) context = {} if object_btc["BTC_received"]: context["BTC_received"] = object_btc["BTC_received"] @@ -159,7 +160,8 @@ def __import_btc_wallet(self, invest: entity.Investigation, object_btc: dict): btc.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) invest.link_to( btc, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" - ) + ) + btc.save() def __import_c2_list(self, invest: entity.Investigation, object_c2_list: dict): list_c2_ip = filter(lambda x: x["type"] == "c2-ip", object_c2_list["Attribute"]) 
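Review bot: In `__import_asn_object`, `object_asn['value']` is now passed as the `attribute` argument of `attr_misp_to_yeti`, which calls `attribute.get("type")` on it; before this commit that position held a plain string (`ASN(value=object_asn["asn"])`), and a `str` has no `.get`, so this raises `AttributeError` unless `object_asn['value']` is itself an attribute dict — please confirm which it is. The same pattern appears in the crowdsec hunk (`object_crowdsec_ip['ip']`, `as_num`, `reverse_dns`), in `__import_cookie` (`cookie_attr`) and in the later `__import_cs_beaconing` (`sha256`, `sha1`, `md5`, `asn`, `jar-md5`, `watermark`). If these are bare values, wrap them so the helper's contract holds, e.g. `self.attr_misp_to_yeti(invest, {"type": "asn", "value": object_asn["asn"]}, description=...)` — `"asn"` is already a key of `MISP_Attribute_TO_IMPORT`.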
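Review bot: `__import_btc_wallet` now builds the `Wallet` without saving, then calls `btc.add_context(...)` and `invest.link_to(btc, ...)` before the `btc.save()` added at the end of the function; whether `link_to` can target an object that has no stored id yet depends on the schema base class and should be checked. If the goal is a single save, move `btc.save()` above `invest.link_to(` rather than after it. The av-signature hunk in this same file keeps `av_sig.save()` before `invest.link_to(`, so the two importers should at least agree on the order.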
@@ -167,7 +169,7 @@ def __import_c2_list(self, invest: entity.Investigation, object_c2_list: dict): lambda x: x["type"] == "c2-ipport", object_c2_list["Attribute"] ) for c2 in list_c2_ip: - obs_yeti = self.attr_misp_to_yeti(invest, c2) + obs_yeti = self.attr_misp_to_yeti(invest, c2, description=f"misp {self.misp_event['Orgc']['name']}") obs_yeti.link_to_tag(object_c2_list["threat"], timedelta(days=30)) for c2 in list_c2_domain: ip, port = c2["value"].split("|") @@ -178,12 +180,12 @@ def __import_c2_list(self, invest: entity.Investigation, object_c2_list: dict): obs_yeti.add_context("misp", {"port": port}) def __import_crowdsec_ip_context(self, invest: entity.Investigation, object_crowdsec_ip: dict): - ip = observable.ipv4.IPv4(value=object_crowdsec_ip["ip"]).save() + ip = self.attr_misp_to_yeti(invest, object_crowdsec_ip['ip'],description=f"misp {self.misp_event['Orgc']['name']} CrowdSec") as_num = object_crowdsec_ip.get("as_num") if as_num: - as_num = observable.asn.ASN(value=as_num).save() - ip.link_to(as_num, "part_of", "asn") + asn = self.attr_misp_to_yeti(invest, as_num) + ip.link_to(asn, "part_of", "asn") context = {} attack_details = object_crowdsec_ip.get("attack-details") 
@@ -238,12 +240,9 @@ def __import_crowdsec_ip_context(self, invest: entity.Investigation, object_crow reverse_dns = object_crowdsec_ip.get("reverse_dns") if reverse_dns: - hostname = observable.hostname.Hostname(value=reverse_dns).save() + hostname = self.attr_misp_to_yeti(invest, reverse_dns,description=f"misp {self.misp_event['Orgc']['name']} CrowdSec") ip.link_to(hostname, "resolved_to", "hostname") - invest.link_to(hostname, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec") - - invest.link_to(ip, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec") - + def __import_commande_line(self, invest: entity.Investigation, object_command_line: dict): cmd_line = object_command_line["value"] cmd_line = observable.command_line.CommandLine(value=cmd_line).save() @@ -256,6 +255,24 @@ def __import_commande_line(self, invest: entity.Investigation, object_command_li cmd_line.add_context(f"misp {self.misp_event['Orgc']['name']}", context) invest.link_to(cmd_line, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}") + def __import_cookie(self, invest: entity.Investigation, object_cookie: dict): + + name = object_cookie['name'] + + cookie_attr = object_cookie['cookie'] + cookie = self.attr_misp_to_yeti(invest, cookie_attr,description=f"misp {self.misp_event['Orgc']['name']}") + cookie.name = name + https_only = object_cookie.get("http-only") + if https_only: + cookie.http_only = https_only + secure = object_cookie.get("secure") + if secure: + cookie.secure = secure + cookie_type = object_cookie.get("type") + if cookie_type: + cookie.type_cookie = cookie_type + expires = object_cookie.get("expires") + if expires: + cookie.expires = dateparser.parse(expires) + cookie.save() - - \ No newline at end of file diff --git a/core/schemas/observables/cookie.py b/core/schemas/observables/cookie.py index e0d7a04cf..65b307dab 100644 --- a/core/schemas/observables/cookie.py +++ b/core/schemas/observables/cookie.py 
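Review bot: In `__import_cookie`, MISP values are assigned to typed fields without conversion: `cookie.http_only = https_only` and `cookie.secure = secure` store whatever `object_cookie.get(...)` returns, and since values elsewhere in this file are strings (`c2["value"].split("|")`), `"0"` or `"false"` would be truthy, pass the `if`, and land in a `bool` field; `cookie.expires = dateparser.parse(expires)` likewise stores `None` silently when parsing fails. Normalise explicitly, e.g. `cookie.http_only = str(https_only).lower() in ("1", "true")`, and log when `dateparser.parse` returns `None`. The local name `https_only` for the `http-only` flag is misleading; `http_only` matches both the MISP key and the model field. `object_cookie['name']` and `object_cookie['cookie']` raise `KeyError` where every other field uses `.get`, and `cookie.save()` is only reachable if `attr_misp_to_yeti` returned an object rather than `None`.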
@@ -19,5 +19,7 @@ class Cookie(observable.Observable): "Other", ] = "Session management" expires: Optional[datetime.datetime] = None + name: Optional[str] = None + cookie: Optional[str] = None observable.TYPE_MAPPING[observable.ObservableType.cookie] = Cookie diff --git a/poetry.lock b/poetry.lock index d0d0b37e1..23b147031 100644 --- a/poetry.lock +++ b/poetry.lock @@ -626,6 +626,28 @@ ssh = ["bcrypt (>=3.1.5)"] test = ["pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] test-randomorder = ["pytest-randomly"] +[[package]] +name = "dateparser" +version = "1.2.0" +description = "Date parsing library designed to parse dates from HTML pages" +optional = false +python-versions = ">=3.7" +files = [ + {file = "dateparser-1.2.0-py2.py3-none-any.whl", hash = "sha256:0b21ad96534e562920a0083e97fd45fa959882d4162acc358705144520a35830"}, + {file = "dateparser-1.2.0.tar.gz", hash = "sha256:7975b43a4222283e0ae15be7b4999d08c9a70e2d378ac87385b1ccf2cffbbb30"}, +] + +[package.dependencies] +python-dateutil = "*" +pytz = "*" +regex = "<2019.02.19 || >2019.02.19,<2021.8.27 || >2021.8.27" +tzlocal = "*" + +[package.extras] +calendars = ["convertdate", "hijri-converter"] +fasttext = ["fasttext"] +langdetect = ["langdetect"] + [[package]] name = "deprecated" version = "1.2.14" 
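Review bot: The new `cookie: Optional[str] = None` field sits beside the inherited `value` with no comment on which one holds the cookie's value, and `__import_cookie` in this same commit sets `name`, `http_only`, `secure`, `type_cookie` and `expires` but never `cookie`, so the field is currently unused. Either drop it or add a comment such as `# raw cookie string as seen on the wire; `value` holds <the normalised form>` once the distinction is decided.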
@@ -1933,6 +1955,108 @@ files = [ attrs = ">=22.2.0" rpds-py = ">=0.7.0" +[[package]] +name = "regex" +version = "2023.12.25" +description = "Alternative regular expression module, to replace re." +optional = false +python-versions = ">=3.7" +files = [ + {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0694219a1d54336fd0445ea382d49d36882415c0134ee1e8332afd1529f0baa5"}, + {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b014333bd0217ad3d54c143de9d4b9a3ca1c5a29a6d0d554952ea071cff0f1f8"}, + {file = "regex-2023.12.25-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d865984b3f71f6d0af64d0d88f5733521698f6c16f445bb09ce746c92c97c586"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1e0eabac536b4cc7f57a5f3d095bfa557860ab912f25965e08fe1545e2ed8b4c"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c25a8ad70e716f96e13a637802813f65d8a6760ef48672aa3502f4c24ea8b400"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a9b6d73353f777630626f403b0652055ebfe8ff142a44ec2cf18ae470395766e"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a9cc99d6946d750eb75827cb53c4371b8b0fe89c733a94b1573c9dd16ea6c9e4"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88d1f7bef20c721359d8675f7d9f8e414ec5003d8f642fdfd8087777ff7f94b5"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cb3fe77aec8f1995611f966d0c656fdce398317f850d0e6e7aebdfe61f40e1cd"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:7aa47c2e9ea33a4a2a05f40fcd3ea36d73853a2aae7b4feab6fc85f8bf2c9704"}, + {file = 
"regex-2023.12.25-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:df26481f0c7a3f8739fecb3e81bc9da3fcfae34d6c094563b9d4670b047312e1"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:c40281f7d70baf6e0db0c2f7472b31609f5bc2748fe7275ea65a0b4601d9b392"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:d94a1db462d5690ebf6ae86d11c5e420042b9898af5dcf278bd97d6bda065423"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ba1b30765a55acf15dce3f364e4928b80858fa8f979ad41f862358939bdd1f2f"}, + {file = "regex-2023.12.25-cp310-cp310-win32.whl", hash = "sha256:150c39f5b964e4d7dba46a7962a088fbc91f06e606f023ce57bb347a3b2d4630"}, + {file = "regex-2023.12.25-cp310-cp310-win_amd64.whl", hash = "sha256:09da66917262d9481c719599116c7dc0c321ffcec4b1f510c4f8a066f8768105"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:1b9d811f72210fa9306aeb88385b8f8bcef0dfbf3873410413c00aa94c56c2b6"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d902a43085a308cef32c0d3aea962524b725403fd9373dea18110904003bac97"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:d166eafc19f4718df38887b2bbe1467a4f74a9830e8605089ea7a30dd4da8887"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c7ad32824b7f02bb3c9f80306d405a1d9b7bb89362d68b3c5a9be53836caebdb"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:636ba0a77de609d6510235b7f0e77ec494d2657108f777e8765efc060094c98c"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0fda75704357805eb953a3ee15a2b240694a9a514548cd49b3c5124b4e2ad01b"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f72cbae7f6b01591f90814250e636065850c5926751af02bb48da94dfced7baa"}, 
+ {file = "regex-2023.12.25-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db2a0b1857f18b11e3b0e54ddfefc96af46b0896fb678c85f63fb8c37518b3e7"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:7502534e55c7c36c0978c91ba6f61703faf7ce733715ca48f499d3dbbd7657e0"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:e8c7e08bb566de4faaf11984af13f6bcf6a08f327b13631d41d62592681d24fe"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:283fc8eed679758de38fe493b7d7d84a198b558942b03f017b1f94dda8efae80"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:f44dd4d68697559d007462b0a3a1d9acd61d97072b71f6d1968daef26bc744bd"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:67d3ccfc590e5e7197750fcb3a2915b416a53e2de847a728cfa60141054123d4"}, + {file = "regex-2023.12.25-cp311-cp311-win32.whl", hash = "sha256:68191f80a9bad283432385961d9efe09d783bcd36ed35a60fb1ff3f1ec2efe87"}, + {file = "regex-2023.12.25-cp311-cp311-win_amd64.whl", hash = "sha256:7d2af3f6b8419661a0c421584cfe8aaec1c0e435ce7e47ee2a97e344b98f794f"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8a0ccf52bb37d1a700375a6b395bff5dd15c50acb745f7db30415bae3c2b0715"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c3c4a78615b7762740531c27cf46e2f388d8d727d0c0c739e72048beb26c8a9d"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ad83e7545b4ab69216cef4cc47e344d19622e28aabec61574b20257c65466d6a"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b7a635871143661feccce3979e1727c4e094f2bdfd3ec4b90dfd4f16f571a87a"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = 
"sha256:d498eea3f581fbe1b34b59c697512a8baef88212f92e4c7830fcc1499f5b45a5"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:43f7cd5754d02a56ae4ebb91b33461dc67be8e3e0153f593c509e21d219c5060"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51f4b32f793812714fd5307222a7f77e739b9bc566dc94a18126aba3b92b98a3"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ba99d8077424501b9616b43a2d208095746fb1284fc5ba490139651f971d39d9"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:4bfc2b16e3ba8850e0e262467275dd4d62f0d045e0e9eda2bc65078c0110a11f"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8c2c19dae8a3eb0ea45a8448356ed561be843b13cbc34b840922ddf565498c1c"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:60080bb3d8617d96f0fb7e19796384cc2467447ef1c491694850ebd3670bc457"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b77e27b79448e34c2c51c09836033056a0547aa360c45eeeb67803da7b0eedaf"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:518440c991f514331f4850a63560321f833979d145d7d81186dbe2f19e27ae3d"}, + {file = "regex-2023.12.25-cp312-cp312-win32.whl", hash = "sha256:e2610e9406d3b0073636a3a2e80db05a02f0c3169b5632022b4e81c0364bcda5"}, + {file = "regex-2023.12.25-cp312-cp312-win_amd64.whl", hash = "sha256:cc37b9aeebab425f11f27e5e9e6cf580be7206c6582a64467a14dda211abc232"}, + {file = "regex-2023.12.25-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:da695d75ac97cb1cd725adac136d25ca687da4536154cdc2815f576e4da11c69"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d126361607b33c4eb7b36debc173bf25d7805847346dd4d99b5499e1fef52bc7"}, + {file = 
"regex-2023.12.25-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4719bb05094d7d8563a450cf8738d2e1061420f79cfcc1fa7f0a44744c4d8f73"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5dd58946bce44b53b06d94aa95560d0b243eb2fe64227cba50017a8d8b3cd3e2"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:22a86d9fff2009302c440b9d799ef2fe322416d2d58fc124b926aa89365ec482"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2aae8101919e8aa05ecfe6322b278f41ce2994c4a430303c4cd163fef746e04f"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:e692296c4cc2873967771345a876bcfc1c547e8dd695c6b89342488b0ea55cd8"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:263ef5cc10979837f243950637fffb06e8daed7f1ac1e39d5910fd29929e489a"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:d6f7e255e5fa94642a0724e35406e6cb7001c09d476ab5fce002f652b36d0c39"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:88ad44e220e22b63b0f8f81f007e8abbb92874d8ced66f32571ef8beb0643b2b"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:3a17d3ede18f9cedcbe23d2daa8a2cd6f59fe2bf082c567e43083bba3fb00347"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:d15b274f9e15b1a0b7a45d2ac86d1f634d983ca40d6b886721626c47a400bf39"}, + {file = "regex-2023.12.25-cp37-cp37m-win32.whl", hash = "sha256:ed19b3a05ae0c97dd8f75a5d8f21f7723a8c33bbc555da6bbe1f96c470139d3c"}, + {file = "regex-2023.12.25-cp37-cp37m-win_amd64.whl", hash = "sha256:a6d1047952c0b8104a1d371f88f4ab62e6275567d4458c1e26e9627ad489b445"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_universal2.whl", 
hash = "sha256:b43523d7bc2abd757119dbfb38af91b5735eea45537ec6ec3a5ec3f9562a1c53"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:efb2d82f33b2212898f1659fb1c2e9ac30493ac41e4d53123da374c3b5541e64"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:b7fca9205b59c1a3d5031f7e64ed627a1074730a51c2a80e97653e3e9fa0d415"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:086dd15e9435b393ae06f96ab69ab2d333f5d65cbe65ca5a3ef0ec9564dfe770"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e81469f7d01efed9b53740aedd26085f20d49da65f9c1f41e822a33992cb1590"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:34e4af5b27232f68042aa40a91c3b9bb4da0eeb31b7632e0091afc4310afe6cb"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9852b76ab558e45b20bf1893b59af64a28bd3820b0c2efc80e0a70a4a3ea51c1"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ff100b203092af77d1a5a7abe085b3506b7eaaf9abf65b73b7d6905b6cb76988"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cc038b2d8b1470364b1888a98fd22d616fba2b6309c5b5f181ad4483e0017861"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:094ba386bb5c01e54e14434d4caabf6583334090865b23ef58e0424a6286d3dc"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5cd05d0f57846d8ba4b71d9c00f6f37d6b97d5e5ef8b3c3840426a475c8f70f4"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:9aa1a67bbf0f957bbe096375887b2505f5d8ae16bf04488e8b0f334c36e31360"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_s390x.whl", hash = 
"sha256:98a2636994f943b871786c9e82bfe7883ecdaba2ef5df54e1450fa9869d1f756"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:37f8e93a81fc5e5bd8db7e10e62dc64261bcd88f8d7e6640aaebe9bc180d9ce2"}, + {file = "regex-2023.12.25-cp38-cp38-win32.whl", hash = "sha256:d78bd484930c1da2b9679290a41cdb25cc127d783768a0369d6b449e72f88beb"}, + {file = "regex-2023.12.25-cp38-cp38-win_amd64.whl", hash = "sha256:b521dcecebc5b978b447f0f69b5b7f3840eac454862270406a39837ffae4e697"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:f7bc09bc9c29ebead055bcba136a67378f03d66bf359e87d0f7c759d6d4ffa31"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:e14b73607d6231f3cc4622809c196b540a6a44e903bcfad940779c80dffa7be7"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9eda5f7a50141291beda3edd00abc2d4a5b16c29c92daf8d5bd76934150f3edc"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc6bb9aa69aacf0f6032c307da718f61a40cf970849e471254e0e91c56ffca95"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:298dc6354d414bc921581be85695d18912bea163a8b23cac9a2562bbcd5088b1"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2f4e475a80ecbd15896a976aa0b386c5525d0ed34d5c600b6d3ebac0a67c7ddf"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:531ac6cf22b53e0696f8e1d56ce2396311254eb806111ddd3922c9d937151dae"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:22f3470f7524b6da61e2020672df2f3063676aff444db1daa283c2ea4ed259d6"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = 
"sha256:89723d2112697feaa320c9d351e5f5e7b841e83f8b143dba8e2d2b5f04e10923"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0ecf44ddf9171cd7566ef1768047f6e66975788258b1c6c6ca78098b95cf9a3d"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:905466ad1702ed4acfd67a902af50b8db1feeb9781436372261808df7a2a7bca"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:4558410b7a5607a645e9804a3e9dd509af12fb72b9825b13791a37cd417d73a5"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:7e316026cc1095f2a3e8cc012822c99f413b702eaa2ca5408a513609488cb62f"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:3b1de218d5375cd6ac4b5493e0b9f3df2be331e86520f23382f216c137913d20"}, + {file = "regex-2023.12.25-cp39-cp39-win32.whl", hash = "sha256:11a963f8e25ab5c61348d090bf1b07f1953929c13bd2309a0662e9ff680763c9"}, + {file = "regex-2023.12.25-cp39-cp39-win_amd64.whl", hash = "sha256:e693e233ac92ba83a87024e1d32b5f9ab15ca55ddd916d878146f4e3406b5c91"}, + {file = "regex-2023.12.25.tar.gz", hash = "sha256:29171aa128da69afdf4bde412d5bedc335f2ca8fcfe4489038577d05f16181e5"}, +] + [[package]] name = "requests" version = "2.31.0" 
@@ -2362,6 +2486,23 @@ files = [ {file = "tzdata-2023.4.tar.gz", hash = "sha256:dd54c94f294765522c77399649b4fefd95522479a664a0cec87f41bebc6148c9"}, ] +[[package]] +name = "tzlocal" +version = "5.2" +description = "tzinfo object for the local timezone" +optional = false +python-versions = ">=3.8" +files = [ + {file = "tzlocal-5.2-py3-none-any.whl", hash = "sha256:49816ef2fe65ea8ac19d19aa7a1ae0551c834303d5014c6d5a62e4cbda8047b8"}, + {file = "tzlocal-5.2.tar.gz", hash = "sha256:8d399205578f1a9342816409cc1e46a93ebd5755e39ea2d85334bea911bf0e6e"}, +] + +[package.dependencies] +tzdata = {version = "*", markers = "platform_system == \"Windows\""} + +[package.extras] +devenv = ["check-manifest", "pytest (>=4.3)", "pytest-cov", "pytest-mock (>=3.3)", "zest.releaser"] + [[package]] name = "urllib3" version = "2.2.0" @@ -2550,4 +2691,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p [metadata] lock-version = "2.0" python-versions = ">=3.10,<3.12" -content-hash = "67fef59bf1c06067ebf0c79dbeaef6d4ea4a44f87f6ebaccc85c3f29d3fe677d" +content-hash = "d6f401844101f765f4b2ea40bc509f627eda1132b56364b09baff855deda7407" diff --git a/pyproject.toml b/pyproject.toml index 99c05175f..b3725ef06 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -26,6 +26,7 @@ pyyaml = "^6.0.1" parameterized = "^0.9.0" artifacts = {git = "https://github.com/forensicartifacts/artifacts.git", rev = "main"} pycountry = "^23.12.11" +dateparser = "^1.2.0" [tool.poetry.group.dev.dependencies] pylint = "^2.16.1" From f1c39fea58eea5fdbf79d42458f4f30d121bcc9e Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 16:18:41 +0100 Subject: [PATCH 14/69] add Jarm --- core/schemas/observable.py | 2 ++ core/schemas/observables/jarm.py | 14 ++++++++++++++ tests/schemas/observable.py | 7 +++++++ 3 files changed, 23 insertions(+) create mode 100644 core/schemas/observables/jarm.py 
diff --git a/core/schemas/observable.py b/core/schemas/observable.py index 50532ea4f..52d72a3db 100644 --- a/core/schemas/observable.py +++ b/core/schemas/observable.py @@ -30,6 +30,7 @@ class ObservableType(str, Enum): imphash = "imphash" ipv4 = "ipv4" ipv6 = "ipv6" + jarm = "jarm" mac_address = "mac_address" md5 = "md5" generic = "generic" @@ -204,6 +205,7 @@ def find_type(value: str) -> ObservableType | None: imphash, # noqa: F401 ipv4, # noqa: F401 ipv6, # noqa: F401 + jarm, # noqa: F401 mac_address, # noqa: F401 md5, # noqa: F401 path, # noqa: F401 diff --git a/core/schemas/observables/jarm.py b/core/schemas/observables/jarm.py new file mode 100644 index 000000000..8129ebf2e --- /dev/null +++ b/core/schemas/observables/jarm.py @@ -0,0 +1,14 @@ +from typing import Literal + +from core.schemas import observable + + +class Jarm(observable.Observable): + """Represents a JARM fingerprint. + + Value should be in the form JARM:<HASH>. + """ + + type: Literal[observable.ObservableType.jarm] = observable.ObservableType.jarm + +observable.TYPE_MAPPING[observable.ObservableType.jarm] = Jarm diff --git a/tests/schemas/observable.py b/tests/schemas/observable.py index 20eb715ee..3b0d07b75 100644 --- a/tests/schemas/observable.py +++ b/tests/schemas/observable.py @@ -20,6 +20,7 @@ imphash, ipv4, ipv6, + jarm, mac_address, md5, mutex, @@ -545,3 +546,9 @@ def test_cookie(self): self.assertEqual(cookie_obs.secure, True) self.assertEqual(cookie_obs.type_cookie, "Session management") self.assertIsNotNone(cookie_obs.expires) + + def test_jarm(self): + """Tests creating a JARM.""" + jarm_obs = jarm.Jarm(value="1234567890") + jarm_obs.save() + self.assertEqual(jarm_obs.type, "jarm") From f3ee1d8281382693296131e3bf3214a54fcae680 Mon Sep 17 00:00:00 2001 
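Review bot: The `Jarm` docstring says the value should be in the form `JARM:<HASH>`, but the class adds no validation, and `test_jarm` in the same commit saves `"1234567890"`, which does not follow that form — documentation and test contradict each other. Either state that the format is a convention only (`Value is conventionally JARM:<HASH>; not validated.`) or add a validator and make the test use a conforming value. A JARM fingerprint is a fixed-length 62-hex-character string, so a length check on the hash part is cheap if validation is wanted.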
From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 16:34:26 +0100 Subject: [PATCH 15/69] add cs-beaconing --- core/common/misp_to_yeti.py | 73 ++++++++++++++++++++++++++++++++++++- 1 file changed, 71 insertions(+), 2 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 8563a0894..8deb8257e 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -1,8 +1,10 @@ import logging -import pycountry from datetime import timedelta -from core.schemas import entity, observable, indicator + import dateparser +import pycountry + +from core.schemas import entity, indicator, observable MISP_Attribute_TO_IMPORT = { "domain": observable.ObservableType.hostname, @@ -25,6 +27,7 @@ "regkey": observable.ObservableType.registry_key, "asn": observable.ObservableType.asn, "cookie": observable.ObservableType.cookie, + "other": observable.ObservableType.generic, } 
@@ -275,4 +278,70 @@ def __import_cookie(self, invest: entity.Investigation, object_cookie: dict): if expires: cookie.expires = dateparser.parse(expires) cookie.save() + + def __import_cs_beaconing(self, invest: entity.Investigation, object_cs_beaconing: dict): + cs_malware = entity.Malware(name="Cobalt Strike").save() + sha256_obs = self.attr_misp_to_yeti(invest, object_cs_beaconing['sha256'], description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing") + sha1_obs = self.attr_misp_to_yeti(invest, object_cs_beaconing['sha1'], description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing") + md5_obs = self.attr_misp_to_yeti(invest, object_cs_beaconing['md5'], description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing") + file_cs = observable.file.File(value=f"FILE:{sha256_obs}").save() + file_cs.md5 = md5_obs.value + file_cs.sha1 = sha1_obs.value + cs_malware.link_to(sha256_obs, "file", "sha256") + cs_malware.link_to(sha1_obs, "file", "sha1") + cs_malware.link_to(md5_obs, "file", "md5") + cs_malware.link_to(file_cs, "file", "file") + file_cs.link_to(sha256_obs, "file", "sha256") + file_cs.link_to(sha1_obs, "file", "sha1") + file_cs.link_to(md5_obs, "file", "md5") + + invest.link_to( + cs_malware, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + ) + asn = self.attr_misp_to_yeti(invest, object_cs_beaconing['asn']) + cs_malware.link_to(asn, "part_of", "asn") + + geo = object_cs_beaconing.get("geo") + country = None + if geo: + country = entity.Location(name=geo, country=geo) + country.set_country_code_by_name(country.name) + country.save() + invest.link_to(country, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing") + + c2_url = filter(lambda x: x["type"] == "c2", object_cs_beaconing["Attribute"]) + for url in c2_url: + obs_yeti = self.attr_misp_to_yeti(invest, url, description=f"misp {self.misp_event['Orgc']['name']}") + obs_yeti.link_to(asn, "part_of", "asn") + 
cs_malware.link_to(obs_yeti, "downloaded", "c2") + + ips = filter(lambda x: x["type"] == "ip", object_cs_beaconing["Attribute"]) + for ip_value in ips: + ip = self.attr_misp_to_yeti(invest, ip_value, description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing") + ip.link_to(asn, "part_of", "asn") + if country: + ip.link_to(country, "located_at", "location") + cs_malware.link_to(ip, "communicate_with", "ip") + + city = object_cs_beaconing.get("city") + if city: + location = entity.Location(name=city,city=city).save() + ip.link_to(location, "located_at", "location") + invest.link_to(location, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing") + + jar_md5= object_cs_beaconing["jar-md5"] + app_c2 = self.attr_misp_to_yeti(invest, jar_md5, description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing") + cs_malware.link_to(app_c2, "jar-md5", "MD5 of adversary cobaltstrike.jar file") + + watermark = object_cs_beaconing.get("watermark") + watermark_yeti = None + if watermark: + watermark_yeti = self.attr_misp_to_yeti(invest, watermark, description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing") + watermark_yeti.link_to(app_c2, "watermarked", "watermark") + cs_malware.link_to(watermark_yeti, "watermarked", "watermark") + + + + + From c29db8a33bdf97f60744f804c69367574f4bfebb Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 16:36:51 +0100 Subject: [PATCH 16/69] Update entity.py --- tests/schemas/entity.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/schemas/entity.py b/tests/schemas/entity.py index 1ecbda149..ef958fd37 100644 --- a/tests/schemas/entity.py +++ b/tests/schemas/entity.py @@ -6,11 +6,11 @@ from core.schemas.entity import ( AttackPattern, Entity, + Location, Malware, ThreatActor, Tool, Vulnerability, - Location, ) from core.schemas.observables import hostname 
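Review bot: `file_cs = observable.file.File(value=f"FILE:{sha256_obs}")` interpolates the observable object returned by `attr_misp_to_yeti`, not the hash, so the File's value becomes the object's string representation; it should be `f"FILE:{sha256_obs.value}"`. Further down, the `city` block calls `ip.link_to(location, ...)` outside the `for ip_value in ips` loop, so it links only the last IP and raises `NameError` when the object has no `ip` attributes — move it inside the loop or guard on a collected list. `file_cs.md5` and `file_cs.sha1` are assigned after `.save()` with no further save, and `asn = self.attr_misp_to_yeti(invest, object_cs_beaconing['asn'])` is the one call in this method that omits the description. The description strings spell the product `Cobalstrike`; `CobaltStrike` would match the `Malware(name="Cobalt Strike")` entity created at the top.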
From 034f00690fcd2b59b7c7800092f2632ada3b9060 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 16:38:51 +0100 Subject: [PATCH 17/69] ruff --- core/common/misp_to_yeti.py | 200 +++++++++++++++++++---------- core/schemas/observables/cookie.py | 1 + core/schemas/observables/jarm.py | 1 + 3 files changed, 132 insertions(+), 70 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 8deb8257e..c659dbee1 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -32,7 +32,6 @@ class MispToYeti: - def __init__(self, misp_event): self.misp_event = misp_event self.func_by_type = { @@ -46,15 +45,13 @@ def __init__(self, misp_event): } def attr_misp_to_yeti( - self, invest: entity.Investigation, attribute: dict, description: str ="" + self, invest: entity.Investigation, attribute: dict, description: str = "" ) -> observable.Observable: # type: ignore if attribute.get("type") in MISP_Attribute_TO_IMPORT: obs_yeti = observable.TYPE_MAPPING[ MISP_Attribute_TO_IMPORT[attribute.get("type")] # type: ignore ](value=attribute.get("value")).save() - invest.link_to( - obs_yeti, "imported_by_misp", description - ) + invest.link_to(obs_yeti, "imported_by_misp", description) print(f"Attribute {attribute.get('value')} imported") return obs_yeti @@ -63,7 +60,7 @@ def add_context_by_misp( ): context = {} context["Org"] = event["Org"]["name"] - + if attribute_misp.get("comment"): context["comment"] = attribute_misp.get("comment") obs_yeti.add_context("misp", context) @@ -94,7 +91,9 @@ def misp_to_yeti(self): if self.misp_event["Tag"]: invest.tag(self.misp_event["Tag"]) - invest.description =f"Org {self.misp_event['Orgc']['name']} Event id: {self.misp_event['id']}" + invest.description = ( + f"Org {self.misp_event['Orgc']['name']} Event id: {self.misp_event['id']}" + ) for object_misp in self.misp_event["Object"]: self.obs_misp_to_yeti(invest, object_misp) 
@@ -114,8 +113,8 @@ def __import_av_signature(
 software=object_av_signature["software"],
 diamond=indicator.DiamondModel.capability,
 pattern=object_av_signature["signature"],
- location='misp',
- )
+ location="misp",
+ )
 av_sig.description = object_av_signature["description"]
 av_sig.save()
 invest.link_to(
@@ -123,7 +122,11 @@ def __import_av_signature(
 )
 def __import_asn_object(self, invest: entity.Investigation, object_asn: dict):
- asn = self.attr_misp_to_yeti(invest, object_asn['value'], description=f"misp {self.misp_event['Orgc']['name']}")
+ asn = self.attr_misp_to_yeti(
+ invest,
+ object_asn["value"],
+ description=f"misp {self.misp_event['Orgc']['name']}",
+ )
 context = {}
 if subnet := object_asn.get("subnet"):
@@ -163,7 +166,7 @@ def __import_btc_wallet(self, invest: entity.Investigation, object_btc: dict):
 btc.add_context(f"misp {self.misp_event['Orgc']['name']} ", context)
 invest.link_to(
 btc, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}"
- )
+ )
 btc.save()
 def __import_c2_list(self, invest: entity.Investigation, object_c2_list: dict):
@@ -172,7 +175,9 @@ def __import_c2_list(self, invest: entity.Investigation, object_c2_list: dict):
 lambda x: x["type"] == "c2-ipport", object_c2_list["Attribute"]
 )
 for c2 in list_c2_ip:
- obs_yeti = self.attr_misp_to_yeti(invest, c2, description=f"misp {self.misp_event['Orgc']['name']}")
+ obs_yeti = self.attr_misp_to_yeti(
+ invest, c2, description=f"misp {self.misp_event['Orgc']['name']}"
+ )
 obs_yeti.link_to_tag(object_c2_list["threat"], timedelta(days=30))
 for c2 in list_c2_domain:
 ip, port = c2["value"].split("|")
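Review bot: `ip, port = c2["value"].split("|")` at the end of the last hunk raises ValueError for any attribute value that does not contain exactly one `|`, so one malformed entry in the feed aborts the import of the whole event. A tolerant parse such as `ip, sep, port = c2["value"].partition("|")` followed by `if not sep: continue` (with a log line) keeps the loop going. The naming also looks crossed: the filter on `"c2-ipport"` feeds `list_c2_ip`, while `list_c2_domain` is the one split into ip/port; the second filter is above the hunk, so this is worth confirming. `__import_c2_list` continues past the end of the hunk.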
@@ -181,25 +186,31 @@ def __import_c2_list(self, invest: entity.Investigation, object_c2_list: dict):
 )
 obs_yeti.link_to_tag(object_c2_list["threat"], timedelta(days=30))
 obs_yeti.add_context("misp", {"port": port})
-
- def __import_crowdsec_ip_context(self, invest: entity.Investigation, object_crowdsec_ip: dict):
- ip = self.attr_misp_to_yeti(invest, object_crowdsec_ip['ip'],description=f"misp {self.misp_event['Orgc']['name']} CrowdSec")
-
+
+ def __import_crowdsec_ip_context(
+ self, invest: entity.Investigation, object_crowdsec_ip: dict
+ ):
+ ip = self.attr_misp_to_yeti(
+ invest,
+ object_crowdsec_ip["ip"],
+ description=f"misp {self.misp_event['Orgc']['name']} CrowdSec",
+ )
+
 as_num = object_crowdsec_ip.get("as_num")
 if as_num:
 asn = self.attr_misp_to_yeti(invest, as_num)
 ip.link_to(asn, "part_of", "asn")
-
+
 context = {}
 attack_details = object_crowdsec_ip.get("attack-details")
 if attack_details:
 context["attack-details"] = attack_details
-
+
 background_noise = object_crowdsec_ip.get("background-noise")
 if background_noise:
 context["background-noise"] = background_noise
-
+
 behaviors = object_crowdsec_ip.get("behaviors")
 if behaviors:
 context["behaviors"] = behaviors
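Review bot: `asn = self.attr_misp_to_yeti(invest, as_num)` is the only call in this hunk that omits `description=`, so the `imported_by_misp` link for the ASN is created with the default empty description while the IP link records the `CrowdSec` provenance; pass the same f-string. The result is then used unguarded: `attr_misp_to_yeti` returns nothing for an attribute whose `type` is not mapped, so `ip.link_to(asn, "part_of", "asn")` would fail on such input rather than skipping the link. `__import_crowdsec_ip_context` continues past the end of the hunk.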
@@ -207,20 +218,26 @@ def __import_crowdsec_ip_context(self, invest: entity.Investigation, object_crow
 city = object_crowdsec_ip.get("city")
 country = object_crowdsec_ip.get("country")
 country_code = object_crowdsec_ip.get("country_code")
-
+
 if city or country or country_code:
 if city:
- location = entity.Location(name=city,city=city).save()
+ location = entity.Location(name=city, city=city).save()
 if country:
- location = entity.Location(name=country,country=country).save()
+ location = entity.Location(name=country, country=country).save()
 location.set_country_code_by_name(country)
 if country_code:
 country_name = pycountry.countries.get(alpha_2=country_code).name
- location = entity.Location(name=country_name,country=country_name).save()
+ location = entity.Location(
+ name=country_name, country=country_name
+ ).save()
 if location:
 ip.link_to(location, "located_at", "location")
- invest.link_to(location, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec")
+ invest.link_to(
+ location,
+ "imported_by_misp",
+ f"misp {self.misp_event['Orgc']['name']} CrowdSec",
+ )
 dst_port = object_crowdsec_ip.get("dst-port")
 if dst_port:
 context["dst_port"] = dst_port
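Review bot: `pycountry.countries.get(alpha_2=country_code).name` dereferences the lookup result without a None check, so an unknown or malformed `country_code` in the MISP object raises AttributeError and aborts the import; bind it first, `country_obj = pycountry.countries.get(alpha_2=country_code)`, and only build the Location `if country_obj:`. The `if city` / `if country` / `if country_code` branches each rebind `location`, so when more than one is present only the last Location is linked to `ip` and `invest` while the earlier ones are saved but left unlinked; linking inside each branch (or collecting them in a list) would fix that. `__import_crowdsec_ip_context` starts above and ends below the hunk.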
@@ -228,42 +245,55 @@ def __import_crowdsec_ip_context(self, invest: entity.Investigation, object_crow
 ip_range_scope = object_crowdsec_ip.get("ip-range-scope")
 if ip_range_scope:
 context["ip-range-scope"] = ip_range_scope
-
+
 trust = object_crowdsec_ip.get("trust")
 if trust:
 context["trust"] = trust
-
+
 ip_range = object_crowdsec_ip.get("ip-range")
 if ip_range:
- cidr_obs = observable.cidr.CIDR(value=ip_range).save() # type: ignore
+ cidr_obs = observable.cidr.CIDR(value=ip_range).save() # type: ignore
 ip.link_to(cidr_obs, "part_of", "subnet")
- invest.link_to(cidr_obs, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec")
+ invest.link_to(
+ cidr_obs,
+ "imported_by_misp",
+ f"misp {self.misp_event['Orgc']['name']} CrowdSec",
+ )
 ip.add_context(f"misp {self.misp_event['Orgc']['name']} CrowdSec", context)
 reverse_dns = object_crowdsec_ip.get("reverse_dns")
 if reverse_dns:
- hostname = self.attr_misp_to_yeti(invest, reverse_dns,description=f"misp {self.misp_event['Orgc']['name']} CrowdSec")
+ hostname = self.attr_misp_to_yeti(
+ invest,
+ reverse_dns,
+ description=f"misp {self.misp_event['Orgc']['name']} CrowdSec",
+ )
 ip.link_to(hostname, "resolved_to", "hostname")
-
- def __import_commande_line(self, invest: entity.Investigation, object_command_line: dict):
- cmd_line = object_command_line["value"]
- cmd_line = observable.command_line.CommandLine(value=cmd_line).save()
-
- description = object_command_line.get("description")
- context = {}
- if description:
- context["description"] = description
- if context:
- cmd_line.add_context(f"misp {self.misp_event['Orgc']['name']}", context)
- invest.link_to(cmd_line, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}")
-
+
+ def __import_commande_line(
+ self, invest: entity.Investigation, object_command_line: dict
+ ):
+ cmd_line = object_command_line["value"]
+ cmd_line = observable.command_line.CommandLine(value=cmd_line).save()
+
+ description = object_command_line.get("description")
+ context = {}
+ if description:
+ context["description"] = description
+ if context:
+ cmd_line.add_context(f"misp {self.misp_event['Orgc']['name']}", context)
+ invest.link_to(
+ cmd_line, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}"
+ )
+
 def __import_cookie(self, invest: entity.Investigation, object_cookie: dict):
-
- name = object_cookie['name']
-
- cookie_attr = object_cookie['cookie']
- cookie = self.attr_misp_to_yeti(invest, cookie_attr,description=f"misp {self.misp_event['Orgc']['name']}")
+ name = object_cookie["name"]
+
+ cookie_attr = object_cookie["cookie"]
+ cookie = self.attr_misp_to_yeti(
+ invest, cookie_attr, description=f"misp {self.misp_event['Orgc']['name']}"
+ )
 cookie.name = name
 https_only = object_cookie.get("http-only")
 if https_only:
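Review bot: `https_only = object_cookie.get("http-only")` reads the HttpOnly attribute under a name that suggests the Secure flag; the line it is stored to is below the hunk, so the mismatch is worth checking and the local should be renamed `http_only`. In the same function `object_cookie["name"]` and `object_cookie["cookie"]` raise KeyError on a partial MISP object while the flags use `.get()`; a consistent `.get()` with an early `return` keeps one malformed object from aborting the event import. `__import_cookie` continues past the end of the hunk.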
@@ -279,11 +309,25 @@ def __import_cookie(self, invest: entity.Investigation, object_cookie: dict):
 cookie.expires = dateparser.parse(expires)
 cookie.save()
- def __import_cs_beaconing(self, invest: entity.Investigation, object_cs_beaconing: dict):
+ def __import_cs_beaconing(
+ self, invest: entity.Investigation, object_cs_beaconing: dict
+ ):
 cs_malware = entity.Malware(name="Cobalt Strike").save()
- sha256_obs = self.attr_misp_to_yeti(invest, object_cs_beaconing['sha256'], description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing")
- sha1_obs = self.attr_misp_to_yeti(invest, object_cs_beaconing['sha1'], description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing")
- md5_obs = self.attr_misp_to_yeti(invest, object_cs_beaconing['md5'], description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing")
+ sha256_obs = self.attr_misp_to_yeti(
+ invest,
+ object_cs_beaconing["sha256"],
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
+ sha1_obs = self.attr_misp_to_yeti(
+ invest,
+ object_cs_beaconing["sha1"],
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
+ md5_obs = self.attr_misp_to_yeti(
+ invest,
+ object_cs_beaconing["md5"],
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
 file_cs = observable.file.File(value=f"FILE:{sha256_obs}").save()
 file_cs.md5 = md5_obs.value
 file_cs.sha1 = sha1_obs.value
@@ -298,7 +342,7 @@ def __import_cs_beaconing(self, invest: entity.Investigation, object_cs_beaconin
 invest.link_to(
 cs_malware, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}"
 )
- asn = self.attr_misp_to_yeti(invest, object_cs_beaconing['asn'])
+ asn = self.attr_misp_to_yeti(invest, object_cs_beaconing["asn"])
 cs_malware.link_to(asn, "part_of", "asn")
 geo = object_cs_beaconing.get("geo")
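Review bot: `file_cs = observable.file.File(value=f"FILE:{sha256_obs}")` interpolates the Observable object itself, whereas the next two lines use `md5_obs.value` and `sha1_obs.value`; unless `Observable.__str__` returns the value (not visible here), the File is stored under the object's repr rather than the hash, so `value=f"FILE:{sha256_obs.value}"` is what the surrounding lines imply. The hard `object_cs_beaconing["sha256"]` / `["sha1"]` / `["md5"]` lookups also raise KeyError on a partial object, while `geo`, `city` and `watermark` further down use `.get()`. `__import_cs_beaconing` continues past the end of the hunk.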
@@ -307,17 +351,27 @@ def __import_cs_beaconing(self, invest: entity.Investigation, object_cs_beaconin
 country = entity.Location(name=geo, country=geo)
 country.set_country_code_by_name(country.name)
 country.save()
- invest.link_to(country, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing")
+ invest.link_to(
+ country,
+ "imported_by_misp",
+ f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
 c2_url = filter(lambda x: x["type"] == "c2", object_cs_beaconing["Attribute"])
 for url in c2_url:
- obs_yeti = self.attr_misp_to_yeti(invest, url, description=f"misp {self.misp_event['Orgc']['name']}")
+ obs_yeti = self.attr_misp_to_yeti(
+ invest, url, description=f"misp {self.misp_event['Orgc']['name']}"
+ )
 obs_yeti.link_to(asn, "part_of", "asn")
 cs_malware.link_to(obs_yeti, "downloaded", "c2")
-
- ips = filter(lambda x: x["type"] == "ip", object_cs_beaconing["Attribute"])
+
+ ips = filter(lambda x: x["type"] == "ip", object_cs_beaconing["Attribute"])
 for ip_value in ips:
- ip = self.attr_misp_to_yeti(invest, ip_value, description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing")
+ ip = self.attr_misp_to_yeti(
+ invest,
+ ip_value,
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
 ip.link_to(asn, "part_of", "asn")
 if country:
 ip.link_to(country, "located_at", "location")
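Review bot: `if country:` reads a name that, judging by the `geo = object_cs_beaconing.get("geo")` line closing the previous hunk, appears to be assigned only when `geo` is present, so an event without `geo` would raise NameError here instead of skipping the location link; initialise `country = None` before that block (the lines between the hunks are not visible, so confirm). `asn` has the same shape: it is used unconditionally by `obs_yeti.link_to(asn, ...)` and `ip.link_to(asn, ...)` but comes from `attr_misp_to_yeti`, which returns nothing for an unmapped attribute type. `__import_cs_beaconing` continues on both sides of the hunk.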
@@ -325,23 +379,29 @@ def __import_cs_beaconing(self, invest: entity.Investigation, object_cs_beaconin
 city = object_cs_beaconing.get("city")
 if city:
- location = entity.Location(name=city,city=city).save()
+ location = entity.Location(name=city, city=city).save()
 ip.link_to(location, "located_at", "location")
- invest.link_to(location, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing")
-
- jar_md5= object_cs_beaconing["jar-md5"]
- app_c2 = self.attr_misp_to_yeti(invest, jar_md5, description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing")
+ invest.link_to(
+ location,
+ "imported_by_misp",
+ f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
+
+ jar_md5 = object_cs_beaconing["jar-md5"]
+ app_c2 = self.attr_misp_to_yeti(
+ invest,
+ jar_md5,
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
 cs_malware.link_to(app_c2, "jar-md5", "MD5 of adversary cobaltstrike.jar file")
 watermark = object_cs_beaconing.get("watermark")
 watermark_yeti = None
 if watermark:
- watermark_yeti = self.attr_misp_to_yeti(invest, watermark, description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing")
- watermark_yeti.link_to(app_c2, "watermarked", "watermark")
+ watermark_yeti = self.attr_misp_to_yeti(
+ invest,
+ watermark,
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
+ watermark_yeti.link_to(app_c2, "watermarked", "watermark")
 cs_malware.link_to(watermark_yeti, "watermarked", "watermark")
-
-
-
-
-
-
diff --git a/core/schemas/observables/cookie.py b/core/schemas/observables/cookie.py
index 65b307dab..0dd6ba66e 100644
--- a/core/schemas/observables/cookie.py
+++ b/core/schemas/observables/cookie.py
@@ -22,4 +22,5 @@ class Cookie(observable.Observable):
 name: Optional[str] = None
 cookie: Optional[str] = None
+
 observable.TYPE_MAPPING[observable.ObservableType.cookie] = Cookie
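Review bot: the `if city:` block uses `ip` after the `for ip_value in ips:` loop that precedes the hunk, so the city Location is linked only to whichever IP attribute came last, and the block raises NameError when the object carries no `ip` attribute at all; move it inside the loop or link the Location to `cs_malware` instead. `jar_md5 = object_cs_beaconing["jar-md5"]` is a hard lookup on a field that, like `watermark` a few lines below, may be absent from the object and would be safer as `.get()` with a guard. The hunk closes `__import_cs_beaconing`, whose start is above it.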
diff --git a/core/schemas/observables/jarm.py b/core/schemas/observables/jarm.py
index 8129ebf2e..06f478dcf 100644
--- a/core/schemas/observables/jarm.py
+++ b/core/schemas/observables/jarm.py
@@ -11,4 +11,5 @@ class Jarm(observable.Observable):
 type: Literal[observable.ObservableType.jarm] = observable.ObservableType.jarm
+
 observable.TYPE_MAPPING[observable.ObservableType.jarm] = Jarm
From f47cecc7504faf955a51b04bf4f9858cbe6eb34b Mon Sep 17 00:00:00 2001
From: Sebdraven <sebdraven@protonmail.com>
Date: Tue, 5 Mar 2024 16:42:05 +0100
Subject: [PATCH 18/69] ruff
---
 core/schemas/indicator.py | 2 ++
 core/web/apiv2/import_data.py | 1 -
 tests/schemas/entity.py | 3 +--
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/core/schemas/indicator.py b/core/schemas/indicator.py
index d179963bf..b2a770716 100644
--- a/core/schemas/indicator.py
+++ b/core/schemas/indicator.py
@@ -274,6 +274,7 @@ def save_indicators(self, create_links: bool = False):
 self.link_to(indicator, "uses", f"Uses regex {indicator.name}")
 return indicators
+
 class av_signature(Indicator):
 _type_filter: ClassVar[str] = IndicatorType.av_signature
 type: Literal[IndicatorType.av_signature] = IndicatorType.av_signature
@@ -282,6 +283,7 @@ class av_signature(Indicator):
 def match(self, value: str) -> IndicatorMatch | None:
 raise NotImplementedError
+
 ARTIFACT_INTERPOLATION_RE = re.compile(r"%%[a-z._]+%%")
 TYPE_MAPPING = {
diff --git a/core/web/apiv2/import_data.py b/core/web/apiv2/import_data.py
index 1bb09be3b..4c8417ca6 100644
--- a/core/web/apiv2/import_data.py
+++ b/core/web/apiv2/import_data.py
@@ -1,4 +1,3 @@
-
 import json
 from fastapi import APIRouter, File, UploadFile
diff --git a/tests/schemas/entity.py b/tests/schemas/entity.py
index ef958fd37..7a8de4524 100644
--- a/tests/schemas/entity.py
+++ b/tests/schemas/entity.py
@@ -136,10 +136,9 @@ def test_bad_cve_name(self):
 def test_correct_cve_name(self):
 vulnerability = Vulnerability(name="CVE-1337-4242").save()
 self.assertEqual(Vulnerability.is_valid(vulnerability), True)
-
+
 def test_location(self):
 location = Location(name="France").save()
 location.set_country_code_by_name(location.name)
 self.assertEqual(location.name, "France")
 self.assertEqual(location.country_code, "FR")
-
From 867d254ef74b456e1867a3a48a877338648fc816 Mon Sep 17 00:00:00 2001
From: Sebdraven <sebdraven@protonmail.com>
Date: Tue, 5 Mar 2024 16:43:40 +0100
Subject: [PATCH 19/69] Update pyproject.toml
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index b3725ef06..8ffed9c90 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -53,6 +53,6 @@ build-backend = "poetry.core.masonry.api"
 [tool.ruff]
 # Enable the isort rules.
-extend-select = ["I"]
+lint.extend-select = ["I"]
 # exclude files in the /deprecated/ directories
 exclude = ["deprecated"]
From a521dc188da3cdaaaf034932b8368d71b842b0cc Mon Sep 17 00:00:00 2001
From: Sebdraven <sebdraven@protonmail.com>
Date: Tue, 5 Mar 2024 16:51:20 +0100
Subject: [PATCH 20/69] ruff linting
---
 core/common/utils.py | 6 +++---
 core/database_arango.py | 1 +
 core/schemas/observables/certificate.py | 4 ++--
 core/schemas/observables/command_line.py | 4 ++--
 core/schemas/observables/docker_image.py | 4 ++--
 core/schemas/observables/hostname.py | 4 ++--
 core/schemas/observables/mac_address.py | 4 ++--
 core/schemas/observables/named_pipe.py | 4 ++--
 core/schemas/observables/registry_key.py | 4 ++--
 core/schemas/observables/user_account.py | 4 ++--
 core/schemas/observables/user_agent.py | 4 ++--
 plugins/feeds/public/abuseipdb.py | 6 +++---
 plugins/feeds/public/azorult-tracker.py | 1 +
 plugins/feeds/public/cisa_kev.py | 12 ++++++------
 plugins/feeds/public/cisco_umbrella_top_domains.py | 6 +++---
 plugins/feeds/public/cruzit.py | 6 +++---
 plugins/feeds/public/dataplane_dnsversion.py | 3 ++-
 plugins/feeds/public/dataplane_proto41.py | 3 ++-
 plugins/feeds/public/dataplane_sipinvite.py | 3 ++-
 plugins/feeds/public/dataplane_sipquery.py | 3 ++-
 plugins/feeds/public/dataplane_sipregistr.py | 3 ++-
 plugins/feeds/public/dataplane_smtpdata.py | 3 ++-
 plugins/feeds/public/dataplane_smtpgreet.py | 3 ++-
 plugins/feeds/public/dataplane_sshclient.py | 3 ++-
 plugins/feeds/public/dataplane_sshpwauth.py | 3 ++-
 plugins/feeds/public/dataplane_telnetlogin.py | 3 ++-
 plugins/feeds/public/dataplane_vnc.py | 3 ++-
 plugins/feeds/public/miningpoolstats.py | 6 +++---
 plugins/feeds/public/phishing_database.py | 6 +++---
 plugins/feeds/public/rulezskbruteforceblocker.py | 6 +++---
 plugins/feeds/public/threatview_c2.py | 6 +++---
 tests/apiv2/templates.py | 12 ++++++------
 32 files changed, 78 insertions(+), 65 deletions(-)
diff --git a/core/common/utils.py b/core/common/utils.py
index 28d81c447..a0010274c 100644
--- a/core/common/utils.py
+++ b/core/common/utils.py
@@ -14,9 +14,9 @@ if hasattr(yeti_config, "tldextract"):
 if yeti_config.tldextract.extra_suffixes:
- tld_extract_dict[
- "extra_suffixes"
- ] = yeti_config.tldextract.extra_suffixes.split(",")
+ tld_extract_dict["extra_suffixes"] = (
+ yeti_config.tldextract.extra_suffixes.split(",")
+ )
 if yeti_config.tldextract.suffix_list_urls:
 tld_extract_dict["suffix_list_urls"] = yeti_config.tldextract.suffix_list_urls
diff --git a/core/database_arango.py b/core/database_arango.py
index ac1219748..7b06cf61f 100644
--- a/core/database_arango.py
+++ b/core/database_arango.py
@@ -1,4 +1,5 @@
 """Class implementing a YetiConnector interface for ArangoDB."""
+
 import datetime
 import json
 import logging
diff --git a/core/schemas/observables/certificate.py b/core/schemas/observables/certificate.py
index a8d8b7618..1e2127ab7 100644
--- a/core/schemas/observables/certificate.py
+++ b/core/schemas/observables/certificate.py
@@ -22,9 +22,9 @@ class Certificate(observable.Observable):
 fingerprint: the certificate fingerprint.
 """
- type: Literal[
+ type: Literal[observable.ObservableType.certificate] = (
 observable.ObservableType.certificate
- ] = observable.ObservableType.certificate
+ )
 last_seen: datetime.datetime = Field(default_factory=now)
 first_seen: datetime.datetime = Field(default_factory=now)
 issuer: str | None = None
diff --git a/core/schemas/observables/command_line.py b/core/schemas/observables/command_line.py
index f1102ec64..b166eff27 100644
--- a/core/schemas/observables/command_line.py
+++ b/core/schemas/observables/command_line.py
@@ -4,9 +4,9 @@ class CommandLine(observable.Observable):
- type: Literal[
+ type: Literal[observable.ObservableType.command_line] = (
 observable.ObservableType.command_line
- ] = observable.ObservableType.command_line
+ )
 observable.TYPE_MAPPING[observable.ObservableType.command_line] = CommandLine
diff --git a/core/schemas/observables/docker_image.py b/core/schemas/observables/docker_image.py
index 55f16af81..bdc342793 100644
--- a/core/schemas/observables/docker_image.py
+++ b/core/schemas/observables/docker_image.py
@@ -4,9 +4,9 @@ class DockerImage(observable.Observable):
- type: Literal[
+ type: Literal[observable.ObservableType.docker_image] = (
 observable.ObservableType.docker_image
- ] = observable.ObservableType.docker_image
+ )
 observable.TYPE_MAPPING[observable.ObservableType.docker_image] = DockerImage
diff --git a/core/schemas/observables/hostname.py b/core/schemas/observables/hostname.py
index 2ccedc8e1..eae0cfffa 100644
--- a/core/schemas/observables/hostname.py
+++ b/core/schemas/observables/hostname.py
@@ -4,9 +4,9 @@ class Hostname(observable.Observable):
- type: Literal[
+ type: Literal[observable.ObservableType.hostname] = (
 observable.ObservableType.hostname
- ] = observable.ObservableType.hostname
+ )
 observable.TYPE_MAPPING[observable.ObservableType.hostname] = Hostname
diff --git a/core/schemas/observables/mac_address.py b/core/schemas/observables/mac_address.py
index 7da5d4e00..97c4fd018 100644
--- a/core/schemas/observables/mac_address.py
+++ b/core/schemas/observables/mac_address.py
@@ -4,9 +4,9 @@ class MacAddress(observable.Observable):
- type: Literal[
+ type: Literal[observable.ObservableType.mac_address] = (
 observable.ObservableType.mac_address
- ] = observable.ObservableType.mac_address
+ )
 observable.TYPE_MAPPING[observable.ObservableType.mac_address] = MacAddress
diff --git a/core/schemas/observables/named_pipe.py b/core/schemas/observables/named_pipe.py
index b7ea68aff..e75165386 100644
--- a/core/schemas/observables/named_pipe.py
+++ b/core/schemas/observables/named_pipe.py
@@ -4,9 +4,9 @@ class NamedPipe(observable.Observable):
- type: Literal[
+ type: Literal[observable.ObservableType.named_pipe] = (
 observable.ObservableType.named_pipe
- ] = observable.ObservableType.named_pipe
+ )
 observable.TYPE_MAPPING[observable.ObservableType.named_pipe] = NamedPipe
diff --git a/core/schemas/observables/registry_key.py b/core/schemas/observables/registry_key.py
index cca622301..29298bc49 100644
--- a/core/schemas/observables/registry_key.py
+++ b/core/schemas/observables/registry_key.py
@@ -26,9 +26,9 @@ class RegistryKey(observable.Observable):
 path_file: The filesystem path to the file that contains the registry key value.
 """
- type: Literal[
+ type: Literal[observable.ObservableType.registry_key] = (
 observable.ObservableType.registry_key
- ] = observable.ObservableType.registry_key
+ )
 key: str
 data: bytes
 hive: RegistryHive
diff --git a/core/schemas/observables/user_account.py b/core/schemas/observables/user_account.py
index a208df721..fa8d172d7 100644
--- a/core/schemas/observables/user_account.py
+++ b/core/schemas/observables/user_account.py
@@ -14,9 +14,9 @@ class UserAccount(observable.Observable):
 Value should to be in the form <ACCOUNT_TYPE>:<ACCOUNT_LOGIN>.
 """
- type: Literal[
+ type: Literal[observable.ObservableType.user_account] = (
 observable.ObservableType.user_account
- ] = observable.ObservableType.user_account
+ )
 user_id: str | None = None
 credential: str | None = None
 account_login: str | None = None
diff --git a/core/schemas/observables/user_agent.py b/core/schemas/observables/user_agent.py
index 8bb37a760..b1d163c83 100644
--- a/core/schemas/observables/user_agent.py
+++ b/core/schemas/observables/user_agent.py
@@ -4,9 +4,9 @@ class UserAgent(observable.Observable):
- type: Literal[
+ type: Literal[observable.ObservableType.user_agent] = (
 observable.ObservableType.user_agent
- ] = observable.ObservableType.user_agent
+ )
 observable.TYPE_MAPPING[observable.ObservableType.user_agent] = UserAgent
diff --git a/plugins/feeds/public/abuseipdb.py b/plugins/feeds/public/abuseipdb.py
index 374f785a5..56a0fb0c9 100644
--- a/plugins/feeds/public/abuseipdb.py
+++ b/plugins/feeds/public/abuseipdb.py
@@ -9,9 +9,9 @@ class AbuseIPDB(task.FeedTask):
- _SOURCE: ClassVar[
- "str"
- ] = "https://api.abuseipdb.com/api/v2/blacklist?&key=%s&plaintext&limit=10000"
+ _SOURCE: ClassVar["str"] = (
+ "https://api.abuseipdb.com/api/v2/blacklist?&key=%s&plaintext&limit=10000"
+ )
 _defaults = {
 "frequency": timedelta(hours=5),
 "name": "AbuseIPDB",
diff --git a/plugins/feeds/public/azorult-tracker.py b/plugins/feeds/public/azorult-tracker.py
index 68c459062..9dce6240c 100644
--- a/plugins/feeds/public/azorult-tracker.py
+++ b/plugins/feeds/public/azorult-tracker.py
@@ -1,4 +1,5 @@
 """Azorult Tracker feeds"""
+
 import logging
 from datetime import datetime, timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/cisa_kev.py b/plugins/feeds/public/cisa_kev.py
index d218816aa..0db462a15 100644
--- a/plugins/feeds/public/cisa_kev.py
+++ b/plugins/feeds/public/cisa_kev.py
@@ -41,12 +41,12 @@ class CisaKEV(task.FeedTask):
 "source": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
 }
- CISA_SOURCE: ClassVar[
- "str"
- ] = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
- NVD_SOURCE: ClassVar[
- "str"
- ] = "https://services.nvd.nist.gov/rest/json/cves/2.0?hasKev"
+ CISA_SOURCE: ClassVar["str"] = (
+ "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
+ )
+ NVD_SOURCE: ClassVar["str"] = (
+ "https://services.nvd.nist.gov/rest/json/cves/2.0?hasKev"
+ )
 def run(self):
 response = self._make_request(self.CISA_SOURCE, sort=False)
diff --git a/plugins/feeds/public/cisco_umbrella_top_domains.py b/plugins/feeds/public/cisco_umbrella_top_domains.py
index d69251613..79512c269 100644
--- a/plugins/feeds/public/cisco_umbrella_top_domains.py
+++ b/plugins/feeds/public/cisco_umbrella_top_domains.py
@@ -14,9 +14,9 @@ class CiscoUmbrellaTopDomains(task.FeedTask):
 "name": "CloudflareTopDomains",
 "description": "Import Cloudflare top domains",
 }
- _SOURCE: ClassVar[
- "str"
- ] = "http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip"
+ _SOURCE: ClassVar["str"] = (
+ "http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip"
+ )
 def run(self):
 top_domains = yeti_config.get("umbrella", "top_domains", 10000)
diff --git a/plugins/feeds/public/cruzit.py b/plugins/feeds/public/cruzit.py
index 1d38d2dcc..bcc36f785 100644
--- a/plugins/feeds/public/cruzit.py
+++ b/plugins/feeds/public/cruzit.py
@@ -8,9 +8,9 @@ class Cruzit(task.FeedTask):
- _SOURCE: ClassVar[
- "str"
- ] = "https://iplists.firehol.org/files/cruzit_web_attacks.ipset"
+ _SOURCE: ClassVar["str"] = (
+ "https://iplists.firehol.org/files/cruzit_web_attacks.ipset"
+ )
 _defaults = {
 "frequency": timedelta(hours=1),
diff --git a/plugins/feeds/public/dataplane_dnsversion.py b/plugins/feeds/public/dataplane_dnsversion.py
index 1ac1886e8..922b2ddf9 100644
--- a/plugins/feeds/public/dataplane_dnsversion.py
+++ b/plugins/feeds/public/dataplane_dnsversion.py
@@ -1,6 +1,7 @@
 """
- Feed DNS Version IPs with ASN
+Feed DNS Version IPs with ASN
 """
+
 import logging
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_proto41.py b/plugins/feeds/public/dataplane_proto41.py
index 8b464d8fd..9f9e5bb31 100644
--- a/plugins/feeds/public/dataplane_proto41.py
+++ b/plugins/feeds/public/dataplane_proto41.py
@@ -1,6 +1,7 @@
 """
- Feed DataplaneProto41: IPs from DataplaneProto41
+Feed DataplaneProto41: IPs from DataplaneProto41
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_sipinvite.py b/plugins/feeds/public/dataplane_sipinvite.py
index 7ed34d3c6..f8262400c 100644
--- a/plugins/feeds/public/dataplane_sipinvite.py
+++ b/plugins/feeds/public/dataplane_sipinvite.py
@@ -1,6 +1,7 @@
 """
- Feed of SIP INVITE attacks from Dataplane IPs and their Autonomous Systems
+Feed of SIP INVITE attacks from Dataplane IPs and their Autonomous Systems
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_sipquery.py b/plugins/feeds/public/dataplane_sipquery.py
index 1e4645e94..c336bc0fb 100644
--- a/plugins/feeds/public/dataplane_sipquery.py
+++ b/plugins/feeds/public/dataplane_sipquery.py
@@ -1,6 +1,7 @@
 """
- Feed of SIPs from Dataplane with IPs and ASNs
+Feed of SIPs from Dataplane with IPs and ASNs
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_sipregistr.py b/plugins/feeds/public/dataplane_sipregistr.py
index 8b268c82f..7feadcf7b 100644
--- a/plugins/feeds/public/dataplane_sipregistr.py
+++ b/plugins/feeds/public/dataplane_sipregistr.py
@@ -1,6 +1,7 @@
 """
- Feed of SIP registr with IPs and ASNs
+Feed of SIP registr with IPs and ASNs
 """
+
 import logging
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_smtpdata.py b/plugins/feeds/public/dataplane_smtpdata.py
index 5e091e5f4..d638e57c9 100644
--- a/plugins/feeds/public/dataplane_smtpdata.py
+++ b/plugins/feeds/public/dataplane_smtpdata.py
@@ -1,6 +1,7 @@
 """
- Feeds SMTP data from Dataplane with IPs and ASNs
+Feeds SMTP data from Dataplane with IPs and ASNs
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_smtpgreet.py b/plugins/feeds/public/dataplane_smtpgreet.py
index a3e0134ad..965451d54 100644
--- a/plugins/feeds/public/dataplane_smtpgreet.py
+++ b/plugins/feeds/public/dataplane_smtpgreet.py
@@ -1,6 +1,7 @@
 """
- Feed of SMTP greetings from dataplane with IPs and ASN
+Feed of SMTP greetings from dataplane with IPs and ASN
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_sshclient.py b/plugins/feeds/public/dataplane_sshclient.py
index 382bd1db4..1626ad803 100644
--- a/plugins/feeds/public/dataplane_sshclient.py
+++ b/plugins/feeds/public/dataplane_sshclient.py
@@ -1,6 +1,7 @@
 """
- Feed of ssh client bruteforce of Dataplane with IPs and ASNs
+Feed of ssh client bruteforce of Dataplane with IPs and ASNs
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_sshpwauth.py b/plugins/feeds/public/dataplane_sshpwauth.py
index 98357763b..84d3e08de 100644
--- a/plugins/feeds/public/dataplane_sshpwauth.py
+++ b/plugins/feeds/public/dataplane_sshpwauth.py
@@ -1,6 +1,7 @@
 """
- Feed of Dataplane SSH bruteforce IPs and ASNs
+Feed of Dataplane SSH bruteforce IPs and ASNs
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_telnetlogin.py b/plugins/feeds/public/dataplane_telnetlogin.py
index 241c8e0ea..297619030 100644
--- a/plugins/feeds/public/dataplane_telnetlogin.py
+++ b/plugins/feeds/public/dataplane_telnetlogin.py
@@ -1,6 +1,7 @@
 """
- Feed of Dataplane SSH bruteforce IPs and ASNs
+Feed of Dataplane SSH bruteforce IPs and ASNs
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/dataplane_vnc.py b/plugins/feeds/public/dataplane_vnc.py
index 95a1e141b..13f4f097a 100644
--- a/plugins/feeds/public/dataplane_vnc.py
+++ b/plugins/feeds/public/dataplane_vnc.py
@@ -1,6 +1,7 @@
 """
- Feed of Dataplane SSH bruteforce IPs and ASNs
+Feed of Dataplane SSH bruteforce IPs and ASNs
 """
+
 from datetime import timedelta
 from typing import ClassVar
diff --git a/plugins/feeds/public/miningpoolstats.py b/plugins/feeds/public/miningpoolstats.py
index 52a9e65ce..2b1e5ecff 100644
--- a/plugins/feeds/public/miningpoolstats.py
+++ b/plugins/feeds/public/miningpoolstats.py
@@ -19,9 +19,9 @@ class MiningPoolStats(task.FeedTask): } _SOURCE: ClassVar["str"] = "https://miningpoolstats.stream" - _USER_AGENT: ClassVar[ - "str" - ] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" + _USER_AGENT: ClassVar["str"] = ( + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" + ) def run(self): self._session = requests.Session() diff --git a/plugins/feeds/public/phishing_database.py b/plugins/feeds/public/phishing_database.py index 931243bab..593564d8c 100644 --- a/plugins/feeds/public/phishing_database.py +++ b/plugins/feeds/public/phishing_database.py @@ -18,9 +18,9 @@ class PhishingDatabase(task.FeedTask): "description": "PhishingDatabase is a community feed of phishing URLs which are updated every 24 hours.", } - _SOURCE: ClassVar[ - "str" - ] = "https://phishing.army/download/phishing_army_blocklist_extended.txt" + _SOURCE: ClassVar["str"] = ( + "https://phishing.army/download/phishing_army_blocklist_extended.txt" + ) def run(self): response = self._make_request(self._SOURCE) diff --git a/plugins/feeds/public/rulezskbruteforceblocker.py b/plugins/feeds/public/rulezskbruteforceblocker.py index 156c6f3e2..be8755f51 100644 --- a/plugins/feeds/public/rulezskbruteforceblocker.py +++ b/plugins/feeds/public/rulezskbruteforceblocker.py @@ -16,9 +16,9 @@ class RulezSKBruteforceBlocker(task.FeedTask): "description": "This feed contains daily list of IPs from rules.sk", } - _SOURCE: ClassVar[ - "str" - ] = "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" + _SOURCE: ClassVar["str"] = ( + "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" + ) def run(self): r = self._make_request(self._SOURCE, headers={"User-Agent": "yeti-project"}) diff --git a/plugins/feeds/public/threatview_c2.py b/plugins/feeds/public/threatview_c2.py index eec966ab7..4728f3433 100644 
--- a/plugins/feeds/public/threatview_c2.py +++ b/plugins/feeds/public/threatview_c2.py @@ -13,9 +13,9 @@ class ThreatviewC2(task.FeedTask): "description": "This feed contains Cobalt Strike C2 IPs and Hostnames", } - _SOURCE: ClassVar[ - "str" - ] = "https://threatview.io/Downloads/High-Confidence-CobaltstrikeC2_IP_feed.txt" + _SOURCE: ClassVar["str"] = ( + "https://threatview.io/Downloads/High-Confidence-CobaltstrikeC2_IP_feed.txt" + ) def run(self): response = self._make_request(self._SOURCE, sort=False) diff --git a/tests/apiv2/templates.py b/tests/apiv2/templates.py index e1db94b4c..d5e9e2c4a 100644 --- a/tests/apiv2/templates.py +++ b/tests/apiv2/templates.py @@ -90,9 +90,9 @@ def test_render_template_by_id(self): }, ) data = response.text - response.headers[ - "Content-Disposition" - ] = "attachment; filename=FakeTemplate.txt" + response.headers["Content-Disposition"] = ( + "attachment; filename=FakeTemplate.txt" + ) self.assertEqual(response.status_code, 200, data) self.assertEqual(data, "<blah>\n1.1.1.1\n2.2.2.2\n3.3.3.3\n\n</blah>\n") @@ -106,8 +106,8 @@ def test_render_template_by_search(self): json={"template_id": self.template.id, "search_query": "yeti"}, ) data = response.text - response.headers[ - "Content-Disposition" - ] = "attachment; filename=FakeTemplate.txt" + response.headers["Content-Disposition"] = ( + "attachment; filename=FakeTemplate.txt" + ) self.assertEqual(response.status_code, 200, data) self.assertEqual(data, "<blah>\nyeti1.com\nyeti2.com\nyeti3.com\n\n</blah>\n") From 8b22aa5f766791755906721d14b3275d939b6ae2 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 16:54:34 +0100 Subject: [PATCH 21/69] fix test --- tests/schemas/entity.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/schemas/entity.py b/tests/schemas/entity.py index 7a8de4524..0970281e2 100644 --- a/tests/schemas/entity.py +++ b/tests/schemas/entity.py 
@@ -141,4 +141,4 @@ def test_location(self): location = Location(name="France").save() location.set_country_code_by_name(location.name) self.assertEqual(location.name, "France") - self.assertEqual(location.country_code, "FR") + self.assertEqual(location.country_code, 250) From b898eeef24efb450636fd7b79f3f70f913d7b74f Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 16:58:20 +0100 Subject: [PATCH 22/69] Update entity.py --- core/schemas/entity.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/schemas/entity.py b/core/schemas/entity.py index 140d71212..4cc254845 100644 --- a/core/schemas/entity.py +++ b/core/schemas/entity.py @@ -158,7 +158,7 @@ def set_country_name_by_code(self, code: int): def set_country_code_by_name(self, name: str): import pycountry - self.country_code = pycountry.countries.get(name=name).numeric + self.country_code = int(pycountry.countries.get(name=name).numeric) class SeverityType(str, Enum): From 30f23a8fac623cc10f41f2c6e4a8b110b6fbcb53 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 17:05:27 +0100 Subject: [PATCH 23/69] fix tags --- core/common/misp_to_yeti.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index c659dbee1..35b3d6502 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -51,6 +51,9 @@ def attr_misp_to_yeti( obs_yeti = observable.TYPE_MAPPING[ MISP_Attribute_TO_IMPORT[attribute.get("type")] # type: ignore ](value=attribute.get("value")).save() + + if attribute['Tag']: + obs_yeti.tag([t["name"] for t in attribute["Tag"]]) invest.link_to(obs_yeti, "imported_by_misp", description) print(f"Attribute {attribute.get('value')} imported") return obs_yeti 
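Review bot: `pycountry.countries.get(name=name)` returns `None` for a name it does not know (older pycountry releases raise `KeyError` instead), so the new `int(...numeric)` line fails with an `AttributeError` on any unrecognised or differently-spelled name instead of a clear error; the lookup is also an exact match on `name`, so official or common spellings found in imported data will miss. Guard the lookup before converting and fail with an explicit message, as below. `set_country_code_by_name` is fully visible in this hunk, but where the name originates (user input or imported feed data) is not, so whether raising or leaving `country_code` unset is the right failure mode should follow the caller's contract.
```python
    def set_country_code_by_name(self, name: str):
        import pycountry

        country = pycountry.countries.get(name=name)
        if country is None:
            raise ValueError(f"unknown country name: {name!r}")
        self.country_code = int(country.numeric)

# … unchanged: SeverityType enum follows …
```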
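Review bot: `if attribute['Tag']:` indexes a key that MISP attribute JSON does not always carry — as far as I recall the `Tag` list is omitted for untagged attributes — so the import would abort with `KeyError` on the first untagged attribute; `if attribute.get("Tag"):` keeps the intended truthiness check without the crash. The same `["Tag"]` / `t['name']` pattern is re-emitted unchanged by PATCH 24's quote-normalisation hunk and by the `misp_to_yeti` hunk that builds `[t['name'] for t in self.misp_event["Tag"]]`, where `.get("Tag", [])` fits equally well. These tag names are taken verbatim from the imported event, so any validation of what becomes a Yeti tag has to live inside `.tag()`, which this hunk does not show. The enclosing `attr_misp_to_yeti` starts outside the hunk (only its `def` line appears in the hunk header).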
@@ -90,7 +93,7 @@ def misp_to_yeti(self): invest = entity.Investigation(name=self.misp_event["info"]).save() if self.misp_event["Tag"]: - invest.tag(self.misp_event["Tag"]) + invest.tag([t['name'] for t in self.misp_event["Tag"]]) invest.description = ( f"Org {self.misp_event['Orgc']['name']} Event id: {self.misp_event['id']}" ) From 6a7f32e02fb82ecda3cee9d61c29019eb96db819 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 17:11:37 +0100 Subject: [PATCH 24/69] Update misp_to_yeti.py --- core/common/misp_to_yeti.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 35b3d6502..3f3ce4379 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -51,8 +51,8 @@ def attr_misp_to_yeti( obs_yeti = observable.TYPE_MAPPING[ MISP_Attribute_TO_IMPORT[attribute.get("type")] # type: ignore ](value=attribute.get("value")).save() - - if attribute['Tag']: + + if attribute["Tag"]: obs_yeti.tag([t["name"] for t in attribute["Tag"]]) invest.link_to(obs_yeti, "imported_by_misp", description) print(f"Attribute {attribute.get('value')} imported") @@ -93,7 +93,7 @@ def misp_to_yeti(self): invest = entity.Investigation(name=self.misp_event["info"]).save() if self.misp_event["Tag"]: - invest.tag([t['name'] for t in self.misp_event["Tag"]]) + invest.tag([t["name"] for t in self.misp_event["Tag"]]) invest.description = ( f"Org {self.misp_event['Orgc']['name']} Event id: {self.misp_event['id']}" ) From a262fd86344fe3b3f9390254e24c574d402eda63 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 17:14:28 +0100 Subject: [PATCH 25/69] update --- poetry.lock | 158 +--------------------------------------------------- 1 file changed, 1 insertion(+), 157 deletions(-) diff --git a/poetry.lock b/poetry.lock index 4bf2241da..7f10a815f 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.8.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand. [[package]] name = "altair" @@ -623,28 +623,6 @@ ssh = ["bcrypt (>=3.1.5)"] test = ["pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] test-randomorder = ["pytest-randomly"] -[[package]] -name = "dateparser" -version = "1.2.0" -description = "Date parsing library designed to parse dates from HTML pages" -optional = false -python-versions = ">=3.7" -files = [ - {file = "dateparser-1.2.0-py2.py3-none-any.whl", hash = "sha256:0b21ad96534e562920a0083e97fd45fa959882d4162acc358705144520a35830"}, - {file = "dateparser-1.2.0.tar.gz", hash = "sha256:7975b43a4222283e0ae15be7b4999d08c9a70e2d378ac87385b1ccf2cffbbb30"}, -] - -[package.dependencies] -python-dateutil = "*" -pytz = "*" -regex = "<2019.02.19 || >2019.02.19,<2021.8.27 || >2021.8.27" -tzlocal = "*" - -[package.extras] -calendars = ["convertdate", "hijri-converter"] -fasttext = ["fasttext"] -langdetect = ["langdetect"] - [[package]] name = "deprecated" version = "1.2.14" @@ -1540,17 +1518,6 @@ files = [ [package.dependencies] pyasn1 = ">=0.4.6,<0.6.0" -[[package]] -name = "pycountry" -version = "23.12.11" -description = "ISO country, subdivision, language, currency and script definitions and their translations" -optional = false -python-versions = ">=3.8" -files = [ - {file = "pycountry-23.12.11-py3-none-any.whl", hash = "sha256:2ff91cff4f40ff61086e773d61e72005fe95de4a57bfc765509db05695dc50ab"}, - {file = "pycountry-23.12.11.tar.gz", hash = "sha256:00569d82eaefbc6a490a311bfa84a9c571cff9ddbf8b0a4f4e7b4f868b4ad925"}, -] - [[package]] name = "pycparser" version = "2.21" 
@@ -1954,108 +1921,6 @@ files = [ attrs = ">=22.2.0" rpds-py = ">=0.7.0" -[[package]] -name = "regex" -version = "2023.12.25" -description = "Alternative regular expression module, to replace re." -optional = false -python-versions = ">=3.7" -files = [ - {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0694219a1d54336fd0445ea382d49d36882415c0134ee1e8332afd1529f0baa5"}, - {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b014333bd0217ad3d54c143de9d4b9a3ca1c5a29a6d0d554952ea071cff0f1f8"}, - {file = "regex-2023.12.25-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d865984b3f71f6d0af64d0d88f5733521698f6c16f445bb09ce746c92c97c586"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1e0eabac536b4cc7f57a5f3d095bfa557860ab912f25965e08fe1545e2ed8b4c"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c25a8ad70e716f96e13a637802813f65d8a6760ef48672aa3502f4c24ea8b400"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a9b6d73353f777630626f403b0652055ebfe8ff142a44ec2cf18ae470395766e"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a9cc99d6946d750eb75827cb53c4371b8b0fe89c733a94b1573c9dd16ea6c9e4"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88d1f7bef20c721359d8675f7d9f8e414ec5003d8f642fdfd8087777ff7f94b5"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cb3fe77aec8f1995611f966d0c656fdce398317f850d0e6e7aebdfe61f40e1cd"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:7aa47c2e9ea33a4a2a05f40fcd3ea36d73853a2aae7b4feab6fc85f8bf2c9704"}, - {file = 
"regex-2023.12.25-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:df26481f0c7a3f8739fecb3e81bc9da3fcfae34d6c094563b9d4670b047312e1"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:c40281f7d70baf6e0db0c2f7472b31609f5bc2748fe7275ea65a0b4601d9b392"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:d94a1db462d5690ebf6ae86d11c5e420042b9898af5dcf278bd97d6bda065423"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ba1b30765a55acf15dce3f364e4928b80858fa8f979ad41f862358939bdd1f2f"}, - {file = "regex-2023.12.25-cp310-cp310-win32.whl", hash = "sha256:150c39f5b964e4d7dba46a7962a088fbc91f06e606f023ce57bb347a3b2d4630"}, - {file = "regex-2023.12.25-cp310-cp310-win_amd64.whl", hash = "sha256:09da66917262d9481c719599116c7dc0c321ffcec4b1f510c4f8a066f8768105"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:1b9d811f72210fa9306aeb88385b8f8bcef0dfbf3873410413c00aa94c56c2b6"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d902a43085a308cef32c0d3aea962524b725403fd9373dea18110904003bac97"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:d166eafc19f4718df38887b2bbe1467a4f74a9830e8605089ea7a30dd4da8887"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c7ad32824b7f02bb3c9f80306d405a1d9b7bb89362d68b3c5a9be53836caebdb"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:636ba0a77de609d6510235b7f0e77ec494d2657108f777e8765efc060094c98c"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0fda75704357805eb953a3ee15a2b240694a9a514548cd49b3c5124b4e2ad01b"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f72cbae7f6b01591f90814250e636065850c5926751af02bb48da94dfced7baa"}, 
- {file = "regex-2023.12.25-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db2a0b1857f18b11e3b0e54ddfefc96af46b0896fb678c85f63fb8c37518b3e7"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:7502534e55c7c36c0978c91ba6f61703faf7ce733715ca48f499d3dbbd7657e0"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:e8c7e08bb566de4faaf11984af13f6bcf6a08f327b13631d41d62592681d24fe"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:283fc8eed679758de38fe493b7d7d84a198b558942b03f017b1f94dda8efae80"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:f44dd4d68697559d007462b0a3a1d9acd61d97072b71f6d1968daef26bc744bd"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:67d3ccfc590e5e7197750fcb3a2915b416a53e2de847a728cfa60141054123d4"}, - {file = "regex-2023.12.25-cp311-cp311-win32.whl", hash = "sha256:68191f80a9bad283432385961d9efe09d783bcd36ed35a60fb1ff3f1ec2efe87"}, - {file = "regex-2023.12.25-cp311-cp311-win_amd64.whl", hash = "sha256:7d2af3f6b8419661a0c421584cfe8aaec1c0e435ce7e47ee2a97e344b98f794f"}, - {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8a0ccf52bb37d1a700375a6b395bff5dd15c50acb745f7db30415bae3c2b0715"}, - {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c3c4a78615b7762740531c27cf46e2f388d8d727d0c0c739e72048beb26c8a9d"}, - {file = "regex-2023.12.25-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ad83e7545b4ab69216cef4cc47e344d19622e28aabec61574b20257c65466d6a"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b7a635871143661feccce3979e1727c4e094f2bdfd3ec4b90dfd4f16f571a87a"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = 
"sha256:d498eea3f581fbe1b34b59c697512a8baef88212f92e4c7830fcc1499f5b45a5"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:43f7cd5754d02a56ae4ebb91b33461dc67be8e3e0153f593c509e21d219c5060"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51f4b32f793812714fd5307222a7f77e739b9bc566dc94a18126aba3b92b98a3"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ba99d8077424501b9616b43a2d208095746fb1284fc5ba490139651f971d39d9"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:4bfc2b16e3ba8850e0e262467275dd4d62f0d045e0e9eda2bc65078c0110a11f"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8c2c19dae8a3eb0ea45a8448356ed561be843b13cbc34b840922ddf565498c1c"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:60080bb3d8617d96f0fb7e19796384cc2467447ef1c491694850ebd3670bc457"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b77e27b79448e34c2c51c09836033056a0547aa360c45eeeb67803da7b0eedaf"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:518440c991f514331f4850a63560321f833979d145d7d81186dbe2f19e27ae3d"}, - {file = "regex-2023.12.25-cp312-cp312-win32.whl", hash = "sha256:e2610e9406d3b0073636a3a2e80db05a02f0c3169b5632022b4e81c0364bcda5"}, - {file = "regex-2023.12.25-cp312-cp312-win_amd64.whl", hash = "sha256:cc37b9aeebab425f11f27e5e9e6cf580be7206c6582a64467a14dda211abc232"}, - {file = "regex-2023.12.25-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:da695d75ac97cb1cd725adac136d25ca687da4536154cdc2815f576e4da11c69"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d126361607b33c4eb7b36debc173bf25d7805847346dd4d99b5499e1fef52bc7"}, - {file = 
"regex-2023.12.25-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4719bb05094d7d8563a450cf8738d2e1061420f79cfcc1fa7f0a44744c4d8f73"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5dd58946bce44b53b06d94aa95560d0b243eb2fe64227cba50017a8d8b3cd3e2"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:22a86d9fff2009302c440b9d799ef2fe322416d2d58fc124b926aa89365ec482"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2aae8101919e8aa05ecfe6322b278f41ce2994c4a430303c4cd163fef746e04f"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:e692296c4cc2873967771345a876bcfc1c547e8dd695c6b89342488b0ea55cd8"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:263ef5cc10979837f243950637fffb06e8daed7f1ac1e39d5910fd29929e489a"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:d6f7e255e5fa94642a0724e35406e6cb7001c09d476ab5fce002f652b36d0c39"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:88ad44e220e22b63b0f8f81f007e8abbb92874d8ced66f32571ef8beb0643b2b"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:3a17d3ede18f9cedcbe23d2daa8a2cd6f59fe2bf082c567e43083bba3fb00347"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:d15b274f9e15b1a0b7a45d2ac86d1f634d983ca40d6b886721626c47a400bf39"}, - {file = "regex-2023.12.25-cp37-cp37m-win32.whl", hash = "sha256:ed19b3a05ae0c97dd8f75a5d8f21f7723a8c33bbc555da6bbe1f96c470139d3c"}, - {file = "regex-2023.12.25-cp37-cp37m-win_amd64.whl", hash = "sha256:a6d1047952c0b8104a1d371f88f4ab62e6275567d4458c1e26e9627ad489b445"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_universal2.whl", 
hash = "sha256:b43523d7bc2abd757119dbfb38af91b5735eea45537ec6ec3a5ec3f9562a1c53"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:efb2d82f33b2212898f1659fb1c2e9ac30493ac41e4d53123da374c3b5541e64"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:b7fca9205b59c1a3d5031f7e64ed627a1074730a51c2a80e97653e3e9fa0d415"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:086dd15e9435b393ae06f96ab69ab2d333f5d65cbe65ca5a3ef0ec9564dfe770"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e81469f7d01efed9b53740aedd26085f20d49da65f9c1f41e822a33992cb1590"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:34e4af5b27232f68042aa40a91c3b9bb4da0eeb31b7632e0091afc4310afe6cb"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9852b76ab558e45b20bf1893b59af64a28bd3820b0c2efc80e0a70a4a3ea51c1"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ff100b203092af77d1a5a7abe085b3506b7eaaf9abf65b73b7d6905b6cb76988"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cc038b2d8b1470364b1888a98fd22d616fba2b6309c5b5f181ad4483e0017861"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:094ba386bb5c01e54e14434d4caabf6583334090865b23ef58e0424a6286d3dc"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5cd05d0f57846d8ba4b71d9c00f6f37d6b97d5e5ef8b3c3840426a475c8f70f4"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:9aa1a67bbf0f957bbe096375887b2505f5d8ae16bf04488e8b0f334c36e31360"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_s390x.whl", hash = 
"sha256:98a2636994f943b871786c9e82bfe7883ecdaba2ef5df54e1450fa9869d1f756"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:37f8e93a81fc5e5bd8db7e10e62dc64261bcd88f8d7e6640aaebe9bc180d9ce2"}, - {file = "regex-2023.12.25-cp38-cp38-win32.whl", hash = "sha256:d78bd484930c1da2b9679290a41cdb25cc127d783768a0369d6b449e72f88beb"}, - {file = "regex-2023.12.25-cp38-cp38-win_amd64.whl", hash = "sha256:b521dcecebc5b978b447f0f69b5b7f3840eac454862270406a39837ffae4e697"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:f7bc09bc9c29ebead055bcba136a67378f03d66bf359e87d0f7c759d6d4ffa31"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:e14b73607d6231f3cc4622809c196b540a6a44e903bcfad940779c80dffa7be7"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9eda5f7a50141291beda3edd00abc2d4a5b16c29c92daf8d5bd76934150f3edc"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc6bb9aa69aacf0f6032c307da718f61a40cf970849e471254e0e91c56ffca95"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:298dc6354d414bc921581be85695d18912bea163a8b23cac9a2562bbcd5088b1"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2f4e475a80ecbd15896a976aa0b386c5525d0ed34d5c600b6d3ebac0a67c7ddf"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:531ac6cf22b53e0696f8e1d56ce2396311254eb806111ddd3922c9d937151dae"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:22f3470f7524b6da61e2020672df2f3063676aff444db1daa283c2ea4ed259d6"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = 
"sha256:89723d2112697feaa320c9d351e5f5e7b841e83f8b143dba8e2d2b5f04e10923"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0ecf44ddf9171cd7566ef1768047f6e66975788258b1c6c6ca78098b95cf9a3d"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:905466ad1702ed4acfd67a902af50b8db1feeb9781436372261808df7a2a7bca"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:4558410b7a5607a645e9804a3e9dd509af12fb72b9825b13791a37cd417d73a5"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:7e316026cc1095f2a3e8cc012822c99f413b702eaa2ca5408a513609488cb62f"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:3b1de218d5375cd6ac4b5493e0b9f3df2be331e86520f23382f216c137913d20"}, - {file = "regex-2023.12.25-cp39-cp39-win32.whl", hash = "sha256:11a963f8e25ab5c61348d090bf1b07f1953929c13bd2309a0662e9ff680763c9"}, - {file = "regex-2023.12.25-cp39-cp39-win_amd64.whl", hash = "sha256:e693e233ac92ba83a87024e1d32b5f9ab15ca55ddd916d878146f4e3406b5c91"}, - {file = "regex-2023.12.25.tar.gz", hash = "sha256:29171aa128da69afdf4bde412d5bedc335f2ca8fcfe4489038577d05f16181e5"}, -] - [[package]] name = "requests" version = "2.31.0" 
@@ -2485,23 +2350,6 @@ files = [ {file = "tzdata-2024.1.tar.gz", hash = "sha256:2674120f8d891909751c38abcdfd386ac0a5a1127954fbc332af6b5ceae07efd"}, ] -[[package]] -name = "tzlocal" -version = "5.2" -description = "tzinfo object for the local timezone" -optional = false -python-versions = ">=3.8" -files = [ - {file = "tzlocal-5.2-py3-none-any.whl", hash = "sha256:49816ef2fe65ea8ac19d19aa7a1ae0551c834303d5014c6d5a62e4cbda8047b8"}, - {file = "tzlocal-5.2.tar.gz", hash = "sha256:8d399205578f1a9342816409cc1e46a93ebd5755e39ea2d85334bea911bf0e6e"}, -] - -[package.dependencies] -tzdata = {version = "*", markers = "platform_system == \"Windows\""} - -[package.extras] -devenv = ["check-manifest", "pytest (>=4.3)", "pytest-cov", "pytest-mock (>=3.3)", "zest.releaser"] - [[package]] name = "urllib3" version = "2.2.1" @@ -2690,8 +2538,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p [metadata] lock-version = "2.0" python-versions = ">=3.10,<3.12" - -content-hash = "d6f401844101f765f4b2ea40bc509f627eda1132b56364b09baff855deda7407" - content-hash = "feb357b7966cdc46d391a7cc680b816b047614277c9d37b4e30287504dc51b5b" - From 02071deab06767dab471bd7456445b3216aa560b Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 17:16:19 +0100 Subject: [PATCH 26/69] Update poetry.lock --- poetry.lock | 164 ++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 158 insertions(+), 6 deletions(-) diff --git a/poetry.lock b/poetry.lock index 7f10a815f..47e24c0b3 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.1 and should not be changed by hand. [[package]] name = "altair" 
@@ -98,7 +98,7 @@ develop = false type = "git" url = "https://github.com/forensicartifacts/artifacts.git" reference = "main" -resolved_reference = "2449049ef7c3b2f06ed8dfab9862b8d168ce36db" +resolved_reference = "b2757454ff039b525a1e98a4e09c421fb634b43a" [[package]] name = "astroid" @@ -623,6 +623,28 @@ ssh = ["bcrypt (>=3.1.5)"] test = ["pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] test-randomorder = ["pytest-randomly"] +[[package]] +name = "dateparser" +version = "1.2.0" +description = "Date parsing library designed to parse dates from HTML pages" +optional = false +python-versions = ">=3.7" +files = [ + {file = "dateparser-1.2.0-py2.py3-none-any.whl", hash = "sha256:0b21ad96534e562920a0083e97fd45fa959882d4162acc358705144520a35830"}, + {file = "dateparser-1.2.0.tar.gz", hash = "sha256:7975b43a4222283e0ae15be7b4999d08c9a70e2d378ac87385b1ccf2cffbbb30"}, +] + +[package.dependencies] +python-dateutil = "*" +pytz = "*" +regex = "<2019.02.19 || >2019.02.19,<2021.8.27 || >2021.8.27" +tzlocal = "*" + +[package.extras] +calendars = ["convertdate", "hijri-converter"] +fasttext = ["fasttext"] +langdetect = ["langdetect"] + [[package]] name = "deprecated" version = "1.2.14" 
@@ -1480,13 +1502,13 @@ wcwidth = "*" [[package]] name = "publicsuffixlist" -version = "0.10.0.20240303" +version = "0.10.0.20240305" description = "publicsuffixlist implement" optional = false python-versions = ">=2.6" files = [ - {file = "publicsuffixlist-0.10.0.20240303-py2.py3-none-any.whl", hash = "sha256:58b11e02df9f06e6f535a7d7fa107491f6a66b5c115f3b392ee154fcb6278598"}, - {file = "publicsuffixlist-0.10.0.20240303.tar.gz", hash = "sha256:9f30dcd5c2b3dbd3882c89a7ba1e5f0434c9e48b118e585c74659f339208ab3a"}, + {file = "publicsuffixlist-0.10.0.20240305-py2.py3-none-any.whl", hash = "sha256:f6869119f8781501c0c625e59b4b65eb60e2ed5185cfd6c142c792f74ac47c21"}, + {file = "publicsuffixlist-0.10.0.20240305.tar.gz", hash = "sha256:6e79ea73b0278ce1b102f3ad6815f2a5b683864da9948ba0b0eab3180c419f7f"}, ] [package.extras] @@ -1518,6 +1540,17 @@ files = [ [package.dependencies] pyasn1 = ">=0.4.6,<0.6.0" +[[package]] +name = "pycountry" +version = "23.12.11" +description = "ISO country, subdivision, language, currency and script definitions and their translations" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pycountry-23.12.11-py3-none-any.whl", hash = "sha256:2ff91cff4f40ff61086e773d61e72005fe95de4a57bfc765509db05695dc50ab"}, + {file = "pycountry-23.12.11.tar.gz", hash = "sha256:00569d82eaefbc6a490a311bfa84a9c571cff9ddbf8b0a4f4e7b4f868b4ad925"}, +] + [[package]] name = "pycparser" version = "2.21" 
@@ -1921,6 +1954,108 @@ files = [ attrs = ">=22.2.0" rpds-py = ">=0.7.0" +[[package]] +name = "regex" +version = "2023.12.25" +description = "Alternative regular expression module, to replace re." +optional = false +python-versions = ">=3.7" +files = [ + {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0694219a1d54336fd0445ea382d49d36882415c0134ee1e8332afd1529f0baa5"}, + {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b014333bd0217ad3d54c143de9d4b9a3ca1c5a29a6d0d554952ea071cff0f1f8"}, + {file = "regex-2023.12.25-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d865984b3f71f6d0af64d0d88f5733521698f6c16f445bb09ce746c92c97c586"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1e0eabac536b4cc7f57a5f3d095bfa557860ab912f25965e08fe1545e2ed8b4c"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c25a8ad70e716f96e13a637802813f65d8a6760ef48672aa3502f4c24ea8b400"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a9b6d73353f777630626f403b0652055ebfe8ff142a44ec2cf18ae470395766e"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a9cc99d6946d750eb75827cb53c4371b8b0fe89c733a94b1573c9dd16ea6c9e4"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88d1f7bef20c721359d8675f7d9f8e414ec5003d8f642fdfd8087777ff7f94b5"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cb3fe77aec8f1995611f966d0c656fdce398317f850d0e6e7aebdfe61f40e1cd"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:7aa47c2e9ea33a4a2a05f40fcd3ea36d73853a2aae7b4feab6fc85f8bf2c9704"}, + {file = 
"regex-2023.12.25-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:df26481f0c7a3f8739fecb3e81bc9da3fcfae34d6c094563b9d4670b047312e1"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:c40281f7d70baf6e0db0c2f7472b31609f5bc2748fe7275ea65a0b4601d9b392"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:d94a1db462d5690ebf6ae86d11c5e420042b9898af5dcf278bd97d6bda065423"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ba1b30765a55acf15dce3f364e4928b80858fa8f979ad41f862358939bdd1f2f"}, + {file = "regex-2023.12.25-cp310-cp310-win32.whl", hash = "sha256:150c39f5b964e4d7dba46a7962a088fbc91f06e606f023ce57bb347a3b2d4630"}, + {file = "regex-2023.12.25-cp310-cp310-win_amd64.whl", hash = "sha256:09da66917262d9481c719599116c7dc0c321ffcec4b1f510c4f8a066f8768105"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:1b9d811f72210fa9306aeb88385b8f8bcef0dfbf3873410413c00aa94c56c2b6"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d902a43085a308cef32c0d3aea962524b725403fd9373dea18110904003bac97"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:d166eafc19f4718df38887b2bbe1467a4f74a9830e8605089ea7a30dd4da8887"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c7ad32824b7f02bb3c9f80306d405a1d9b7bb89362d68b3c5a9be53836caebdb"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:636ba0a77de609d6510235b7f0e77ec494d2657108f777e8765efc060094c98c"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0fda75704357805eb953a3ee15a2b240694a9a514548cd49b3c5124b4e2ad01b"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f72cbae7f6b01591f90814250e636065850c5926751af02bb48da94dfced7baa"}, 
+ {file = "regex-2023.12.25-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db2a0b1857f18b11e3b0e54ddfefc96af46b0896fb678c85f63fb8c37518b3e7"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:7502534e55c7c36c0978c91ba6f61703faf7ce733715ca48f499d3dbbd7657e0"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:e8c7e08bb566de4faaf11984af13f6bcf6a08f327b13631d41d62592681d24fe"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:283fc8eed679758de38fe493b7d7d84a198b558942b03f017b1f94dda8efae80"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:f44dd4d68697559d007462b0a3a1d9acd61d97072b71f6d1968daef26bc744bd"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:67d3ccfc590e5e7197750fcb3a2915b416a53e2de847a728cfa60141054123d4"}, + {file = "regex-2023.12.25-cp311-cp311-win32.whl", hash = "sha256:68191f80a9bad283432385961d9efe09d783bcd36ed35a60fb1ff3f1ec2efe87"}, + {file = "regex-2023.12.25-cp311-cp311-win_amd64.whl", hash = "sha256:7d2af3f6b8419661a0c421584cfe8aaec1c0e435ce7e47ee2a97e344b98f794f"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8a0ccf52bb37d1a700375a6b395bff5dd15c50acb745f7db30415bae3c2b0715"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c3c4a78615b7762740531c27cf46e2f388d8d727d0c0c739e72048beb26c8a9d"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ad83e7545b4ab69216cef4cc47e344d19622e28aabec61574b20257c65466d6a"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b7a635871143661feccce3979e1727c4e094f2bdfd3ec4b90dfd4f16f571a87a"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = 
"sha256:d498eea3f581fbe1b34b59c697512a8baef88212f92e4c7830fcc1499f5b45a5"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:43f7cd5754d02a56ae4ebb91b33461dc67be8e3e0153f593c509e21d219c5060"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51f4b32f793812714fd5307222a7f77e739b9bc566dc94a18126aba3b92b98a3"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ba99d8077424501b9616b43a2d208095746fb1284fc5ba490139651f971d39d9"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:4bfc2b16e3ba8850e0e262467275dd4d62f0d045e0e9eda2bc65078c0110a11f"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8c2c19dae8a3eb0ea45a8448356ed561be843b13cbc34b840922ddf565498c1c"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:60080bb3d8617d96f0fb7e19796384cc2467447ef1c491694850ebd3670bc457"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b77e27b79448e34c2c51c09836033056a0547aa360c45eeeb67803da7b0eedaf"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:518440c991f514331f4850a63560321f833979d145d7d81186dbe2f19e27ae3d"}, + {file = "regex-2023.12.25-cp312-cp312-win32.whl", hash = "sha256:e2610e9406d3b0073636a3a2e80db05a02f0c3169b5632022b4e81c0364bcda5"}, + {file = "regex-2023.12.25-cp312-cp312-win_amd64.whl", hash = "sha256:cc37b9aeebab425f11f27e5e9e6cf580be7206c6582a64467a14dda211abc232"}, + {file = "regex-2023.12.25-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:da695d75ac97cb1cd725adac136d25ca687da4536154cdc2815f576e4da11c69"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d126361607b33c4eb7b36debc173bf25d7805847346dd4d99b5499e1fef52bc7"}, + {file = 
"regex-2023.12.25-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4719bb05094d7d8563a450cf8738d2e1061420f79cfcc1fa7f0a44744c4d8f73"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5dd58946bce44b53b06d94aa95560d0b243eb2fe64227cba50017a8d8b3cd3e2"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:22a86d9fff2009302c440b9d799ef2fe322416d2d58fc124b926aa89365ec482"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2aae8101919e8aa05ecfe6322b278f41ce2994c4a430303c4cd163fef746e04f"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:e692296c4cc2873967771345a876bcfc1c547e8dd695c6b89342488b0ea55cd8"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:263ef5cc10979837f243950637fffb06e8daed7f1ac1e39d5910fd29929e489a"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:d6f7e255e5fa94642a0724e35406e6cb7001c09d476ab5fce002f652b36d0c39"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:88ad44e220e22b63b0f8f81f007e8abbb92874d8ced66f32571ef8beb0643b2b"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:3a17d3ede18f9cedcbe23d2daa8a2cd6f59fe2bf082c567e43083bba3fb00347"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:d15b274f9e15b1a0b7a45d2ac86d1f634d983ca40d6b886721626c47a400bf39"}, + {file = "regex-2023.12.25-cp37-cp37m-win32.whl", hash = "sha256:ed19b3a05ae0c97dd8f75a5d8f21f7723a8c33bbc555da6bbe1f96c470139d3c"}, + {file = "regex-2023.12.25-cp37-cp37m-win_amd64.whl", hash = "sha256:a6d1047952c0b8104a1d371f88f4ab62e6275567d4458c1e26e9627ad489b445"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_universal2.whl", 
hash = "sha256:b43523d7bc2abd757119dbfb38af91b5735eea45537ec6ec3a5ec3f9562a1c53"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:efb2d82f33b2212898f1659fb1c2e9ac30493ac41e4d53123da374c3b5541e64"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:b7fca9205b59c1a3d5031f7e64ed627a1074730a51c2a80e97653e3e9fa0d415"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:086dd15e9435b393ae06f96ab69ab2d333f5d65cbe65ca5a3ef0ec9564dfe770"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e81469f7d01efed9b53740aedd26085f20d49da65f9c1f41e822a33992cb1590"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:34e4af5b27232f68042aa40a91c3b9bb4da0eeb31b7632e0091afc4310afe6cb"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9852b76ab558e45b20bf1893b59af64a28bd3820b0c2efc80e0a70a4a3ea51c1"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ff100b203092af77d1a5a7abe085b3506b7eaaf9abf65b73b7d6905b6cb76988"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cc038b2d8b1470364b1888a98fd22d616fba2b6309c5b5f181ad4483e0017861"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:094ba386bb5c01e54e14434d4caabf6583334090865b23ef58e0424a6286d3dc"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5cd05d0f57846d8ba4b71d9c00f6f37d6b97d5e5ef8b3c3840426a475c8f70f4"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:9aa1a67bbf0f957bbe096375887b2505f5d8ae16bf04488e8b0f334c36e31360"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_s390x.whl", hash = 
"sha256:98a2636994f943b871786c9e82bfe7883ecdaba2ef5df54e1450fa9869d1f756"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:37f8e93a81fc5e5bd8db7e10e62dc64261bcd88f8d7e6640aaebe9bc180d9ce2"}, + {file = "regex-2023.12.25-cp38-cp38-win32.whl", hash = "sha256:d78bd484930c1da2b9679290a41cdb25cc127d783768a0369d6b449e72f88beb"}, + {file = "regex-2023.12.25-cp38-cp38-win_amd64.whl", hash = "sha256:b521dcecebc5b978b447f0f69b5b7f3840eac454862270406a39837ffae4e697"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:f7bc09bc9c29ebead055bcba136a67378f03d66bf359e87d0f7c759d6d4ffa31"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:e14b73607d6231f3cc4622809c196b540a6a44e903bcfad940779c80dffa7be7"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9eda5f7a50141291beda3edd00abc2d4a5b16c29c92daf8d5bd76934150f3edc"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc6bb9aa69aacf0f6032c307da718f61a40cf970849e471254e0e91c56ffca95"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:298dc6354d414bc921581be85695d18912bea163a8b23cac9a2562bbcd5088b1"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2f4e475a80ecbd15896a976aa0b386c5525d0ed34d5c600b6d3ebac0a67c7ddf"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:531ac6cf22b53e0696f8e1d56ce2396311254eb806111ddd3922c9d937151dae"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:22f3470f7524b6da61e2020672df2f3063676aff444db1daa283c2ea4ed259d6"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = 
"sha256:89723d2112697feaa320c9d351e5f5e7b841e83f8b143dba8e2d2b5f04e10923"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0ecf44ddf9171cd7566ef1768047f6e66975788258b1c6c6ca78098b95cf9a3d"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:905466ad1702ed4acfd67a902af50b8db1feeb9781436372261808df7a2a7bca"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:4558410b7a5607a645e9804a3e9dd509af12fb72b9825b13791a37cd417d73a5"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:7e316026cc1095f2a3e8cc012822c99f413b702eaa2ca5408a513609488cb62f"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:3b1de218d5375cd6ac4b5493e0b9f3df2be331e86520f23382f216c137913d20"}, + {file = "regex-2023.12.25-cp39-cp39-win32.whl", hash = "sha256:11a963f8e25ab5c61348d090bf1b07f1953929c13bd2309a0662e9ff680763c9"}, + {file = "regex-2023.12.25-cp39-cp39-win_amd64.whl", hash = "sha256:e693e233ac92ba83a87024e1d32b5f9ab15ca55ddd916d878146f4e3406b5c91"}, + {file = "regex-2023.12.25.tar.gz", hash = "sha256:29171aa128da69afdf4bde412d5bedc335f2ca8fcfe4489038577d05f16181e5"}, +] + [[package]] name = "requests" version = "2.31.0" 
@@ -2350,6 +2485,23 @@ files = [ {file = "tzdata-2024.1.tar.gz", hash = "sha256:2674120f8d891909751c38abcdfd386ac0a5a1127954fbc332af6b5ceae07efd"}, ] +[[package]] +name = "tzlocal" +version = "5.2" +description = "tzinfo object for the local timezone" +optional = false +python-versions = ">=3.8" +files = [ + {file = "tzlocal-5.2-py3-none-any.whl", hash = "sha256:49816ef2fe65ea8ac19d19aa7a1ae0551c834303d5014c6d5a62e4cbda8047b8"}, + {file = "tzlocal-5.2.tar.gz", hash = "sha256:8d399205578f1a9342816409cc1e46a93ebd5755e39ea2d85334bea911bf0e6e"}, +] + +[package.dependencies] +tzdata = {version = "*", markers = "platform_system == \"Windows\""} + +[package.extras] +devenv = ["check-manifest", "pytest (>=4.3)", "pytest-cov", "pytest-mock (>=3.3)", "zest.releaser"] + [[package]] name = "urllib3" version = "2.2.1" @@ -2538,4 +2690,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p [metadata] lock-version = "2.0" python-versions = ">=3.10,<3.12" -content-hash = "feb357b7966cdc46d391a7cc680b816b047614277c9d37b4e30287504dc51b5b" +content-hash = "dabc8f6edfca97b7983905914200696ae83fe48a52c4b7094423643bf49c0d2d" From 731b540a84e728ccf4e2419126fbbc1b00fe1517 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 17:22:28 +0100 Subject: [PATCH 27/69] Update misp_to_yeti.py --- core/common/misp_to_yeti.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 3f3ce4379..115bd9dc5 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py 
@@ -59,10 +59,10 @@ def attr_misp_to_yeti(
         return obs_yeti
 
     def add_context_by_misp(
-        self, attribute_misp: dict, event: dict, obs_yeti: observable.Observable
+        self, attribute_misp: dict, obs_yeti: observable.Observable
     ):
         context = {}
-        context["Org"] = event["Org"]["name"]
+        context["Org"] = self.misp_event["Org"]["name"]
         if attribute_misp.get("comment"):
             context["comment"] = attribute_misp.get("comment")
 
@@ -73,7 +73,7 @@ def add_obs(self, invest: entity.Investigation, obs_misp: dict):
             obs_yeti = self.attr_misp_to_yeti(invest, attr)
 
             if obs_yeti:
-                self.add_context_by_misp(attr, obs_misp, obs_yeti)
+                self.add_context_by_misp(attr, obs_yeti)
                 yield obs_yeti
             else:
                 print(f"Attribute {attr} not imported")
@@ -103,7 +103,7 @@ def misp_to_yeti(self):
         for attribute_misp in self.misp_event["Attribute"]:
             obs_yeti = self.attr_misp_to_yeti(invest, attribute_misp)
             if obs_yeti:
-                self.add_context_by_misp(attribute_misp, self.misp_event, obs_yeti)
+                self.add_context_by_misp(attribute_misp, obs_yeti)
             else:
                 print(f"Attribute {attribute_misp} not imported")
         invest.save()
From 7ba8343d3d5d0c88c0d5c36cc3a7205f6467433b Mon Sep 17 00:00:00 2001
From: Sebdraven <sebdraven@protonmail.com>
Date: Tue, 5 Mar 2024 17:43:33 +0100
Subject: [PATCH 28/69] add test
---
 tests/apiv2/import_data.py | 15 +-
 tests/misp_test_data/misp_event_objects.json | 189 +++++++++++++++++++
 2 files changed, 201 insertions(+), 3 deletions(-)
 create mode 100644 tests/misp_test_data/misp_event_objects.json
diff --git a/tests/apiv2/import_data.py b/tests/apiv2/import_data.py
index 2fa47f691..1bac8417f 100644
--- a/tests/apiv2/import_data.py
+++ b/tests/apiv2/import_data.py
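Review bot: `context["Org"] = self.misp_event["Org"]["name"]` in add_context_by_misp records the organisation that owns the event on the exporting instance, while the later commits in this series label links and the investigation description with `self.misp_event['Orgc']['name']`, the creating organisation; for events received through synchronisation the two differ, so the per-observable context and the investigation provenance would name different sources. Pick one (Orgc is the party that asserted the indicator) and use it in both places, e.g. `context["Org"] = self.misp_event["Orgc"]["name"]`. In the add_obs hunk the skipped-attribute branch still reports via `print(f"Attribute {attr} not imported")`, writing the whole attribute dict to stdout; a `logging` call with the attribute's type and uuid would be easier to act on and to filter. add_obs's body starts before this hunk.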
@@ -26,14 +26,23 @@ def setUpClass(cls) -> None:
         ).json()
         client.headers = {"Authorization": "Bearer " + token_data["access_token"]}
 
-        cls.path_json = "tests/misp_test_data/misp_event.json"
+        cls.misp_json_files = ["tests/misp_test_data/misp_event.json", "tests/misp_test_data/misp_event_objects.json"]
 
     def test_import_misp(self):
         logging.info("Test import misp")
-        with open(self.path_json, "rb") as fichier:
-            files = {"misp_file_json": (self.path_json, fichier)}
+        test_file_json= self.misp_json_files[0]
+        with open(test_file_json, "rb") as fichier:
+            files = {"misp_file_json": (self.misp_json_files[0], fichier)}
             r = client.post("/api/v2/import_data/import_misp_json", files=files)
             self.assertEqual(r.status_code, 200)
+    def test_misp_object(self):
+        logging.info("Test misp object")
+        test_file_json = self.misp_json_files[1]
+        with open(test_file_json, "rb") as fichier:
+            files = {"misp_file_json": (test_file_json, fichier)}
+            r = client.post("/api/v2/import_data/import_misp_json", files=files)
+            self.assertEqual(r.status_code, 200)
+
 
 
 if __name__ == "__main__":
diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json
new file mode 100644
index 000000000..1fdbdb05a
--- /dev/null
+++ b/tests/misp_test_data/misp_event_objects.json
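Review bot: Both test_import_misp and the new test_misp_object assert only `r.status_code == 200`, and the importer reports a skipped object or attribute with a print rather than an error, so a fixture whose objects are all silently dropped still passes; after the POST, assert on what was produced (an Investigation named after the fixture's `info`, and the observables the fixture's objects should yield). In test_import_misp the tuple still passes `self.misp_json_files[0]` although `test_file_json` was just bound for that purpose; use `files = {"misp_file_json": (test_file_json, fichier)}` as test_misp_object does.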
@@ -0,0 +1,189 @@ +{ + "Event": { + "id": "114", + "orgc_id": "1", + "org_id": "1", + "date": "2024-03-01", + "threat_level_id": "1", + "info": "test for yeti", + "published": false, + "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", + "attribute_count": "5", + "analysis": "0", + "timestamp": "1709656629", + "distribution": "1", + "proposal_email_lock": false, + "locked": false, + "publish_timestamp": "0", + "sharing_group_id": "0", + "disable_correlation": false, + "extends_uuid": "", + "protected": null, + "event_creator_email": "sebdraven@protonmail.com", + "Org": { + "id": "1", + "name": "SCTIF", + "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d", + "local": true + }, + "Orgc": { + "id": "1", + "name": "SCTIF", + "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d", + "local": true + }, + "Attribute": [], + "ShadowAttribute": [], + "RelatedEvent": [], + "Galaxy": [], + "Object": [ + { + "id": "1035", + "name": "c2-list", + "meta-category": "network", + "description": "List of C2-servers with common ground, e.g. 
extracted from a blog post or ransomware analysis", + "template_uuid": "12456351-ceb7-4d43-9a7e-d2275d8b5785", + "template_version": "20230919", + "event_id": "114", + "uuid": "4017d4cc-284e-480e-9dc8-921dfc25f457", + "timestamp": "1709310117", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10620", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "7f017b41-13ba-4240-a449-3e6840739c26", + "event_id": "114", + "distribution": "5", + "timestamp": "1709308752", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1035", + "object_relation": "c2-ip", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10621", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "685a7a39-422c-4b70-a979-251c341d39e4", + "event_id": "114", + "distribution": "5", + "timestamp": "1709308752", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1035", + "object_relation": "c2-ip", + "first_seen": null, + "last_seen": null, + "value": "2.2.2.2", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10622", + "type": "text", + "category": "Attribution", + "to_ids": false, + "uuid": "b565cdc8-2bbc-4299-9f48-246aebf9172a", + "event_id": "114", + "distribution": "5", + "timestamp": "1709308752", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1035", + "object_relation": "threat", + "first_seen": null, + "last_seen": null, + "value": "malware mechant", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10623", + "type": "ip-src|port", + "category": "Network activity", + "to_ids": true, + "uuid": "26a7ae6b-1a22-4331-8640-cbc90e5787d3", + 
"event_id": "114", + "distribution": "5", + "timestamp": "1709310117", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1035", + "object_relation": "c2-ipport", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1|8888", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1036", + "name": "btc-wallet", + "meta-category": "financial", + "description": "An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.", + "template_uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4", + "template_version": "3", + "event_id": "114", + "uuid": "bd116941-502f-45b3-ac21-2d70d0c9a907", + "timestamp": "1709656629", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": "2024-03-03T00:00:00.000000+00:00", + "last_seen": "2024-03-13T00:00:00.000000+00:00", + "ObjectReference": [], + "Attribute": [ + { + "id": "10624", + "type": "btc", + "category": "Financial fraud", + "to_ids": true, + "uuid": "49e5c32d-901c-404e-b80f-7a240be96ade", + "event_id": "114", + "distribution": "5", + "timestamp": "1709656629", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1036", + "object_relation": "wallet-address", + "first_seen": "2024-03-03T00:00:00.000000+00:00", + "last_seen": "2024-03-13T00:00:00.000000+00:00", + "value": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + } + ], + "EventReport": [], + "CryptographicKey": [] + } +} From cc1d285cd0b622c2292c9c20423cacbc56808978 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 17:48:11 +0100 Subject: [PATCH 29/69] fixe tags --- core/common/misp_to_yeti.py | 12 ++++++------ tests/apiv2/import_data.py | 9 ++++++--- 2 files changed, 12 insertions(+), 9 deletions(-) 
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py
index 115bd9dc5..f3517f5da 100644
--- a/core/common/misp_to_yeti.py
+++ b/core/common/misp_to_yeti.py
@@ -51,9 +51,9 @@ def attr_misp_to_yeti(
             obs_yeti = observable.TYPE_MAPPING[
                 MISP_Attribute_TO_IMPORT[attribute.get("type")]  # type: ignore
             ](value=attribute.get("value")).save()
-
-            if attribute["Tag"]:
-                obs_yeti.tag([t["name"] for t in attribute["Tag"]])
+            tags = attribute.get("Tag")
+            if tags:
+                obs_yeti.tag([t["name"] for t in tags])
             invest.link_to(obs_yeti, "imported_by_misp", description)
             print(f"Attribute {attribute.get('value')} imported")
             return obs_yeti
@@ -91,9 +91,9 @@ def obs_misp_to_yeti(self, invest: entity.Investigation, object_misp: dict):
 
     def misp_to_yeti(self):
         invest = entity.Investigation(name=self.misp_event["info"]).save()
-
-        if self.misp_event["Tag"]:
-            invest.tag([t["name"] for t in self.misp_event["Tag"]])
+        tags = self.misp_event.get("Tag")
+        if tags:
+            invest.tag([t["name"] for t in tags])
         invest.description = (
             f"Org {self.misp_event['Orgc']['name']} Event id: {self.misp_event['id']}"
         )
diff --git a/tests/apiv2/import_data.py b/tests/apiv2/import_data.py
index 1bac8417f..e9d67e84f 100644
--- a/tests/apiv2/import_data.py
+++ b/tests/apiv2/import_data.py
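Review bot: The `tags = ...get("Tag")` / `if tags:` / `.tag([t["name"] for t in tags])` sequence is now written twice, once in attr_misp_to_yeti and once in misp_to_yeti; a small module-level helper such as `def _tag_names(tags): return [t["name"] for t in tags or []]` called from both would keep the two paths in step. Both call sites also apply the tag names verbatim: MISP tags are free-form strings chosen on the remote instance, so importing an event can introduce arbitrary tag names into the local tag set — if the local tags are meant to follow a taxonomy, normalise or allow-list the names before calling `.tag()`. The enclosing attr_misp_to_yeti starts before the first hunk.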
@@ -26,15 +26,19 @@ def setUpClass(cls) -> None:
         ).json()
         client.headers = {"Authorization": "Bearer " + token_data["access_token"]}
 
-        cls.misp_json_files = ["tests/misp_test_data/misp_event.json", "tests/misp_test_data/misp_event_objects.json"]
+        cls.misp_json_files = [
+            "tests/misp_test_data/misp_event.json",
+            "tests/misp_test_data/misp_event_objects.json",
+        ]
 
     def test_import_misp(self):
         logging.info("Test import misp")
-        test_file_json= self.misp_json_files[0]
+        test_file_json = self.misp_json_files[0]
         with open(test_file_json, "rb") as fichier:
             files = {"misp_file_json": (self.misp_json_files[0], fichier)}
             r = client.post("/api/v2/import_data/import_misp_json", files=files)
             self.assertEqual(r.status_code, 200)
+
     def test_misp_object(self):
         logging.info("Test misp object")
         test_file_json = self.misp_json_files[1]
@@ -44,6 +48,5 @@ def test_misp_object(self):
             self.assertEqual(r.status_code, 200)
 
 
-
 if __name__ == "__main__":
     unittest.main()
From 68f8c53cf38c088805e7a676067442dbcd548652 Mon Sep 17 00:00:00 2001
From: Sebdraven <sebdraven@protonmail.com>
Date: Tue, 5 Mar 2024 17:53:51 +0100
Subject: [PATCH 30/69] Update misp_to_yeti.py
---
 core/common/misp_to_yeti.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py
index f3517f5da..d54041911 100644
--- a/core/common/misp_to_yeti.py
+++ b/core/common/misp_to_yeti.py
@@ -7,6 +7,7 @@
 from core.schemas import entity, indicator, observable
 
 MISP_Attribute_TO_IMPORT = {
+    "btc": observable.ObservableType.wallet,
     "domain": observable.ObservableType.hostname,
     "hostname": observable.ObservableType.hostname,
     "ip-dst": observable.ObservableType.ipv4,
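Review bot: The `"btc": observable.ObservableType.wallet` entry added at the top of MISP_Attribute_TO_IMPORT appears to duplicate one already present further down the same literal — the next commit removes a `"btc"` key next to `"named pipe"` — and with duplicate keys in a dict literal the last one silently wins, so the entry should appear once. The test hunks on this line are formatting only; test_import_misp still passes `self.misp_json_files[0]` into the files tuple rather than the `test_file_json` it binds on the line above.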
@@ -51,7 +52,7 @@ def attr_misp_to_yeti(
             obs_yeti = observable.TYPE_MAPPING[
                 MISP_Attribute_TO_IMPORT[attribute.get("type")]  # type: ignore
             ](value=attribute.get("value")).save()
-            tags = attribute.get("Tag")
+            tags = attribute.get("Tag")
             if tags:
                 obs_yeti.tag([t["name"] for t in tags])
             invest.link_to(obs_yeti, "imported_by_misp", description)
@@ -155,7 +156,7 @@ def __import_asn_object(self, invest: entity.Investigation, object_asn: dict):
         )
 
     def __import_btc_wallet(self, invest: entity.Investigation, object_btc: dict):
-        btc = observable.wallet.Wallet(value=object_btc["wallet-address"])
+        btc = self.attr_misp_to_yeti(invest, object_btc["wallet-address"])
         context = {}
         if object_btc["BTC_received"]:
             context["BTC_received"] = object_btc["BTC_received"]
From 013ae02a74a01fe8b753d0cfe0b2a57389166c58 Mon Sep 17 00:00:00 2001
From: Sebdraven <sebdraven@protonmail.com>
Date: Tue, 5 Mar 2024 17:58:53 +0100
Subject: [PATCH 31/69] Update misp_to_yeti.py
---
 core/common/misp_to_yeti.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py
index d54041911..4155c8abb 100644
--- a/core/common/misp_to_yeti.py
+++ b/core/common/misp_to_yeti.py
@@ -22,7 +22,6 @@
     "ssdeep": observable.ObservableType.ssdeep,
     "mutex": observable.ObservableType.mutex,
     "named pipe": observable.ObservableType.named_pipe,
-    "btc": observable.ObservableType.wallet,
     "email": observable.ObservableType.email,
     "filename": observable.ObservableType.file,
     "regkey": observable.ObservableType.registry_key,
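Review bot: `btc = self.attr_misp_to_yeti(invest, object_btc["wallet-address"])` passes a bare value where attr_misp_to_yeti expects an attribute dict (it calls `attribute.get("type")`), and a MISP object does not expose its attributes as top-level keys — in the fixture added two commits earlier they live in `object_btc["Attribute"]` with `"object_relation": "wallet-address"` — so this line raises KeyError before anything is imported. Select the attribute by relation first, e.g. `addr = next((a for a in object_btc["Attribute"] if a.get("object_relation") == "wallet-address"), None)`, handle `None`, and pass `addr` to attr_misp_to_yeti. The `object_btc["BTC_received"]` and sibling lookups in the context lines below have the same shape problem; __import_btc_wallet's body continues outside the hunk.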
@@ -156,7 +155,12 @@ def __import_asn_object(self, invest: entity.Investigation, object_asn: dict):
         )
 
     def __import_btc_wallet(self, invest: entity.Investigation, object_btc: dict):
-        btc = self.attr_misp_to_yeti(invest, object_btc["wallet-address"])
+        btc_address = list(
+            filter(lambda x: x["type"] == "wallet-address", object_btc["Attribute"])
+        )[0]
+        btc = self.attr_misp_to_yeti(
+            invest, btc_address, description=f"misp {self.misp_event['Orgc']['name']}"
+        )
         context = {}
         if object_btc["BTC_received"]:
             context["BTC_received"] = object_btc["BTC_received"]
From ce59669a809412f0f7f1c5e0312be1e470c2b4ee Mon Sep 17 00:00:00 2001
From: Sebdraven <sebdraven@protonmail.com>
Date: Tue, 5 Mar 2024 19:02:02 +0100
Subject: [PATCH 32/69] add pymisp
---
 core/common/misp_to_yeti.py | 91 +++++++++++---------
 tests/misp_test_data/misp_event_objects.json | 69 ++++++++++++++-
 2 files changed, 116 insertions(+), 44 deletions(-)
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py
index 4155c8abb..e7427185b 100644
--- a/core/common/misp_to_yeti.py
+++ b/core/common/misp_to_yeti.py
@@ -3,8 +3,9 @@
 
 import dateparser
 import pycountry
-
+from pymisp import MISPObject,MISPEvent,MISPAttribute
 from core.schemas import entity, indicator, observable
+import json
 
 MISP_Attribute_TO_IMPORT = {
     "btc": observable.ObservableType.wallet,
@@ -33,7 +34,8 @@ class MispToYeti:
 
 
     def __init__(self, misp_event):
-        self.misp_event = misp_event
+        self.misp_event = MISPEvent()
+        self.misp_event.from_json(json.dumps(misp_event))
         self.func_by_type = {
             "asn": self.__import_asn_object,
             "av-signature": self.__import_av_signature,
@@ -45,7 +47,7 @@ def __init__(self, misp_event):
         }
 
     def attr_misp_to_yeti(
-        self, invest: entity.Investigation, attribute: dict, description: str = ""
+        self, invest: entity.Investigation, attribute: MISPAttribute, description: str = ""
     ) -> observable.Observable:  # type: ignore
         if attribute.get("type") in MISP_Attribute_TO_IMPORT:
             obs_yeti = observable.TYPE_MAPPING[
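Review bot: `filter(lambda x: x["type"] == "wallet-address", object_btc["Attribute"])` in __import_btc_wallet tests the attribute `type`, but in the fixture the wallet attribute carries `"type": "btc"` and `wallet-address` in `object_relation`, so the filter is empty and the `[0]` raises IndexError; compare `x.get("object_relation") == "wallet-address"` and handle the no-match case instead of indexing blindly. The PATCH 32 hunks on this line add `from pymisp import MISPObject,MISPEvent,MISPAttribute`, yet the commit touches only misp_to_yeti.py and the fixture, so pymisp does not appear to be declared in pyproject/poetry.lock here (the lock changes visible earlier in this series add dateparser, pycountry, regex and tzlocal only); add it as a pinned dependency so the import is reproducible. `import json` is also placed after the project import; keep it with the other stdlib imports in the first group.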
@@ -59,16 +61,16 @@ def attr_misp_to_yeti(
         return obs_yeti
 
     def add_context_by_misp(
-        self, attribute_misp: dict, obs_yeti: observable.Observable
+        self, attribute_misp: MISPAttribute, obs_yeti: observable.Observable
     ):
         context = {}
-        context["Org"] = self.misp_event["Org"]["name"]
+        context["Org"] = self.misp_event.org.name
         if attribute_misp.get("comment"):
             context["comment"] = attribute_misp.get("comment")
 
         obs_yeti.add_context("misp", context)
 
-    def add_obs(self, invest: entity.Investigation, obs_misp: dict):
+    def add_obs(self, invest: entity.Investigation, obs_misp: MISPObject):
         for attr in obs_misp["Attribute"]:
             obs_yeti = self.attr_misp_to_yeti(invest, attr)
 
@@ -78,7 +80,7 @@ def add_obs(self, invest: entity.Investigation, obs_misp: dict):
             else:
                 print(f"Attribute {attr} not imported")
 
-    def obs_misp_to_yeti(self, invest: entity.Investigation, object_misp: dict):
+    def obs_misp_to_yeti(self, invest: entity.Investigation, object_misp: MISPObject):
         if object_misp["name"] in self.func_by_type:
             self.func_by_type[object_misp["name"]](invest, object_misp)
         else:
@@ -91,16 +93,16 @@ def obs_misp_to_yeti(self, invest: entity.Investigation, object_misp: dict):
 
     def misp_to_yeti(self):
         invest = entity.Investigation(name=self.misp_event["info"]).save()
-        tags = self.misp_event.get("Tag")
+        tags = self.misp_event.tags
         if tags:
             invest.tag([t["name"] for t in tags])
         invest.description = (
             f"Org {self.misp_event['Orgc']['name']} Event id: {self.misp_event['id']}"
         )
-        for object_misp in self.misp_event["Object"]:
+        for object_misp in self.misp_event.objects:
             self.obs_misp_to_yeti(invest, object_misp)
 
-        for attribute_misp in self.misp_event["Attribute"]:
+        for attribute_misp in self.misp_event.attributes:
             obs_yeti = self.attr_misp_to_yeti(invest, attribute_misp)
             if obs_yeti:
                 self.add_context_by_misp(attribute_misp, obs_yeti)
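Review bot: `context["Org"] = self.misp_event.org.name` records the owning organisation, while the description and link labels built from `self.misp_event['Orgc']['name']` in the same method set record the creating one, so per-observable context and investigation provenance can disagree for events that were shared between instances; use the same field in both places (Orgc, the party that asserted the indicator, is the usual choice). The hunks also mix attribute-style access on the new pymisp objects (`.tags`, `.objects`, `.attributes`) with the dict-style access kept from before (`obs_misp["Attribute"]`, `object_misp["name"]`, `self.misp_event["info"]`); whether each of those keys still resolves on a MISPObject/MISPEvent is not shown here, so a test that drives add_obs and misp_to_yeti over the fixture would settle it. The bodies of add_obs and misp_to_yeti continue outside these hunks.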
@@ -154,45 +156,52 @@ def __import_asn_object(self, invest: entity.Investigation, object_asn: dict): asn, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" ) - def __import_btc_wallet(self, invest: entity.Investigation, object_btc: dict): - btc_address = list( - filter(lambda x: x["type"] == "wallet-address", object_btc["Attribute"]) - )[0] - btc = self.attr_misp_to_yeti( - invest, btc_address, description=f"misp {self.misp_event['Orgc']['name']}" - ) + def __import_btc_wallet(self, invest: entity.Investigation, object_btc: MISPObject): + + + address = object_btc.get_attributes_by_relation('wallet-address')[0] + + btc = observable.wallet.Wallet(value=address['value'],coin='btc',address=address["value"]).save() + + btc_received = object_btc.get_attributes_by_relation('BTC_received') + btc_sent = object_btc.get_attributes_by_relation('BTC_sent') + btc_balance = object_btc.get_attributes_by_relation('balence_btc') + context = {} - if object_btc["BTC_received"]: - context["BTC_received"] = object_btc["BTC_received"] - if object_btc["BTC_sent"]: - context["BTC_sent"] = object_btc["BTC_sent"] - if object_btc["BTC_balance"]: - context["BTC_balance"] = object_btc["BTC_balance"] - if object_btc["time"]: - context["time"] = object_btc["time"] - if context: - btc.add_context(f"misp {self.misp_event['Orgc']['name']} ", context) - invest.link_to( - btc, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" - ) - btc.save() - def __import_c2_list(self, invest: entity.Investigation, object_c2_list: dict): - list_c2_ip = filter(lambda x: x["type"] == "c2-ip", object_c2_list["Attribute"]) - list_c2_domain = filter( - lambda x: x["type"] == "c2-ipport", object_c2_list["Attribute"] - ) - for c2 in list_c2_ip: + if btc_received: + context["BTC_received"] = btc_received[0]['value'] + if btc_sent: + context["BTC_sent"] = btc_sent[0]['value'] + if btc_balance: + context["balence_btc"] = btc_balance[0]['value'] + + btc.add_context(f"misp 
{self.misp_event['Orgc']['name']}", context) + + + + + + def __import_c2_list(self, invest: entity.Investigation, object_c2:MISPObject): + threat_actor = object_c2.get_attributes_by_relation('threat') + tags =[ t['value'] for t in threat_actor] + + + + for c2 in object_c2.get_attributes_by_relation('c2-ip'): obs_yeti = self.attr_misp_to_yeti( invest, c2, description=f"misp {self.misp_event['Orgc']['name']}" ) - obs_yeti.link_to_tag(object_c2_list["threat"], timedelta(days=30)) - for c2 in list_c2_domain: + if tags: + obs_yeti.tag(tags) + + for c2 in object_c2.get_attributes_by_relation('c2-ipport'): ip, port = c2["value"].split("|") obs_yeti = observable.TYPE_MAPPING[MISP_Attribute_TO_IMPORT["ip-src"]]( value=ip - ) - obs_yeti.link_to_tag(object_c2_list["threat"], timedelta(days=30)) + ).save() + if tags: + obs_yeti.tag(tags) obs_yeti.add_context("misp", {"port": port}) def __import_crowdsec_ip_context( diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index 1fdbdb05a..c8d26aa3a 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json @@ -8,9 +8,9 @@ "info": "test for yeti", "published": false, "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "5", + "attribute_count": "8", "analysis": "0", - "timestamp": "1709656629", + "timestamp": "1709661209", "distribution": "1", "proposal_email_lock": false, "locked": false, @@ -150,7 +150,7 @@ "template_version": "3", "event_id": "114", "uuid": "bd116941-502f-45b3-ac21-2d70d0c9a907", - "timestamp": "1709656629", + "timestamp": "1709661209", "distribution": "5", "sharing_group_id": "0", "comment": "", 
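Review bot: `get_attributes_by_relation('balence_btc')` looks up a relation name that the fixture added by this same commit never uses — its balance attribute has `object_relation: balance_BTC` — so `btc_balance` is always empty, the balance is never imported, and the context key on the following line carries the same misspelling; the black-formatted copy of this method in PATCH 33 keeps both. The rewrite also drops the `invest.link_to(btc, "imported_by_misp", ...)` call that the removed lines had, leaving `invest` unused and the wallet detached from the investigation, and the new `__import_c2_list` likewise never links its observables to `invest`. `get_attributes_by_relation('wallet-address')[0]` still raises IndexError on an object without an address. `__import_c2_list` continues past the end of the hunk.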
@@ -179,6 +179,69 @@
 "value": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
 "Galaxy": [],
 "ShadowAttribute": []
+ },
+ {
+ "id": "10625",
+ "type": "float",
+ "category": "Other",
+ "to_ids": false,
+ "uuid": "fe6eac0d-2f7d-4642-bb71-7520e992b5ea",
+ "event_id": "114",
+ "distribution": "5",
+ "timestamp": "1709661209",
+ "comment": "",
+ "sharing_group_id": "0",
+ "deleted": false,
+ "disable_correlation": false,
+ "object_id": "1036",
+ "object_relation": "BTC_received",
+ "first_seen": "2024-03-03T00:00:00.000000+00:00",
+ "last_seen": "2024-03-13T00:00:00.000000+00:00",
+ "value": "0.5",
+ "Galaxy": [],
+ "ShadowAttribute": []
+ },
+ {
+ "id": "10626",
+ "type": "float",
+ "category": "Other",
+ "to_ids": false,
+ "uuid": "33c7998b-16f5-41c1-ace4-b5ae8b1b618c",
+ "event_id": "114",
+ "distribution": "5",
+ "timestamp": "1709661209",
+ "comment": "",
+ "sharing_group_id": "0",
+ "deleted": false,
+ "disable_correlation": false,
+ "object_id": "1036",
+ "object_relation": "BTC_sent",
+ "first_seen": "2024-03-03T00:00:00.000000+00:00",
+ "last_seen": "2024-03-13T00:00:00.000000+00:00",
+ "value": "0.8",
+ "Galaxy": [],
+ "ShadowAttribute": []
+ },
+ {
+ "id": "10627",
+ "type": "float",
+ "category": "Other",
+ "to_ids": false,
+ "uuid": "9232f198-c0fd-48f5-9391-4d26a18bff2f",
+ "event_id": "114",
+ "distribution": "5",
+ "timestamp": "1709661209",
+ "comment": "",
+ "sharing_group_id": "0",
+ "deleted": false,
+ "disable_correlation": false,
+ "object_id": "1036",
+ "object_relation": "balance_BTC",
+ "first_seen": "2024-03-03T00:00:00.000000+00:00",
+ "last_seen": "2024-03-13T00:00:00.000000+00:00",
+ "value": "1",
+ "Galaxy": [],
+ "ShadowAttribute": []
+ }
 ]
 }
From deb028badc623a5cda76ae6cdde9ac9a175d5731 Mon Sep 17 00:00:00 2001
From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 19:02:45 +0100 Subject: [PATCH 33/69] Update misp_to_yeti.py --- core/common/misp_to_yeti.py | 47 +++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index e7427185b..0118c07ba 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -3,7 +3,7 @@ import dateparser import pycountry -from pymisp import MISPObject,MISPEvent,MISPAttribute +from pymisp import MISPObject, MISPEvent, MISPAttribute from core.schemas import entity, indicator, observable import json @@ -47,7 +47,10 @@ def __init__(self, misp_event): } def attr_misp_to_yeti( - self, invest: entity.Investigation, attribute: MISPAttribute, description: str = "" + self, + invest: entity.Investigation, + attribute: MISPAttribute, + description: str = "", ) -> observable.Observable: # type: ignore if attribute.get("type") in MISP_Attribute_TO_IMPORT: obs_yeti = observable.TYPE_MAPPING[ 
@@ -157,45 +160,39 @@ def __import_asn_object(self, invest: entity.Investigation, object_asn: dict): ) def __import_btc_wallet(self, invest: entity.Investigation, object_btc: MISPObject): - - - address = object_btc.get_attributes_by_relation('wallet-address')[0] + address = object_btc.get_attributes_by_relation("wallet-address")[0] - btc = observable.wallet.Wallet(value=address['value'],coin='btc',address=address["value"]).save() - - btc_received = object_btc.get_attributes_by_relation('BTC_received') - btc_sent = object_btc.get_attributes_by_relation('BTC_sent') - btc_balance = object_btc.get_attributes_by_relation('balence_btc') + btc = observable.wallet.Wallet( + value=address["value"], coin="btc", address=address["value"] + ).save() + + btc_received = object_btc.get_attributes_by_relation("BTC_received") + btc_sent = object_btc.get_attributes_by_relation("BTC_sent") + btc_balance = object_btc.get_attributes_by_relation("balence_btc") context = {} if btc_received: - context["BTC_received"] = btc_received[0]['value'] + context["BTC_received"] = btc_received[0]["value"] if btc_sent: - context["BTC_sent"] = btc_sent[0]['value'] + context["BTC_sent"] = btc_sent[0]["value"] if btc_balance: - context["balence_btc"] = btc_balance[0]['value'] - - btc.add_context(f"misp {self.misp_event['Orgc']['name']}", context) - - - + context["balence_btc"] = btc_balance[0]["value"] + btc.add_context(f"misp {self.misp_event['Orgc']['name']}", context) - def __import_c2_list(self, invest: entity.Investigation, object_c2:MISPObject): - threat_actor = object_c2.get_attributes_by_relation('threat') - tags =[ t['value'] for t in threat_actor] - + def __import_c2_list(self, invest: entity.Investigation, object_c2: MISPObject): + threat_actor = object_c2.get_attributes_by_relation("threat") + tags = [t["value"] for t in threat_actor] - - for c2 in object_c2.get_attributes_by_relation('c2-ip'): + for c2 in object_c2.get_attributes_by_relation("c2-ip"): obs_yeti = self.attr_misp_to_yeti( 
invest, c2, description=f"misp {self.misp_event['Orgc']['name']}" ) if tags: obs_yeti.tag(tags) - for c2 in object_c2.get_attributes_by_relation('c2-ipport'): + for c2 in object_c2.get_attributes_by_relation("c2-ipport"): ip, port = c2["value"].split("|") obs_yeti = observable.TYPE_MAPPING[MISP_Attribute_TO_IMPORT["ip-src"]]( value=ip From 3ad50ed9afa90b780749aea5a7bafa99dbe143ed Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 19:07:17 +0100 Subject: [PATCH 34/69] Update misp_to_yeti.py --- core/common/misp_to_yeti.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 0118c07ba..2bf921929 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -1,11 +1,11 @@ +import json import logging -from datetime import timedelta import dateparser import pycountry -from pymisp import MISPObject, MISPEvent, MISPAttribute +from pymisp import MISPAttribute, MISPEvent, MISPObject + from core.schemas import entity, indicator, observable -import json MISP_Attribute_TO_IMPORT = { "btc": observable.ObservableType.wallet, From 22d6e6d004c0bab59778a86b666d50cf780cfd3d Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Tue, 5 Mar 2024 19:36:07 +0100 Subject: [PATCH 35/69] signature av-test --- core/common/misp_to_yeti.py | 19 +++-- core/schemas/indicator.py | 2 +- tests/misp_test_data/misp_event_objects.json | 87 +++++++++++++++++++- 3 files changed, 99 insertions(+), 9 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 2bf921929..f1ca8120e 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py 
@@ -114,16 +114,23 @@ def misp_to_yeti(self): invest.save() def __import_av_signature( - self, invest: entity.Investigation, object_av_signature: dict + self, invest: entity.Investigation, object_av_signature: MISPObject ): + signature = object_av_signature.get_attributes_by_relation("signature")[0] + description = object_av_signature.get_attributes_by_relation("Text") + software = object_av_signature.get_attributes_by_relation("software") + av_sig = indicator.av_signature( - name=object_av_signature["signature"], - software=object_av_signature["software"], + name=signature["value"], + pattern=signature["value"], diamond=indicator.DiamondModel.capability, - pattern=object_av_signature["signature"], location="misp", - ) - av_sig.description = object_av_signature["description"] + ).save() + + if description: + av_sig.description = description[0]["value"] + if software: + av_sig.software = software[0]["value"] av_sig.save() invest.link_to( av_sig, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" diff --git a/core/schemas/indicator.py b/core/schemas/indicator.py index a9b50a082..ea8d322a7 100644 --- a/core/schemas/indicator.py +++ b/core/schemas/indicator.py @@ -316,7 +316,7 @@ def save_indicators(self, create_links: bool = False): class av_signature(Indicator): _type_filter: ClassVar[str] = IndicatorType.av_signature type: Literal[IndicatorType.av_signature] = IndicatorType.av_signature - software: str + software: str = "" def match(self, value: str) -> IndicatorMatch | None: raise NotImplementedError diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index c8d26aa3a..2cb6d7689 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json 
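Review bot: `get_attributes_by_relation("Text")` will not match the fixture added by this commit, whose description attribute has `object_relation: "text"`, so `description` is always empty and `av_sig.description` is never set; the relation name should be `"text"`, lower-case like every other relation name in this file. `get_attributes_by_relation("signature")[0]` raises IndexError when the object has no signature attribute, which aborts the import of the whole event on one incomplete object. The indicator is also persisted twice, once by the `.save()` appended to the constructor call and again by `av_sig.save()` after the optional fields are filled in; the first save can go.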
@@ -8,9 +8,9 @@
 "info": "test for yeti",
 "published": false,
 "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a",
- "attribute_count": "8",
+ "attribute_count": "11",
 "analysis": "0",
- "timestamp": "1709661209",
+ "timestamp": "1709663597",
 "distribution": "1",
 "proposal_email_lock": false,
 "locked": false,
@@ -244,6 +244,89 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1037", + "name": "av-signature", + "meta-category": "misc", + "description": "Antivirus detection signature", + "template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e", + "template_version": "1", + "event_id": "114", + "uuid": "2f2e5dea-0c4b-4e41-a15b-d428e3d841a3", + "timestamp": "1709663597", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10628", + "type": "text", + "category": "Antivirus detection", + "to_ids": false, + "uuid": "98143267-5fe9-48c2-8519-584a4c659034", + "event_id": "114", + "distribution": "5", + "timestamp": "1709663597", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1037", + "object_relation": "signature", + "first_seen": null, + "last_seen": null, + "value": "malware_1872727", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10629", + "type": "text", + "category": "Antivirus detection", + "to_ids": false, + "uuid": "6bc5cba5-4484-499a-9e05-8f37fa671bde", + "event_id": "114", + "distribution": "5", + "timestamp": "1709663597", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1037", + "object_relation": "software", + "first_seen": null, + "last_seen": null, + "value": "Windows", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10630", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "a9c73a38-0f92-40ad-81fc-3f26bd4055b3", + "event_id": "114", + "distribution": "5", + "timestamp": "1709663597", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1037", + "object_relation": "text", + "first_seen": null, + "last_seen": null, + "value": "Vilain malware", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], 
From 10edcb93d2e55b427dda9e8980704511d194112e Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Wed, 6 Mar 2024 11:20:25 +0100 Subject: [PATCH 36/69] add command line test --- core/common/misp_to_yeti.py | 22 ++++--- tests/misp_test_data/misp_event_objects.json | 66 +++++++++++++++++++- 2 files changed, 79 insertions(+), 9 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index f1ca8120e..72e9a068f 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -241,6 +241,7 @@ def __import_crowdsec_ip_context( country_code = object_crowdsec_ip.get("country_code") if city or country or country_code: + location = None if city: location = entity.Location(name=city, city=city).save() 
@@ -293,19 +294,26 @@ def __import_crowdsec_ip_context( ip.link_to(hostname, "resolved_to", "hostname") def __import_commande_line( - self, invest: entity.Investigation, object_command_line: dict + self, invest: entity.Investigation, object_command_line: MISPObject ): - cmd_line = object_command_line["value"] - cmd_line = observable.command_line.CommandLine(value=cmd_line).save() - - description = object_command_line.get("description") + cmd_line = object_command_line.get_attributes_by_relation("value")[0] + description_misp = object_command_line.get_attributes_by_relation( + "description" + )[0] + description = description_misp["value"] if description_misp else "" + cmd_line_obs = observable.command_line.CommandLine( + value=cmd_line["value"] + ).save() context = {} + if description: context["description"] = description + if context: - cmd_line.add_context(f"misp {self.misp_event['Orgc']['name']}", context) + cmd_line_obs.add_context(f"misp {self.misp_event['Orgc']['name']}", context) + invest.link_to( - cmd_line, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + cmd_line_obs, "imported by misp", f"misp {self.misp_event['Orgc']['name']}" ) def __import_cookie(self, invest: entity.Investigation, object_cookie: dict): diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index 2cb6d7689..7e42c024d 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json @@ -8,9 +8,9 @@ "info": "test for yeti", "published": false, "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "11", + "attribute_count": "13", "analysis": "0", - "timestamp": "1709663597", + "timestamp": "1709718740", "distribution": "1", "proposal_email_lock": false, "locked": false, 
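Review bot: `get_attributes_by_relation("description")[0]` indexes before the `if description_misp` guard on the next line, so an object without a description raises IndexError and the guard is dead; `get_attributes_by_relation("value")[0]` just above has the same problem. Take the list first: `description_attrs = object_command_line.get_attributes_by_relation("description")` and `description = description_attrs[0]["value"] if description_attrs else ""`. The link relation was changed from `imported_by_misp` to `imported by misp`, which no other importer in this file uses (`__import_av_signature` and `__import_asn_object` keep `imported_by_misp`), so the investigation's imported objects end up split across two relation names. `__import_commande_line` begins above the hunk.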
@@ -327,6 +327,68 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1038", + "name": "command-line", + "meta-category": "misc", + "description": "Command line and options related to a specific command executed by a program, whether it is malicious or not.", + "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", + "template_version": "1", + "event_id": "114", + "uuid": "06486300-27ed-47d6-94fd-b26261e68e6a", + "timestamp": "1709718740", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10631", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "e5603d5f-c32f-4609-99af-6863868c47ab", + "event_id": "114", + "distribution": "5", + "timestamp": "1709718740", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1038", + "object_relation": "description", + "first_seen": null, + "last_seen": null, + "value": "mechant malware", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10632", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "7a9ac133-1592-4b50-bc52-d99d74184081", + "event_id": "114", + "distribution": "5", + "timestamp": "1709718740", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1038", + "object_relation": "value", + "first_seen": null, + "last_seen": null, + "value": "cmd.exe --mechant malware", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], From e4f2be42a400d960fcfc5192c85c82307b67b76a Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Thu, 7 Mar 2024 10:18:49 +0100 Subject: [PATCH 37/69] add cookie object --- core/common/misp_to_yeti.py | 6 +- tests/misp_test_data/misp_event_objects.json | 194 ++++++++++++++++++- 2 files changed, 194 insertions(+), 6 deletions(-) 
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 72e9a068f..5642d73cc 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -316,10 +316,10 @@ def __import_commande_line( cmd_line_obs, "imported by misp", f"misp {self.misp_event['Orgc']['name']}" ) - def __import_cookie(self, invest: entity.Investigation, object_cookie: dict): - name = object_cookie["name"] + def __import_cookie(self, invest: entity.Investigation, object_cookie: MISPObject): + name = object_cookie.get_attributes_by_relation("cookie-name")[0]["value"] - cookie_attr = object_cookie["cookie"] + cookie_attr = object_cookie.get_attributes_by_relation("cookie")[0] cookie = self.attr_misp_to_yeti( invest, cookie_attr, description=f"misp {self.misp_event['Orgc']['name']}" ) diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index 7e42c024d..aa10e1f04 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json @@ -8,9 +8,9 @@ "info": "test for yeti", "published": false, "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "13", + "attribute_count": "21", "analysis": "0", - "timestamp": "1709718740", + "timestamp": "1709720828", "distribution": "1", "proposal_email_lock": false, "locked": false, 
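Review bot: `get_attributes_by_relation("cookie-name")[0]["value"]` and `get_attributes_by_relation("cookie")[0]` both raise IndexError when the cookie object lacks that attribute, aborting the import of the whole event on a single incomplete object; `cookie-name` in particular is presumably optional in the MISP cookie template, so read the list first and fall back to an empty name, e.g. `names = object_cookie.get_attributes_by_relation("cookie-name")` and `name = names[0]["value"] if names else ""`. `__import_cookie` continues past the end of the hunk.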
@@ -389,9 +389,197 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1039", + "name": "cookie", + "meta-category": "network", + "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser \u2014 keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.", + "template_uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8", + "template_version": "6", + "event_id": "114", + "uuid": "449d6cd4-39cb-4cd5-96e2-655963900f87", + "timestamp": "1709720828", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10633", + "type": "cookie", + "category": "Network activity", + "to_ids": false, + "uuid": "3f74b060-02a8-49b3-b0bc-61596f787aca", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "cookie", + "first_seen": null, + "last_seen": null, + "value": "MTA3NTg1NTM5Mg==", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10634", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "a865fa81-627e-4cea-a3f2-72fc2a51b266", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "cookie-name", + "first_seen": null, + "last_seen": null, + "value": "MTA3NTg1NTM5Mg==", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10635", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": 
"35f5eeb1-e7dd-420f-acaf-f9620d5ae29e", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "cookie-value", + "first_seen": null, + "last_seen": null, + "value": "MTA3NTg1NTM5Mg==", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10636", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "b29d314d-81ba-4123-8887-c5fa3497c65b", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1039", + "object_relation": "expires", + "first_seen": null, + "last_seen": null, + "value": "2024-06-03T00:00:00.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10637", + "type": "boolean", + "category": "Other", + "to_ids": false, + "uuid": "e38c81cd-2333-4203-ba20-e00ac387992f", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "http-only", + "first_seen": null, + "last_seen": null, + "value": "1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10638", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "0e2153cb-5374-4e6b-9aa1-511f1778f947", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1039", + "object_relation": "path", + "first_seen": null, + "last_seen": null, + "value": "/test/path", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10639", + "type": "boolean", + "category": "Other", + "to_ids": false, + "uuid": "1a7394be-e699-4bd4-9f60-2e1fb1e8841b", + "event_id": "114", + "distribution": "5", + 
"timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "secure", + "first_seen": null, + "last_seen": null, + "value": "1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10640", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "55740096-fa6e-4221-a3ef-ca4fad63e378", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1039", + "object_relation": "text", + "first_seen": null, + "last_seen": null, + "value": "Chinoxy Cookie", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], "CryptographicKey": [] } -} +} \ No newline at end of file From d90b02a26079809e9fc091e52913748235b7d1d8 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Thu, 7 Mar 2024 13:18:22 +0100 Subject: [PATCH 38/69] add crowdsec-ip object --- core/common/misp_to_yeti.py | 71 ++-- core/schemas/observables/asn.py | 1 + tests/misp_test_data/misp_event_objects.json | 402 ++++++++++++++++++- 3 files changed, 441 insertions(+), 33 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 5642d73cc..e860b3874 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -26,7 +26,7 @@ "email": observable.ObservableType.email, "filename": observable.ObservableType.file, "regkey": observable.ObservableType.registry_key, - "asn": observable.ObservableType.asn, + "AS": observable.ObservableType.asn, "cookie": observable.ObservableType.cookie, "other": observable.ObservableType.generic, } 
@@ -209,47 +209,56 @@ def __import_c2_list(self, invest: entity.Investigation, object_c2: MISPObject): obs_yeti.add_context("misp", {"port": port}) def __import_crowdsec_ip_context( - self, invest: entity.Investigation, object_crowdsec_ip: dict + self, invest: entity.Investigation, object_crowdsec_ip: MISPObject ): + ip_attr = object_crowdsec_ip.get_attributes_by_relation("ip")[0] ip = self.attr_misp_to_yeti( - invest, - object_crowdsec_ip["ip"], - description=f"misp {self.misp_event['Orgc']['name']} CrowdSec", + invest, ip_attr, description=f"misp {self.misp_event['Orgc']['name']}" ) - as_num = object_crowdsec_ip.get("as_num") + as_num = object_crowdsec_ip.get_attributes_by_relation("as-num") + as_name = object_crowdsec_ip.get_attributes_by_relation("as-name") + as_obj = None if as_num: - asn = self.attr_misp_to_yeti(invest, as_num) - ip.link_to(asn, "part_of", "asn") + as_obj = observable.asn.ASN(value=as_num[0].value).save() + ip.link_to(as_obj, "part_of", "asn") + if as_obj and as_name: + as_obj.name = as_name[0].value context = {} - attack_details = object_crowdsec_ip.get("attack-details") + attack_details = object_crowdsec_ip.get_attributes_by_relation("attack-details") if attack_details: - context["attack-details"] = attack_details + context["attack-details"] = attack_details[0].value background_noise = object_crowdsec_ip.get("background-noise") if background_noise: - context["background-noise"] = background_noise + context["background-noise"] = background_noise[0].value behaviors = object_crowdsec_ip.get("behaviors") if behaviors: - context["behaviors"] = behaviors + context["behaviors"] = behaviors[0].value - city = object_crowdsec_ip.get("city") - country = object_crowdsec_ip.get("country") - country_code = object_crowdsec_ip.get("country_code") + city = object_crowdsec_ip.get_attributes_by_relation("city") + country = object_crowdsec_ip.get_attributes_by_relation("country") + country_code = object_crowdsec_ip.get_attributes_by_relation("country_code") if 
city or country or country_code: location = None if city: - location = entity.Location(name=city, city=city).save() + location = entity.Location( + name=city[0].value, city=city[0].value + ).save() if country: - location = entity.Location(name=country, country=country).save() - location.set_country_code_by_name(country) + location = entity.Location( + name=country[0].value, country=country[0].value + ).save() + location.set_country_code_by_name(country[0].value) if country_code: - country_name = pycountry.countries.get(alpha_2=country_code).name + country_name = pycountry.countries.get( + alpha_2=country_code[0].value + ).name location = entity.Location( name=country_name, country=country_name ).save() 
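Review bot: `object_crowdsec_ip.get("background-noise")` and `object_crowdsec_ip.get("behaviors")` were left as mapping lookups on the MISPObject while every other field in this hunk moved to `get_attributes_by_relation`; a MISPObject keeps its attributes in its `Attribute` list rather than as top-level keys, so as far as I can tell these two return None and both fields are silently never imported — `background_noise = object_crowdsec_ip.get_attributes_by_relation("background-noise")`, and the same for behaviors. `as_obj.name = as_name[0].value` is assigned after `as_obj` was saved and nothing saves it again, so the AS name is lost. `pycountry.countries.get(alpha_2=country_code[0].value)` returns None for an unknown code and `.name` then raises, so a single bad country code in a third-party feed aborts the whole import. `__import_crowdsec_ip_context` continues past the end of the hunk.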
@@ -260,35 +269,35 @@ def __import_crowdsec_ip_context( "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec", ) - dst_port = object_crowdsec_ip.get("dst-port") + dst_port = object_crowdsec_ip.get_attributes_by_relation("dst-port") if dst_port: - context["dst_port"] = dst_port + context["dst_port"] = dst_port[0].value - ip_range_scope = object_crowdsec_ip.get("ip-range-scope") + ip_range_scope = object_crowdsec_ip.get_attributes_by_relation("ip-range-scope") if ip_range_scope: - context["ip-range-scope"] = ip_range_scope + context["ip-range-scope"] = ip_range_scope[0].value - trust = object_crowdsec_ip.get("trust") + trust = object_crowdsec_ip.get_attributes_by_relation("trust") if trust: - context["trust"] = trust + context["trust"] = trust[0].value - ip_range = object_crowdsec_ip.get("ip-range") + ip_range = object_crowdsec_ip.get_attributes_by_relation("ip-range") if ip_range: - cidr_obs = observable.cidr.CIDR(value=ip_range).save() # type: ignore + cidr_obs = observable.cidr.CIDR(value=ip_range[0].value).save() # type: ignore ip.link_to(cidr_obs, "part_of", "subnet") invest.link_to( cidr_obs, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']} CrowdSec", ) + if context: + ip.add_context(f"misp {self.misp_event['Orgc']['name']} CrowdSec", context) - ip.add_context(f"misp {self.misp_event['Orgc']['name']} CrowdSec", context) - - reverse_dns = object_crowdsec_ip.get("reverse_dns") + reverse_dns = object_crowdsec_ip.get_attributes_by_relation("reverse_dns") if reverse_dns: hostname = self.attr_misp_to_yeti( invest, - reverse_dns, + reverse_dns[0], description=f"misp {self.misp_event['Orgc']['name']} CrowdSec", ) ip.link_to(hostname, "resolved_to", "hostname") diff --git a/core/schemas/observables/asn.py b/core/schemas/observables/asn.py index 1aeba6027..7e8f7535a 100644 --- a/core/schemas/observables/asn.py +++ b/core/schemas/observables/asn.py 
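Review bot: `get_attributes_by_relation("reverse_dns")` uses an underscore, but the crowdsec-ip-context fixture added by this commit names the attribute `reverse-dns`, consistent with the hyphenated sibling relations this hunk already uses (`ip-range`, `dst-port`, `ip-range-scope`), so the reverse-DNS hostname is never imported; change it to `"reverse-dns"`. Every other relation name in the hunk follows the hyphenated form, so this is the only lookup that differs. The function begins above the hunk.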
@@ -7,6 +7,7 @@ class ASN(observable.Observable): type: Literal[observable.ObservableType.asn] = observable.ObservableType.asn country: str | None = None description: str | None = None + name: str | None = None observable.TYPE_MAPPING[observable.ObservableType.asn] = ASN diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index aa10e1f04..93b2d7b03 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json @@ -8,9 +8,9 @@ "info": "test for yeti", "published": false, "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "21", + "attribute_count": "39", "analysis": "0", - "timestamp": "1709720828", + "timestamp": "1709808045", "distribution": "1", "proposal_email_lock": false, "locked": false, 
@@ -577,6 +577,404 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1040", + "name": "crowdsec-ip-context", + "meta-category": "network", + "description": "CrowdSec Threat Intelligence - IP CTI search", + "template_uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f", + "template_version": "3", + "event_id": "114", + "uuid": "8d7293ee-6840-4bb4-ad28-b9ac8280d4e8", + "timestamp": "1709808045", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10641", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "d37e69f4-c220-4720-9e80-4c24299ff818", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "trust", + "first_seen": null, + "last_seen": null, + "value": "1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10642", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "8b13f982-eaf4-4cf7-8e8b-207e89453ecb", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "ip", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10643", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "40a0d8b2-c1c2-452d-b9df-c026006d7cda", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "scores", + "first_seen": null, + "last_seen": null, + "value": "10", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10644", + "type": "hostname", + 
"category": "Network activity", + "to_ids": true, + "uuid": "9f60442b-8584-453f-b008-53c4e806db89", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "reverse-dns", + "first_seen": null, + "last_seen": null, + "value": "toto.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10645", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "5c8fce70-084b-492f-bd94-988472deba62", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "longitude", + "first_seen": null, + "last_seen": null, + "value": "1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10646", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "d489b90e-5263-41c0-baaa-4ed4e62ec55d", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "latitude", + "first_seen": null, + "last_seen": null, + "value": "1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10647", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "36f12ed5-0a3e-4599-bdbb-276d49a77924", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "ip-range", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.0/24", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10648", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "942491a7-5f67-41e6-831b-bd1c5f69172d", + "event_id": "114", 
+ "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "false-positives", + "first_seen": null, + "last_seen": null, + "value": "NO", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10649", + "type": "port", + "category": "Network activity", + "to_ids": false, + "uuid": "a857a881-0538-4672-9fab-11257f93e034", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "dst-port", + "first_seen": null, + "last_seen": null, + "value": "80", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10650", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "5a9ce51c-ab14-4fa3-8675-fe7050a6f858", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "country", + "first_seen": null, + "last_seen": null, + "value": "France", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10651", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "1ee369e6-aa0d-45fc-a371-8d65f5bc0c02", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "classifications", + "first_seen": null, + "last_seen": null, + "value": "Malicious", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10652", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "ab28a6ee-8a07-419e-9c35-2fe0d6949e6c", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + 
"disable_correlation": true, + "object_id": "1040", + "object_relation": "city", + "first_seen": null, + "last_seen": null, + "value": "Paris", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10653", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "27312d85-8a27-458b-be82-36458f71b63a", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "behaviors", + "first_seen": null, + "last_seen": null, + "value": "Scan", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10654", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "f5817800-c09c-44e6-ba29-766d6f373369", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "background-noise", + "first_seen": null, + "last_seen": null, + "value": "1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10655", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "2783d137-941d-4cc1-a704-fc3b18699814", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "attack-details", + "first_seen": null, + "last_seen": null, + "value": "Scan", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10656", + "type": "AS", + "category": "Network activity", + "to_ids": false, + "uuid": "fa2f5ede-b5f0-4865-a0e0-fa96ee150c99", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "as-num", + "first_seen": null, + "last_seen": null, + 
"value": "1234", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10657", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "55dd1fa8-5a4d-4bc5-a500-22309718d9be", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "country-code", + "first_seen": null, + "last_seen": null, + "value": "FR", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10658", + "type": "AS", + "category": "Network activity", + "to_ids": false, + "uuid": "b98acf92-8236-4e0e-b0f3-563be4708786", + "event_id": "114", + "distribution": "5", + "timestamp": "1709808045", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "as-name", + "first_seen": null, + "last_seen": null, + "value": "1234", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], From 35d4fddca5ce27ff130f9e0dd89bfb00af466bb1 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Thu, 7 Mar 2024 17:15:57 +0100 Subject: [PATCH 39/69] add cs-beaconing-confi file object --- core/common/misp_to_yeti.py | 116 +++++--- tests/misp_test_data/misp_event_objects.json | 276 ++++++++++++++++++- 2 files changed, 350 insertions(+), 42 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index e860b3874..d3ed2d703 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -44,6 +44,7 @@ def __init__(self, misp_event): "crowdsec-ip-context": self.__import_crowdsec_ip_context, "command-line": self.__import_commande_line, "cookie": self.__import_cookie, + "cs-beacon-config": self.__import_cs_beaconing, } def attr_misp_to_yeti( 
@@ -61,7 +62,12 @@ def attr_misp_to_yeti(
 obs_yeti.tag([t["name"] for t in tags])
 invest.link_to(obs_yeti, "imported_by_misp", description)
 print(f"Attribute {attribute.get('value')} imported")
- return obs_yeti
+
+ else:
+ obs_yeti = observable.generic_observable.GenericObservable(
+ value=attribute.get("value")
+ ).save() # type: ignore
+ return obs_yeti
 def add_context_by_misp(
 self, attribute_misp: MISPAttribute, obs_yeti: observable.Observable
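Review bot: The new `else` branch saves a `GenericObservable` for any attribute type outside the import mapping, but unlike the mapped branch just above it never calls `invest.link_to(obs_yeti, "imported_by_misp", description)` nor applies the event tags, so these fallback observables are persisted detached from the investigation and without provenance. If event-level attributes reach this function (the fixtures in this series carry `float`, `text` and `port` attributes), free-text and numeric fields would also be materialised as standalone observables; either restrict the fallback to a documented allow-list of types or at least mirror the link and tag handling in the `else` arm. A short comment above `else:` stating why unmapped types are kept at all would help the next reader, e.g. `# unmapped MISP types are kept as generic observables so the investigation stays complete`. The enclosing `attr_misp_to_yeti` starts before this hunk.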
@@ -348,40 +354,69 @@ def __import_cookie(self, invest: entity.Investigation, object_cookie: MISPObjec
 cookie.save()
 def __import_cs_beaconing(
- self, invest: entity.Investigation, object_cs_beaconing: dict
+ self, invest: entity.Investigation, object_cs_beaconing: MISPObject
 ):
 cs_malware = entity.Malware(name="Cobalt Strike").save()
- sha256_obs = self.attr_misp_to_yeti(
- invest,
- object_cs_beaconing["sha256"],
- description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
- )
- sha1_obs = self.attr_misp_to_yeti(
- invest,
- object_cs_beaconing["sha1"],
- description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
- )
- md5_obs = self.attr_misp_to_yeti(
- invest,
- object_cs_beaconing["md5"],
- description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
- )
- file_cs = observable.file.File(value=f"FILE:{sha256_obs}").save()
- file_cs.md5 = md5_obs.value
- file_cs.sha1 = sha1_obs.value
- cs_malware.link_to(sha256_obs, "file", "sha256")
- cs_malware.link_to(sha1_obs, "file", "sha1")
- cs_malware.link_to(md5_obs, "file", "md5")
- cs_malware.link_to(file_cs, "file", "file")
- file_cs.link_to(sha256_obs, "file", "sha256")
- file_cs.link_to(sha1_obs, "file", "sha1")
- file_cs.link_to(md5_obs, "file", "md5")
- invest.link_to(
- cs_malware, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}"
- )
- asn = self.attr_misp_to_yeti(invest, object_cs_beaconing["asn"])
- cs_malware.link_to(asn, "part_of", "asn")
+ sha256_attr = object_cs_beaconing.get_attributes_by_relation("sh256")
+ sha256_obs = None
+ if sha256_attr:
+ sha256_obs = self.attr_misp_to_yeti(
+ invest,
+ sha256_attr[0], # type: ignore
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
+ cs_malware.link_to(sha256_obs, "file", "sha256")
+
+ sha1_attr = object_cs_beaconing.get_attributes_by_relation("sha1")
+ sha1_obs = None
+ if sha1_obs:
+ sha1_obs = self.attr_misp_to_yeti(
+ invest,
+ sha1_attr[0], # type: ignore
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
+ cs_malware.link_to(sha1_obs, "file", "sha1")
+
+ md5_attr = object_cs_beaconing.get_attributes_by_relation("md5")
+ md5_obs = None
+ if md5_attr:
+ md5_obs = self.attr_misp_to_yeti(
+ invest,
+ md5_attr[0], # type: ignore
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
+ cs_malware.link_to(md5_obs, "file", "md5")
+
+ config_cs = None
+ if sha256_obs:
+ config_cs = observable.file.File(value=f"FILE:{sha256_obs.value}").save()
+ elif sha1_obs and not config_cs:
+ config_cs = observable.file.File(value=f"FILE:{sha1_obs.value}").save()
+ elif md5_obs and not config_cs:
+ config_cs = observable.file.File(value=f"FILE:{md5_obs.value}").save()
+ if config_cs:
+ if md5_obs:
+ config_cs.md5 = md5_obs.value
+
+ if sha1_obs:
+ config_cs.sha1 = sha1_obs.value
+
+ cs_malware.link_to(config_cs, "file", "file")
+
+ invest.link_to(
+ cs_malware,
+ "imported_by_misp",
+ f"misp {self.misp_event['Orgc']['name']}",
+ )
+ asn_attr = object_cs_beaconing.get_attributes_by_relation("asn")
+ if asn_attr:
+ asn = self.attr_misp_to_yeti(
+ invest,
+ asn_attr[0], # type: ignore
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
+ cs_malware.link_to(asn, "part_of", "asn")
 geo = object_cs_beaconing.get("geo")
 country = None
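Review bot: Two lookups in the rewritten hash handling are broken: `object_cs_beaconing.get_attributes_by_relation("sh256")` misspells the `sha256` relation (the cs-beacon-config fixture in this series uses `"sha256"`), and `if sha1_obs:` tests the variable assigned `None` one line earlier instead of `sha1_attr`, so the SHA-1 branch can never run. The fixes are `sha256_attr = object_cs_beaconing.get_attributes_by_relation("sha256")` and `if sha1_attr:`; as written, `config_cs` can only ever be built from the MD5, the weakest of the three identifiers for a file observable. The `and not config_cs` clauses on the two `elif` arms are always true at that point and can be dropped. `config_cs.md5` and `config_cs.sha1` are assigned after `.save()` with no further save in the hunk; unless attribute assignment persists on its own in this ORM (not visible here), those hashes are lost, which a test that reloads the file would confirm. The enclosing `__import_cs_beaconing` continues past this hunk.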
@@ -425,20 +460,21 @@ def __import_cs_beaconing(
 f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
 )
- jar_md5 = object_cs_beaconing["jar-md5"]
- app_c2 = self.attr_misp_to_yeti(
- invest,
- jar_md5,
- description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
- )
+ jar_md5 = object_cs_beaconing.get_attributes_by_relation("jar-md5")
+ if jar_md5:
+ app_c2 = self.attr_misp_to_yeti(
+ invest,
+ jar_md5[0],
+ description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
+ )
 cs_malware.link_to(app_c2, "jar-md5", "MD5 of adversary cobaltstrike.jar file")
- watermark = object_cs_beaconing.get("watermark")
+ watermark = object_cs_beaconing.get_attributes_by_relation("watermark")
 watermark_yeti = None
 if watermark:
 watermark_yeti = self.attr_misp_to_yeti(
 invest,
- watermark,
+ watermark[0],
 description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
 )
 watermark_yeti.link_to(app_c2, "watermarked", "watermark")
diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json
index 93b2d7b03..afa05ebaf 100644
--- a/tests/misp_test_data/misp_event_objects.json
+++ b/tests/misp_test_data/misp_event_objects.json
@@ -8,9 +8,9 @@
 "info": "test for yeti",
 "published": false,
 "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a",
- "attribute_count": "39",
+ "attribute_count": "51",
 "analysis": "0",
- "timestamp": "1709808045",
+ "timestamp": "1709826473",
 "distribution": "1",
 "proposal_email_lock": false,
 "locked": false,
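Review bot: `app_c2` is now bound only inside `if jar_md5:`, but the unchanged `cs_malware.link_to(app_c2, "jar-md5", ...)` line and the later `watermark_yeti.link_to(app_c2, "watermarked", "watermark")` still use it unconditionally, so a cs-beacon-config object without a `jar-md5` attribute raises `UnboundLocalError` instead of importing. Initialise `app_c2 = None` before the lookup, move the jar-md5 link under the guard, and link the watermark to `app_c2` only when it exists. The enclosing `__import_cs_beaconing` starts before this hunk and continues after it.
```python
        app_c2 = None
        jar_md5 = object_cs_beaconing.get_attributes_by_relation("jar-md5")
        if jar_md5:
            app_c2 = self.attr_misp_to_yeti(
                invest,
                jar_md5[0],
                description=f"misp {self.misp_event['Orgc']['name']} Cobalstrike Beaconing",
            )
            # only meaningful when the jar hash was present
            cs_malware.link_to(app_c2, "jar-md5", "MD5 of adversary cobaltstrike.jar file")
        # … unchanged: watermark lookup and watermark_yeti creation …
            if app_c2:
                watermark_yeti.link_to(app_c2, "watermarked", "watermark")
```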
@@ -975,6 +975,278 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1041", + "name": "cs-beacon-config", + "meta-category": "file", + "description": "Cobalt Strike Beacon Config", + "template_uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54", + "template_version": "3", + "event_id": "114", + "uuid": "9b822b13-01b2-4ea8-bdc5-43ddf783daba", + "timestamp": "1709826473", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10659", + "type": "url", + "category": "Network activity", + "to_ids": true, + "uuid": "fd5e7d03-fef1-4022-a631-46f0b935747b", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "c2", + "first_seen": null, + "last_seen": null, + "value": "https://url.cs", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10660", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "57e19849-9f2b-4ebd-af85-e060a569ee25", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "ip", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10661", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "d1df1e8e-4741-426c-8113-d5dd8446592f", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "license-id", + "first_seen": null, + "last_seen": null, + "value": "1234567890", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10662", + "type": "md5", + 
"category": "Payload delivery", + "to_ids": true, + "uuid": "c7ee8e7b-4ff4-41ad-ab4b-472d63cc6d41", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "md5", + "first_seen": null, + "last_seen": null, + "value": "bc67462c4ee665dc75b59b41aa2855f2", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10663", + "type": "sha1", + "category": "Payload delivery", + "to_ids": true, + "uuid": "4286581d-c3e5-4a6e-9652-cb1f6bf90de3", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "sha1", + "first_seen": null, + "last_seen": null, + "value": "5a8584501da14a7830e2227dde846ec67ac7f64c", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10664", + "type": "sha256", + "category": "Payload delivery", + "to_ids": true, + "uuid": "c0fcfd8c-5c21-4c51-9944-0a3f88e1daa8", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "sha256", + "first_seen": null, + "last_seen": null, + "value": "32a0000b5dc0de6b7e55b661ef220e166007392b90ada97dd4ad3ef0bb265615", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10665", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "200187be-c799-4e09-9e68-6f3d00b18913", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1041", + "object_relation": "city", + "first_seen": null, + "last_seen": null, + "value": "Paris", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10666", + "type": "text", + 
"category": "Other", + "to_ids": false, + "uuid": "944e171f-2a18-4c62-9736-eb680d91dffe", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1041", + "object_relation": "geo", + "first_seen": null, + "last_seen": null, + "value": "France", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10667", + "type": "md5", + "category": "External analysis", + "to_ids": true, + "uuid": "26c806fc-ea00-488b-85db-177b597da8f8", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "jar-md5", + "first_seen": null, + "last_seen": null, + "value": "bc67462c4ee665dc75b59b41aa2855f2", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10668", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "0ef44b85-39f5-47c3-9ca1-9f82a1201e2c", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1041", + "object_relation": "sector", + "first_seen": null, + "last_seen": null, + "value": "Education", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10669", + "type": "sha256", + "category": "External analysis", + "to_ids": true, + "uuid": "9e47882d-0819-4475-a1ce-1500c6ec87e3", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "vt-sha256", + "first_seen": null, + "last_seen": null, + "value": "32a0000b5dc0de6b7e55b661ef220e166007392b90ada97dd4ad3ef0bb265615", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10670", + "type": "text", + "category": "Other", + "to_ids": 
false, + "uuid": "f52a2602-ec55-4fc0-a4a1-387f01881dd2", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "watermark", + "first_seen": null, + "last_seen": null, + "value": "ZERTYUIOPLKJH", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], From 67e16ce43adf1f5562f1eb420afa68f23be101c2 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Fri, 8 Mar 2024 16:25:14 +0100 Subject: [PATCH 40/69] Update misp_event_objects.json --- tests/misp_test_data/misp_event_objects.json | 157 ++++++++++++++++++- 1 file changed, 154 insertions(+), 3 deletions(-) diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index afa05ebaf..a92a020d2 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json @@ -8,9 +8,9 @@ "info": "test for yeti", "published": false, "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "51", + "attribute_count": "56", "analysis": "0", - "timestamp": "1709826473", + "timestamp": "1709911415", "distribution": "1", "proposal_email_lock": false, "locked": false, 
@@ -34,7 +34,33 @@ }, "Attribute": [], "ShadowAttribute": [], - "RelatedEvent": [], + "RelatedEvent": [ + { + "Event": { + "id": "93", + "date": "2023-12-06", + "threat_level_id": "1", + "info": "Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers", + "published": false, + "uuid": "c9bc99a4-9207-4123-ac75-d02fd88a8138", + "analysis": "0", + "timestamp": "1701867257", + "distribution": "1", + "org_id": "1", + "orgc_id": "1", + "Org": { + "id": "1", + "name": "SCTIF", + "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d" + }, + "Orgc": { + "id": "1", + "name": "SCTIF", + "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d" + } + } + } + ], "Galaxy": [], "Object": [ { 
@@ -1247,6 +1273,131 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1042", + "name": "domain-ip", + "meta-category": "network", + "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", + "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", + "template_version": "11", + "event_id": "114", + "uuid": "896cdc82-64d5-4334-bc9c-31aa85dc55d1", + "timestamp": "1709911414", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10671", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "62705eaa-b158-4bed-bdef-a25e11c07f12", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1042", + "object_relation": "domain", + "first_seen": null, + "last_seen": null, + "value": "google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10672", + "type": "hostname", + "category": "Network activity", + "to_ids": true, + "uuid": "48fbc23b-85cc-485d-90e3-00fcbf63a8a6", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1042", + "object_relation": "hostname", + "first_seen": null, + "last_seen": null, + "value": "dns.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10673", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "6df0bd65-edc7-4a40-a2d9-54ae6aa35fdf", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1042", + "object_relation": "ip", + "first_seen": null, + "last_seen": null, + "value": "8.8.8.8", + "Galaxy": [], + 
"ShadowAttribute": [] + }, + { + "id": "10674", + "type": "port", + "category": "Network activity", + "to_ids": false, + "uuid": "878a65e8-f870-484a-9fb1-36cb484707d8", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1042", + "object_relation": "port", + "first_seen": null, + "last_seen": null, + "value": "53", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10675", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "6e939061-b00c-410e-82d8-295fb5f1b9db", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1042", + "object_relation": "text", + "first_seen": null, + "last_seen": null, + "value": "dns google", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], From ef3d6771b8c5db69860a530bacc3d7ad1f6768b2 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 8 Mar 2024 16:46:22 +0100 Subject: [PATCH 41/69] add domain-ip object --- core/common/misp_to_yeti.py | 59 +++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index d3ed2d703..1618f19db 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -45,6 +45,7 @@ def __init__(self, misp_event): "command-line": self.__import_commande_line, "cookie": self.__import_cookie, "cs-beacon-config": self.__import_cs_beaconing, + "domain-ip": self.__import_domain_ip, } def attr_misp_to_yeti( 
@@ -479,3 +480,61 @@ def __import_cs_beaconing(
 )
 watermark_yeti.link_to(app_c2, "watermarked", "watermark")
 cs_malware.link_to(watermark_yeti, "watermarked", "watermark")
+
+ def __import_domain_ip(
+ self, invest: entity.Investigation, object_domain_ip: MISPObject
+ ):
+ domain_attr = object_domain_ip.get_attributes_by_relation("domain")
+ ip_attr = object_domain_ip.get_attributes_by_relation("ip")
+ hostname_attr = object_domain_ip.get_attributes_by_relation("hostname")
+ ip_obj = None
+ domain_obj = None
+ hostname_obj = None
+
+ if domain_attr:
+ domain_obj = self.attr_misp_to_yeti(
+ invest,
+ domain_attr[0],
+ description=f"misp {self.misp_event['Orgc']['name']}",
+ )
+ if ip_attr:
+ ip_obj = self.attr_misp_to_yeti(
+ invest,
+ ip_attr[0],
+ description=f"misp {self.misp_event['Orgc']['name']}",
+ )
+ if hostname_attr:
+ hostname_obj = self.attr_misp_to_yeti(
+ invest,
+ hostname_attr[0],
+ description=f"misp {self.misp_event['Orgc']['name']}",
+ )
+ if hostname_obj and domain_obj and ip_obj:
+ domain_obj.link_to(hostname_obj, "resolved_to", "hostname")
+ domain_obj.link_to(ip_obj, "resolved_to", "ip")
+ hostname_obj.link_to(ip_obj, "resolved_to", "ip")
+
+ elif domain_obj and ip_obj and not hostname_obj:
+ domain_obj.link_to(ip_obj, "resolved_to", "ip")
+ elif not domain_obj and ip_obj and hostname_obj:
+ hostname_obj.link_to(ip_obj, "resolved_to", "ip")
+
+ context = {}
+ last_seen = object_domain_ip.get("last-seen")
+ if last_seen:
+ context["last-seen"] = last_seen
+
+ first_seen = object_domain_ip.get("first-seen")
+ if first_seen:
+ context["first-seen"] = first_seen
+
+ description = object_domain_ip.get("text")
+ if description:
+ context["description"] = description
+
+ if hostname_obj:
+ hostname_obj.add_context(f"misp {self.misp_event['Orgc']['name']}", context)
+ if domain_obj:
+ domain_obj.add_context(f"misp {self.misp_event['Orgc']['name']}", context)
+ if ip_obj:
+ ip_obj.add_context(f"misp {self.misp_event['Orgc']['name']}", context)
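Review bot: The context lookups at the end of `__import_domain_ip` — `object_domain_ip.get("last-seen")`, `.get("first-seen")` and `.get("text")` — read the object as a mapping, while the observable lookups a few lines above and every other importer in this series use `get_attributes_by_relation`; if `MISPObject.get` resolves object-level fields rather than attribute relations, the `text` attribute in the domain-ip fixture never reaches `context["description"]`. Suggest `text_attr = object_domain_ip.get_attributes_by_relation("text")` followed by `context["description"] = text_attr[0].value`, with the same treatment for first-seen and last-seen. The three `add_context` calls also run when `context` is empty, where the crowdsec importer guards with `if context:`, and the domain-plus-hostname-without-ip combination falls through all three link branches so no `resolved_to` edge is written for it. The `port` attribute carried by the fixture is not read at all; a comment stating that is deliberate, or a `context["port"]` entry, would make the omission explicit.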
From 8e8e63b7afc466fcccaa56d1b1ccb132edf36cc8 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Fri, 8 Mar 2024 17:18:44 +0100 Subject: [PATCH 42/69] Update misp_event_objects.json --- tests/misp_test_data/misp_event_objects.json | 276 ++++++++++++++++++- 1 file changed, 274 insertions(+), 2 deletions(-) diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index a92a020d2..e76ab8d5f 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json @@ -8,9 +8,9 @@ "info": "test for yeti", "published": false, "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "56", + "attribute_count": "68", "analysis": "0", - "timestamp": "1709911415", + "timestamp": "1709914685", "distribution": "1", "proposal_email_lock": false, "locked": false, 
@@ -1398,6 +1398,278 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1043", + "name": "dns-record", + "meta-category": "network", + "description": "A set of DNS records observed for a specific domain.", + "template_uuid": "f023c8f0-81ab-41f3-9f5d-fa597a34a9b9", + "template_version": "2", + "event_id": "114", + "uuid": "17f7b3f3-640f-403f-8e02-533157a9dd74", + "timestamp": "1709914685", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10676", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "d969a4ce-1ea5-44d4-808f-5178a3acca24", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "a-record", + "first_seen": null, + "last_seen": null, + "value": "8.8.8.8", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10677", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "978fa705-0408-49c2-8b29-a6c3e3fad348", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "aaaa-record", + "first_seen": null, + "last_seen": null, + "value": "fe80::dc23:da6a:903a:199a", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10678", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "37221d25-317c-4e16-a051-a74420183def", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "cname-record", + "first_seen": null, + "last_seen": null, + "value": "cname.google.com", + "Galaxy": [], 
+ "ShadowAttribute": [] + }, + { + "id": "10679", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "87dc197d-778c-4dae-9f8c-a6c8620e0a4b", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "mx-record", + "first_seen": null, + "last_seen": null, + "value": "mx.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10680", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "9bfd69fd-65ae-46da-8658-6707a4c61a73", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "ns-record", + "first_seen": null, + "last_seen": null, + "value": "ns.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10681", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "6a65f02b-aa44-4ede-9bb6-2c4627d4683d", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "ptr-record", + "first_seen": null, + "last_seen": null, + "value": "ptr.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10682", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "5dc15655-ef0c-4ecf-93fe-4907229dde2d", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "queried-domain", + "first_seen": null, + "last_seen": null, + "value": "google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10683", + 
"type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "90ec68a2-bc84-42dd-998d-a531193c4f6b", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "soa-record", + "first_seen": null, + "last_seen": null, + "value": "soa.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10684", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "aee5db87-93bc-4ab9-aae2-dccf8030b025", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "spf-record", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10685", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "d0d4ecfe-df45-4800-8e2b-8a846c797633", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "srv-record", + "first_seen": null, + "last_seen": null, + "value": "svr.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10686", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "7e4f909f-76fa-4b88-8dca-350cc19d4ddc", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "text", + "first_seen": null, + "last_seen": null, + "value": "test google", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10687", + "type": "text", + "category": "Network activity", + "to_ids": false, + "uuid": 
"b5c51e3c-21a6-4a0e-8ca4-9f11d2c24105", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "txt-record", + "first_seen": null, + "last_seen": null, + "value": "maliciouuuuuuuus", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], From a0c714e5bd1d4499c6c6e4e462cb6dbafb22ece4 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 8 Mar 2024 17:20:02 +0100 Subject: [PATCH 43/69] add dns-record object --- core/common/misp_to_yeti.py | 142 ++++++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 1618f19db..46ea77e05 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py 
@@ -538,3 +538,145 @@ def __import_domain_ip( domain_obj.add_context(f"misp {self.misp_event['Orgc']['name']}", context) if ip_obj: ip_obj.add_context(f"misp {self.misp_event['Orgc']['name']}", context) + + def __import_dns_record( + self, invest: entity.Investigation, object_dns_record: MISPObject + ): + queried_domain = object_dns_record.get_attributes_by_relation("queried-domain")[ + 0 + ] + queried_obj = self.attr_misp_to_yeti( + invest, + queried_domain, + description=f"misp {self.misp_event['Orgc']['name']}", + ) + + a_record = object_dns_record.get_attributes_by_relation("a-record") + aaaa_record = object_dns_record.get_attributes_by_relation("aaaa-record") + cname_record = object_dns_record.get_attributes_by_relation("cname-record") + mx_record = object_dns_record.get_attributes_by_relation("mx-record") + ns_record = object_dns_record.get_attributes_by_relation("ns-record") + soa_record = object_dns_record.get_attributes_by_relation("soa-record") + txt_record = object_dns_record.get_attributes_by_relation("txt-record") + spf_record = object_dns_record.get_attributes_by_relation("spf-record") + ptr_record = object_dns_record.get_attributes_by_relation("ptr-record") + srv_record = object_dns_record.get_attributes_by_relation("srv-record") + description = object_dns_record.get_attributes_by_relation("Text") + + context = {} + if description: + context["description"] = description[0]["value"] + + if a_record: + a_red_obj = self.attr_misp_to_yeti( + invest, + a_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + if context: + a_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + queried_obj.link_to(a_red_obj, "resolved_to", "ip") + if aaaa_record: + aaaa_red_obj = self.attr_misp_to_yeti( + invest, + aaaa_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + if context: + aaaa_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + + queried_obj.link_to(aaaa_red_obj, 
"resolved_to", "ip") + if cname_record: + cname_red_obj = self.attr_misp_to_yeti( + invest, + cname_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + if context: + cname_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + queried_obj.link_to(cname_red_obj, "cname", "hostname") + if mx_record: + mx_red_obj = self.attr_misp_to_yeti( + invest, + mx_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + if context: + mx_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + queried_obj.link_to(mx_red_obj, "mx", "hostname") + if ns_record: + ns_red_obj = self.attr_misp_to_yeti( + invest, + ns_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + if context: + ns_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + + queried_obj.link_to(ns_red_obj, "ns", "hostname") + if soa_record: + soa_red_obj = self.attr_misp_to_yeti( + invest, + soa_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + queried_obj.link_to(soa_red_obj, "soa", "hostname") + if context: + soa_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + + if txt_record: + txt_red_obj = self.attr_misp_to_yeti( + invest, + txt_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + queried_obj.link_to(txt_red_obj, "txt", "hostname") + if context: + txt_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + if spf_record: + spf_red_obj = self.attr_misp_to_yeti( + invest, + spf_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + queried_obj.link_to(spf_red_obj, "spf", "hostname") + if context: + spf_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + if ptr_record: + ptr_red_obj = self.attr_misp_to_yeti( + invest, + ptr_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + queried_obj.link_to(ptr_red_obj, "ptr", 
"hostname") + if context: + ptr_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) + if srv_record: + srv_red_obj = self.attr_misp_to_yeti( + invest, + srv_record[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + queried_obj.link_to(srv_red_obj, "srv", "hostname") + if context: + srv_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) From ad59591b57787f543ec6af4cab56192c66bb9a02 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 8 Mar 2024 18:37:32 +0100 Subject: [PATCH 44/69] add attribute path --- core/schemas/observables/path.py | 5 +++++ tests/schemas/observable.py | 14 +++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/core/schemas/observables/path.py b/core/schemas/observables/path.py index 4d40198d9..938e64d5b 100644 --- a/core/schemas/observables/path.py +++ b/core/schemas/observables/path.py @@ -1,3 +1,4 @@ +from datetime import datetime from typing import Literal from core.schemas import observable @@ -5,6 +6,10 @@ class Path(observable.Observable): type: Literal[observable.ObservableType.path] = observable.ObservableType.path + creation_time: datetime | None + modification_time: datetime | None + access_time: datetime | None + path_encoding: str | None observable.TYPE_MAPPING[observable.ObservableType.path] = Path diff --git a/tests/schemas/observable.py b/tests/schemas/observable.py index 3b0d07b75..c652afee5 100644 --- a/tests/schemas/observable.py +++ b/tests/schemas/observable.py 
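Review bot: `object_dns_record.get_attributes_by_relation("Text")` looks up a relation that does not exist in the dns-record fixture added in the previous commit, which names it `"text"` (attribute 10686 with `"object_relation": "text"`); pymisp's lookup appears to be an exact string match, so `context["description"]` is never set and no context is attached to any record, and the line should read `description = object_dns_record.get_attributes_by_relation("text")`. Each record relation is also reduced to `[0]`, so a domain with several A, AAAA or NS records loses all but the first, and `queried-domain` is indexed `[0]` with no guard, which raises IndexError when the relation is absent. The ten near-identical `if x_record:` blocks differ only in relation name, link type and tag; a single `(relation, link_type, tag)` table walked in a loop would make the import easier to extend and would stop the ordering drift where some blocks link before adding context and others after. `__import_dns_record` sits entirely within this hunk.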
@@ -396,7 +396,19 @@ def test_create_md5(self) -> None: def test_create_path(self) -> None: """Tests creating a path.""" - observable = path.Path(value="/var/test").save() + observable = path.Path(value="/var/test") + observable.creation_time = datetime.datetime( + 2023, 1, 1, tzinfo=datetime.timezone.utc + ) + observable.modification_time = datetime.datetime( + 2023, 1, 1, tzinfo=datetime.timezone.utc + ) + observable.access_time = datetime.datetime( + 2023, 1, 1, tzinfo=datetime.timezone.utc + ) + observable.path_encoding = "utf-8" + observable.save() + self.assertIsNotNone(observable.id) self.assertEqual(observable.value, "/var/test") self.assertIsInstance(observable, path.Path) From b65e5a6507a00e4d6b74b8186795eed0743a89e2 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 8 Mar 2024 18:40:51 +0100 Subject: [PATCH 45/69] fix pydantic --- core/schemas/observables/path.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/core/schemas/observables/path.py b/core/schemas/observables/path.py index 938e64d5b..fa88a9859 100644 --- a/core/schemas/observables/path.py +++ b/core/schemas/observables/path.py @@ -6,10 +6,10 @@ class Path(observable.Observable): type: Literal[observable.ObservableType.path] = observable.ObservableType.path - creation_time: datetime | None - modification_time: datetime | None - access_time: datetime | None - path_encoding: str | None + creation_time: datetime | None = None + modification_time: datetime | None = None + access_time: datetime | None = None + path_encoding: str | None = None observable.TYPE_MAPPING[observable.ObservableType.path] = Path From 65014792c3c470e31e3b3156cd55c318881474fd Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 8 Mar 2024 18:45:40 +0100 Subject: [PATCH 46/69] Update observable.py --- tests/schemas/observable.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/schemas/observable.py b/tests/schemas/observable.py index c652afee5..1d1891caf 100644 --- a/tests/schemas/observable.py +++ b/tests/schemas/observable.py @@ -407,7 +407,7 @@ def test_create_path(self) -> None: 2023, 1, 1, tzinfo=datetime.timezone.utc ) observable.path_encoding = "utf-8" - observable.save() + observable=observable.save() self.assertIsNotNone(observable.id) self.assertEqual(observable.value, "/var/test") From 35d994e80e683391a04c49d1128cbbfd839b6fce Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Fri, 8 Mar 2024 18:47:42 +0100 Subject: [PATCH 47/69] Update observable.py --- tests/schemas/observable.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/schemas/observable.py b/tests/schemas/observable.py index 1d1891caf..c0214fd81 100644 --- a/tests/schemas/observable.py +++ b/tests/schemas/observable.py @@ -407,7 +407,7 @@ def test_create_path(self) -> None: 2023, 1, 1, tzinfo=datetime.timezone.utc ) observable.path_encoding = "utf-8" - observable=observable.save() + observable = observable.save() self.assertIsNotNone(observable.id) self.assertEqual(observable.value, "/var/test") From 45ae8c83219a696ee666db6628e89eeeb9900f3d Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Mon, 11 Mar 2024 15:35:51 +0100 Subject: [PATCH 48/69] Update misp_event_objects.json --- tests/misp_test_data/misp_event_objects.json | 129 ++++++++++++++++++- 1 file changed, 127 insertions(+), 2 deletions(-) diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index e76ab8d5f..ae06841f4 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json 
@@ -8,9 +8,9 @@ "info": "test for yeti", "published": false, "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "68", + "attribute_count": "73", "analysis": "0", - "timestamp": "1709914685", + "timestamp": "1710167623", "distribution": "1", "proposal_email_lock": false, "locked": false, 
@@ -1670,6 +1670,131 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1044", + "name": "directory", + "meta-category": "file", + "description": "Directory object describing a directory with meta-information", + "template_uuid": "23ac6a02-1017-4ea6-a4df-148ed563988d", + "template_version": "1", + "event_id": "114", + "uuid": "ec79de9c-f711-4883-ac62-e2a46637a0fd", + "timestamp": "1710167623", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10688", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "125fb030-6e34-439c-a335-eb894b315fb1", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1044", + "object_relation": "path", + "first_seen": null, + "last_seen": null, + "value": "/var/lib/mechant", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10689", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "8db2f816-950d-4848-bc63-8ee5cda387c1", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1044", + "object_relation": "access-time", + "first_seen": null, + "last_seen": null, + "value": "2024-03-11T14:32:39.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10690", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "1e757cae-d0b0-478f-96ab-058b8a75e82d", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1044", + "object_relation": "creation-time", + "first_seen": null, + "last_seen": null, + "value": "2024-03-11T14:32:39.000000+0000", + "Galaxy": 
[], + "ShadowAttribute": [] + }, + { + "id": "10691", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "769bcd9e-738c-4c8b-92a1-c48ade6009a3", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1044", + "object_relation": "modification-time", + "first_seen": null, + "last_seen": null, + "value": "2024-03-11T14:32:39.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10692", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "9f98c812-a9c2-4b49-b139-ef301037138b", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1044", + "object_relation": "path-encoding", + "first_seen": null, + "last_seen": null, + "value": "BRF", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], From 9067348b5112e77ead81bd42085a2ca99296e3f7 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 11 Mar 2024 15:46:58 +0100 Subject: [PATCH 49/69] add directory --- core/common/misp_to_yeti.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 46ea77e05..ec4950eef 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -29,6 +29,7 @@ "AS": observable.ObservableType.asn, "cookie": observable.ObservableType.cookie, "other": observable.ObservableType.generic, + "path": observable.ObservableType.path, } @@ -46,6 +47,8 @@ def __init__(self, misp_event): "cookie": self.__import_cookie, "cs-beacon-config": self.__import_cs_beaconing, "domain-ip": self.__import_domain_ip, + "dns-record": self.__import_dns_record, + "directory": self.__import_directory, } def attr_misp_to_yeti( 
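Review bot: The new `"path": observable.ObservableType.path` entry in `MISP_TYPES_TO_IMPORT` is keyed by MISP attribute type, but the directory fixture added in the same series stores the path as `"type": "text"` with `"object_relation": "path"`, so this entry will not match that attribute through `attr_misp_to_yeti`; I could not find `path` among MISP's attribute types, so please verify it exists before keeping the mapping. If the intent is to let the generic attribute loop pick up paths, the dispatch should key on the object relation, as `__import_directory` already does, rather than on the attribute type. The surrounding dict and `__init__` start outside these hunks.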
@@ -680,3 +683,26 @@ def __import_dns_record( srv_red_obj.add_context( f"misp {self.misp_event['Orgc']['name']}", context ) + + def __import_directory(self, invest: entity.Investigation, obj_path: MISPObject): + path_attr = obj_path.get_attributes_by_relation("path")[0] + path = observable.path.Path(value=path_attr["value"]) + + creation_time = obj_path.get_attributes_by_relation("creation-time") + if creation_time: + path.creation_time = creation_time[0]["value"] + + modification_time = obj_path.get_attributes_by_relation("modification-time") + if modification_time: + path.modification_time = modification_time[0]["value"] + access_time = obj_path.get_attributes_by_relation("access-time") + if access_time: + path.access_time = access_time[0]["value"] + + path_encoding = obj_path.get_attributes_by_relation("path-encoding") + if path_encoding: + path.path_encoding = path_encoding[0]["value"] + path=path.save() + invest.link_to( + path, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + ) From 0278c4d31cecd5e24899d163e2f8c02cd20321c8 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 11 Mar 2024 15:47:28 +0100 Subject: [PATCH 50/69] ruff --- core/common/misp_to_yeti.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index ec4950eef..a530b4a19 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -702,7 +702,7 @@ def __import_directory(self, invest: entity.Investigation, obj_path: MISPObject) path_encoding = obj_path.get_attributes_by_relation("path-encoding") if path_encoding: path.path_encoding = path_encoding[0]["value"] - path=path.save() + path = path.save() invest.link_to( path, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" ) From 1d7639e62f5c7d62014c60c4769687e747c3af31 Mon Sep 17 00:00:00 2001 
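Review bot: `path.creation_time = creation_time[0]["value"]` (and the modification/access variants) assigns the raw MISP string — the fixture carries `"2024-03-11T14:32:39.000000+0000"` — to a field the Path schema declares as `datetime | None`; unless the model validates on assignment, which is not visible here, the string is persisted as-is and later datetime comparisons will fail. Parse it explicitly before assignment, e.g. with `datetime.fromisoformat(...)` on Python 3.11+ or the date parsing the rest of the importer already uses, and handle a parse failure rather than storing the string. `obj_path.get_attributes_by_relation("path")[0]` is also unguarded and raises IndexError when the relation is absent, and `path_encoding` is stored without any validation of the value. Unlike the other object importers, this one attaches no `add_context` to the observable, so the originating org is only recoverable from the link tag.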
From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 11 Mar 2024 18:18:26 +0100 Subject: [PATCH 51/69] add email --- core/common/misp_to_yeti.py | 69 +++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index a530b4a19..b8522617a 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py 
@@ -706,3 +706,72 @@ def __import_directory(self, invest: entity.Investigation, obj_path: MISPObject) invest.link_to( path, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" ) + + def __import_email(self, invest: entity.Investigation, object_email: MISPObject): + email_attr = object_email.get_attributes_by_relation("email")[0] + email = observable.email.Email(value=email_attr["value"]).save() + invest.link_to( + email, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" + ) + bbc_email = object_email.get_attributes_by_relation("bcc-email") + if bbc_email: + for email_bcc in bbc_email: + email_bcc = self.attr_misp_to_yeti( + invest, + email_bcc, + description=f"misp {self.misp_event['Orgc']['name']}", + ) + email.link_to(email_bcc, "bcc", "email") + + cc_attr = object_email.get_attributes_by_relation("cc-email") + if cc_attr: + for email_cc in cc_attr: + email_cc = self.attr_misp_to_yeti( + invest, + email_cc, + description=f"misp {self.misp_event['Orgc']['name']}", + ) + email.link_to(email_cc, "cc", "email") + + from_attr = object_email.get_attributes_by_relation("from") + if from_attr: + from_email = self.attr_misp_to_yeti( + invest, + from_attr[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + email.link_to(from_email, "from", "email") + + to_attr = object_email.get_attributes_by_relation("to") + if to_attr: + for to in to_attr: + email_to = self.attr_misp_to_yeti( + invest, + to, + description=f"misp {self.misp_event['Orgc']['name']}", + ) + email.link_to(email_to, "to", "email") + + from_domain_attrs = object_email.get_attributes_by_relation("from-domain") + if from_domain_attrs: + from_domain = self.attr_misp_to_yeti( + invest, + from_domain_attrs[0], + description=f"misp {self.misp_event['Orgc']['name']}", + ) + email.link_to(from_domain, "from", "domain") + + ips_src_attr = object_email.get_attributes_by_relation("ip-src") + if ips_src_attr: + for ip_attr in ips_src_attr: + ip_src = self.attr_misp_to_yeti( + invest, + 
ip_attr, + description=f"misp {self.misp_event['Orgc']['name']}", + ) + email.link_to(ip_src, "sent_from", "ip") + + subject_attr = object_email.get_attributes_by_relation("subject") + if subject_attr: + for index, subject in enumerate(subject_attr): + email.add_context("misp", {f"subject {index}": subject["value"]}) From f4660b67321c13914366579a4f1fd858cc749fa4 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 08:58:07 +0100 Subject: [PATCH 52/69] Update misp_event_objects.json --- tests/misp_test_data/misp_event_objects.json | 465 ++++++++++++++++++- 1 file changed, 463 insertions(+), 2 deletions(-) diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index ae06841f4..9afb6adf0 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json @@ -8,9 +8,9 @@ "info": "test for yeti", "published": false, "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "73", + "attribute_count": "94", "analysis": "0", - "timestamp": "1710167623", + "timestamp": "1710748448", "distribution": "1", "proposal_email_lock": false, "locked": false, 
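Review bot: `object_email.get_attributes_by_relation("email")[0]` is indexed without a guard, and the email fixture added in the next commit has no attribute with relation `email` (its addresses sit under `from`, `to`, `cc`, `bcc` and `reply-to`), so this line raises IndexError on that data; the relation names `bcc-email` and `cc-email` likewise do not match the fixture's `bcc`/`cc`, so those loops never run. The follow-up "fixes errors import" commit may address this, but only its dispatch-table hunk is visible here, so I cannot confirm. `email.add_context("misp", {f"subject {index}": ...})` also keys the context as `"misp"` while every other importer in this file uses `f"misp {self.misp_event['Orgc']['name']}"`, which splits the same event's context across two sources. The enclosing class starts outside this hunk.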
@@ -1795,6 +1795,467 @@ "ShadowAttribute": [] } ] + }, + { + "id": "1045", + "name": "email", + "meta-category": "network", + "description": "Email object describing an email with meta-information", + "template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", + "template_version": "19", + "event_id": "114", + "uuid": "811b697d-e19d-4fe1-a396-1967c1c6f388", + "timestamp": "1710748448", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10694", + "type": "email-dst-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "af3a24c5-25d8-4696-9752-194ba8c64f9e", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "reply-to-display-name", + "first_seen": null, + "last_seen": null, + "value": "replay-test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10695", + "type": "email-reply-to", + "category": "Payload delivery", + "to_ids": false, + "uuid": "655d763a-9512-4fa3-8ec3-6dced7de19f6", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "reply-to", + "first_seen": null, + "last_seen": null, + "value": "reply@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10696", + "type": "email-subject", + "category": "Payload delivery", + "to_ids": false, + "uuid": "54df3237-4668-4659-be80-c1473e8d2233", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "subject", + "first_seen": null, + "last_seen": null, + "value": 
"subject test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10697", + "type": "email-dst", + "category": "Payload delivery", + "to_ids": true, + "uuid": "4b772548-d324-4f14-8ffa-76350deb37a8", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "bcc", + "first_seen": null, + "last_seen": null, + "value": "bbc@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10698", + "type": "email-dst", + "category": "Payload delivery", + "to_ids": true, + "uuid": "269ee214-63f1-4ffb-8c11-6a74a8ffb18e", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "to", + "first_seen": null, + "last_seen": null, + "value": "to@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10699", + "type": "email-dst-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "2cd432b5-7326-414f-8cd4-55b4d3efdd62", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "to-display-name", + "first_seen": null, + "last_seen": null, + "value": "to-display-test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10700", + "type": "domain", + "category": "Payload delivery", + "to_ids": true, + "uuid": "7580354c-82e4-4613-a2f0-04c35f032e54", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "from-domain", + "first_seen": null, + "last_seen": null, + "value": "from.test.com", + "Galaxy": [], + 
"ShadowAttribute": [] + }, + { + "id": "10701", + "type": "email-src-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "9f5d7efc-c73b-42f0-9d76-bb2136398c32", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "from-display-name", + "first_seen": null, + "last_seen": null, + "value": "from-display-test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10702", + "type": "email-src", + "category": "Payload delivery", + "to_ids": true, + "uuid": "d927fddc-884d-4d2d-81b6-eb9a6a8c406d", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "from", + "first_seen": null, + "last_seen": null, + "value": "from@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10703", + "type": "email-body", + "category": "Payload delivery", + "to_ids": false, + "uuid": "0fba1948-13a1-4001-8ab3-d001af7aef9e", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "email-body", + "first_seen": null, + "last_seen": null, + "value": "blablablaba", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10704", + "type": "email-dst-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "40589ccd-a3cb-4a3e-a90e-adf53e10c9f1", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "cc-display-name", + "first_seen": null, + "last_seen": null, + "value": "cc-display-test", + "Galaxy": [], + 
"ShadowAttribute": [] + }, + { + "id": "10705", + "type": "email-dst", + "category": "Payload delivery", + "to_ids": true, + "uuid": "bc79c5fe-2a44-496c-8e4b-d2d368a30947", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "cc", + "first_seen": null, + "last_seen": null, + "value": "cc@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10706", + "type": "email-dst-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "f1135dd9-5a0b-402b-802f-b2089b7c0014", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "bcc-display-name", + "first_seen": null, + "last_seen": null, + "value": "bcc-display-name", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10707", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "fa53a562-feb8-4d24-ad41-e2289d8cb238", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "user-agent", + "first_seen": null, + "last_seen": null, + "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10708", + "type": "email-thread-index", + "category": "Payload delivery", + "to_ids": false, + "uuid": "c4e5f653-77a5-421a-acb6-532d6c054d1b", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "thread-index", + "first_seen": null, + 
"last_seen": null, + "value": "1235", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10709", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "72a78538-3663-4420-bbf5-7cdd17fdc13f", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "send-date", + "first_seen": null, + "last_seen": null, + "value": "2024-03-18T00:00:00.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10710", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "8dc24960-2f20-4970-9732-f4216fad2328", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "received-header-ip", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10711", + "type": "hostname", + "category": "Network activity", + "to_ids": true, + "uuid": "36ac2aa4-6b14-41ec-bbf6-4626839e734d", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "received-header-hostname", + "first_seen": null, + "last_seen": null, + "value": "received.test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10712", + "type": "email-message-id", + "category": "Payload delivery", + "to_ids": false, + "uuid": "b2b8e0b3-7050-4371-a218-d00b6aad4d26", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "message-id", + "first_seen": null, + "last_seen": null, + 
"value": "1235", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10713", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "cf825b17-9c0c-4e4d-ac22-a47fdec5d79b", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "ip-src", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10714", + "type": "email-header", + "category": "Payload delivery", + "to_ids": false, + "uuid": "209dbd9b-0bb9-408c-9850-a1f5a721cdc5", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "header", + "first_seen": null, + "last_seen": null, + "value": "test header", + "Galaxy": [], + "ShadowAttribute": [] + } + ] } ], "EventReport": [], From 8241b90a7006a0fab4330ba5a21d59889d6fdd4e Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 09:52:45 +0100 Subject: [PATCH 53/69] add email import and fixes errors import --- core/common/misp_to_yeti.py | 64 +++++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 21 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index b8522617a..98c17fac2 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -49,6 +49,7 @@ def __init__(self, misp_event): "domain-ip": self.__import_domain_ip, "dns-record": self.__import_dns_record, "directory": self.__import_directory, + "email": self.__import_email, } def attr_misp_to_yeti( 
@@ -57,21 +58,27 @@ def attr_misp_to_yeti( attribute: MISPAttribute, description: str = "", ) -> observable.Observable: # type: ignore + obs_yeti = None if attribute.get("type") in MISP_Attribute_TO_IMPORT: obs_yeti = observable.TYPE_MAPPING[ MISP_Attribute_TO_IMPORT[attribute.get("type")] # type: ignore ](value=attribute.get("value")).save() + else: + try: + obs_yeti = observable.generic_observable.GenericObservable( + value=attribute.get("value") + ).save() # type: ignore + except ValueError: + logging.error(f"Invalid value: {attribute.get('value')}") + + if obs_yeti: tags = attribute.get("Tag") if tags: obs_yeti.tag([t["name"] for t in tags]) invest.link_to(obs_yeti, "imported_by_misp", description) - print(f"Attribute {attribute.get('value')} imported") + logging.info(f"Attribute {attribute.get('value')} imported") - else: - obs_yeti = observable.generic_observable.GenericObservable( - value=attribute.get("value") - ).save() # type: ignore - return obs_yeti + return obs_yeti # type: ignore def add_context_by_misp( self, attribute_misp: MISPAttribute, obs_yeti: observable.Observable @@ -91,7 +98,7 @@ def add_obs(self, invest: entity.Investigation, obs_misp: MISPObject): self.add_context_by_misp(attr, obs_yeti) yield obs_yeti else: - print(f"Attribute {attr} not imported") + logging.info(f"Attribute {attr} not imported") def obs_misp_to_yeti(self, invest: entity.Investigation, object_misp: MISPObject): if object_misp["name"] in self.func_by_type: @@ -120,7 +127,7 @@ def misp_to_yeti(self): if obs_yeti: self.add_context_by_misp(attribute_misp, obs_yeti) else: - print(f"Attribute {attribute_misp} not imported") + logging.info(f"Attribute {attribute_misp} not imported") invest.save() def __import_av_signature( 
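Review bot: `attr_misp_to_yeti` now returns None when the generic fallback raises ValueError, but the signature still reads `-> observable.Observable` and the `return obs_yeti  # type: ignore` hides the mismatch; declare it as `-> observable.Observable | None` so callers that chain `.link_to`/`.add_context` on the result are forced to handle the missing observable, as `add_obs` in the second hunk already does with `if obs_yeti:`. The `except ValueError` only covers the generic fallback, so any other failure from `.save()` on either branch still propagates and aborts the import of the whole event, which for attribute values pulled from a third-party feed may be worth catching and logging per attribute instead. Minor: the logging calls use f-strings (`logging.error(f"Invalid value: ...")`); the logging convention is lazy `%s` args, `logging.error("Invalid value: %s", attribute.get("value"))`. The function's signature starts outside this hunk.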
@@ -645,11 +652,13 @@ def __import_dns_record( txt_record[0], description=f"misp {self.misp_event['Orgc']['name']}", ) - queried_obj.link_to(txt_red_obj, "txt", "hostname") - if context: - txt_red_obj.add_context( - f"misp {self.misp_event['Orgc']['name']}", context - ) + + if txt_red_obj: + queried_obj.link_to(txt_red_obj, "txt", "hostname") + if context: + txt_red_obj.add_context( + f"misp {self.misp_event['Orgc']['name']}", context + ) if spf_record: spf_red_obj = self.attr_misp_to_yeti( invest, @@ -708,7 +717,7 @@ def __import_directory(self, invest: entity.Investigation, obj_path: MISPObject) ) def __import_email(self, invest: entity.Investigation, object_email: MISPObject): - email_attr = object_email.get_attributes_by_relation("email")[0] + email_attr = object_email.get_attributes_by_relation("from")[0] email = observable.email.Email(value=email_attr["value"]).save() invest.link_to( email, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" @@ -733,13 +742,6 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) ) email.link_to(email_cc, "cc", "email") - from_attr = object_email.get_attributes_by_relation("from") - if from_attr: - from_email = self.attr_misp_to_yeti( - invest, - from_attr[0], - description=f"misp {self.misp_event['Orgc']['name']}", - ) email.link_to(from_email, "from", "email") to_attr = object_email.get_attributes_by_relation("to") 
@@ -775,3 +777,23 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) if subject_attr: for index, subject in enumerate(subject_attr): email.add_context("misp", {f"subject {index}": subject["value"]}) + + send_date = object_email.get_attributes_by_relation("send-date") + if send_date: + email.add_context("misp", {"send-date": send_date[0]["value"]}) + + received_date = object_email.get_attributes_by_relation("received-date") + if received_date: + email.add_context("misp", {"received-date": received_date[0]["value"]}) + + user_agent_attr = object_email.get_attributes_by_relation("user-agent") + if user_agent_attr: + user_agent_obs = observable.user_agent.UserAgent( + value=user_agent_attr[0]["value"] + ).save() + invest.link_to( + user_agent_obs, + "imported_by_misp", + f"misp {self.misp_event['Orgc']['name']}", + ) + email.link_to(user_agent_obs, "user-agent", "user-agent") From cde97df03ed1edd4676bc118044a5d7d470c06bc Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 09:56:29 +0100 Subject: [PATCH 54/69] fix error name --- core/common/misp_to_yeti.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 98c17fac2..6ba460706 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -742,8 +742,6 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) ) email.link_to(email_cc, "cc", "email") - email.link_to(from_email, "from", "email") - to_attr = object_email.get_attributes_by_relation("to") if to_attr: for to in to_attr: From f41b680104e6f1aa3cff1ee8135f4175a7b39130 Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 14:08:47 +0100 Subject: [PATCH 55/69] update emails objects --- core/common/misp_to_yeti.py | 167 +++++++++++++++++++++++++++++------- 1 file changed, 137 insertions(+), 30 deletions(-) 
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 6ba460706..e26d6bdf8 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py 
@@ -717,72 +717,134 @@ def __import_directory(self, invest: entity.Investigation, obj_path: MISPObject) ) def __import_email(self, invest: entity.Investigation, object_email: MISPObject): - email_attr = object_email.get_attributes_by_relation("from")[0] - email = observable.email.Email(value=email_attr["value"]).save() - invest.link_to( - email, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}" - ) + from_email_list = [] + list_to_emails = [] + list_cc_emails = [] + list_bbc_emails = [] + from_domains_list = [] + list_ips_src = [] + list_to_display_names = [] + attachment_list = [] + from_attr = object_email.get_attributes_by_relation("from") + + if from_attr: + from_email_list = [ + self.attr_misp_to_yeti( + invest, + email_from, + description=f"misp {self.misp_event['Orgc']['name']}", + ) + for email_from in from_attr + ] + bbc_email = object_email.get_attributes_by_relation("bcc-email") + if bbc_email: - for email_bcc in bbc_email: - email_bcc = self.attr_misp_to_yeti( + list_bbc_emails = [ + self.attr_misp_to_yeti( invest, email_bcc, description=f"misp {self.misp_event['Orgc']['name']}", ) - email.link_to(email_bcc, "bcc", "email") + for email_bcc in bbc_email + ] cc_attr = object_email.get_attributes_by_relation("cc-email") if cc_attr: - for email_cc in cc_attr: - email_cc = self.attr_misp_to_yeti( + list_cc_emails = [ + self.attr_misp_to_yeti( invest, email_cc, description=f"misp {self.misp_event['Orgc']['name']}", ) - email.link_to(email_cc, "cc", "email") + for email_cc in cc_attr + ] to_attr = object_email.get_attributes_by_relation("to") if to_attr: - for to in to_attr: - email_to = self.attr_misp_to_yeti( + list_to_emails = [ + self.attr_misp_to_yeti( invest, - to, + email_to, description=f"misp {self.misp_event['Orgc']['name']}", ) - email.link_to(email_to, "to", "email") + for email_to in to_attr + ] + to_display_name_attr = object_email.get_attributes_by_relation( + "to-display-name" + ) + if to_display_name_attr: + list_to_display_names = 
[ + observable.generic_observable.GenericObservable( + value=display_name['value'] + ).save() + for display_name in to_display_name_attr + ] + for email in list_to_emails: + for display_name in list_to_display_names: + email.link_to(display_name, "display_name", "display_name") + from_domain_attrs = object_email.get_attributes_by_relation("from-domain") if from_domain_attrs: - from_domain = self.attr_misp_to_yeti( - invest, - from_domain_attrs[0], - description=f"misp {self.misp_event['Orgc']['name']}", - ) - email.link_to(from_domain, "from", "domain") + from_domains_list = [ + self.attr_misp_to_yeti( + invest, + domain, + description=f"misp {self.misp_event['Orgc']['name']}", + ) + for domain in from_domain_attrs + ] ips_src_attr = object_email.get_attributes_by_relation("ip-src") if ips_src_attr: - for ip_attr in ips_src_attr: - ip_src = self.attr_misp_to_yeti( + list_ips_src = [ + self.attr_misp_to_yeti( invest, - ip_attr, + ip_src, description=f"misp {self.misp_event['Orgc']['name']}", ) - email.link_to(ip_src, "sent_from", "ip") + for ip_src in ips_src_attr + ] + subject_attr = object_email.get_attributes_by_relation("subject") + ## Add subjects for all emails if subject_attr: for index, subject in enumerate(subject_attr): - email.add_context("misp", {f"subject {index}": subject["value"]}) - + for email in from_email_list: + email.add_context("misp", {f"subject {index}": subject["value"]}) + for email in list_to_emails: + email.add_context("misp", {f"subject {index}": subject["value"]}) + for email in list_cc_emails: + email.add_context("misp", {"fsubject {index}": subject["value"]}) + for email in list_bbc_emails: + email.add_context("misp", {f"subject {index}": subject["value"]}) + + ## Add send date to all emails send_date = object_email.get_attributes_by_relation("send-date") if send_date: - email.add_context("misp", {"send-date": send_date[0]["value"]}) + for email in from_email_list: + email.add_context("misp", {"send-date": send_date[0]["value"]}) + 
for email in list_to_emails: + email.add_context("misp", {"send-date": send_date[0]["value"]}) + for email in list_cc_emails: + email.add_context("misp", {"send-date": send_date[0]["value"]}) + for email in list_bbc_emails: + email.add_context("misp", {"send-date": send_date[0]["value"]}) received_date = object_email.get_attributes_by_relation("received-date") + + ## add receive date to all emails if received_date: - email.add_context("misp", {"received-date": received_date[0]["value"]}) + for email in from_email_list: + email.add_context("misp", {"received-date": received_date[0]["value"]}) + for email in list_to_emails: + email.add_context("misp", {"received-date": received_date[0]["value"]}) + for email in list_cc_emails: + email.add_context("misp", {"received-date": received_date[0]["value"]}) + for email in list_bbc_emails: + email.add_context("misp", {"received-date": received_date[0]["value"]}) user_agent_attr = object_email.get_attributes_by_relation("user-agent") if user_agent_attr: 
@@ -794,4 +856,49 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}", ) - email.link_to(user_agent_obs, "user-agent", "user-agent") + + attachment_attr = object_email.get_attributes_by_relation("attachment") + if attachment_attr: + attachment_list = [ + self.attr_misp_to_yeti( + invest, + attachment, + description=f"misp {self.misp_event['Orgc']['name']}", + ) + for attachment in attachment_attr + ] + + for email in from_email_list: + email.link_to(user_agent_obs, "sent_by", "user_agent") + + ## add attachement at all emails + for attachment in attachment_list: + for email in list_to_emails: + email.link_to(attachment, "sent_to", "attachment") + for email in list_cc_emails: + email.link_to(attachment, "sent_to", "attachment") + for email in list_bbc_emails: + email.link_to(attachment, "sent_to", "attachment") + for email in from_email_list: + email.link_to(attachment, "sent_by", "attachment") + + ## add IP src to ips_src + for email in from_email_list: + for ip in list_ips_src: + email.link_to(ip, "sent_by", "ip") + + # Create Link between emails + for email_from in from_email_list: + for email_to in list_to_emails: + email_from.link_to(email_to, "sent_to", "email") + for email_cc in list_cc_emails: + for email_to in list_to_emails: + email_cc.link_to(email_to, "sent_to", "email") + + for email_bcc in list_bbc_emails: + for email_to in list_to_emails: + email_bcc.link_to(email_to, "sent_to", "email") + + for email_bcc in list_bbc_emails: + for email_to in list_to_emails: + email_bcc.link_to(email_to, "sent_to", "email") From cd3d5b77b806303d2bfbd46028e851cd5839a15f Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 14:09:33 +0100 Subject: [PATCH 56/69] fix linting --- core/common/misp_to_yeti.py | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) 
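Review bot: The cc loop writes `email.add_context("misp", {"fsubject {index}": subject["value"]})`, missing the `f` prefix, so cc addresses get the literal key `fsubject {index}` instead of the indexed subject; it should read `{f"subject {index}": subject["value"]}` like the from/to/bcc loops around it. Further down, `for email in from_email_list: email.link_to(user_agent_obs, "sent_by", "user_agent")` sits after the attachment block and, as far as the collapsed indentation shows, outside `if user_agent_attr:`, so an email object with no user-agent attribute raises UnboundLocalError. Since `attr_misp_to_yeti` returns None for an invalid value (patch 53), every comprehension here (`from_email_list`, `list_to_emails`, `list_cc_emails`, `list_bbc_emails`, `list_ips_src`, `attachment_list`) can contain None and the later `add_context`/`link_to` calls on those entries will fail; add `if obs is not None` to the comprehensions or check before use. The two trailing `for email_bcc in list_bbc_emails` loops are identical and one can be dropped, and the `to-display-name` GenericObservables are the only objects here not linked to `invest`. One malformed attribute in untrusted feed data should not abort the import of the whole event.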
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index e26d6bdf8..553fc7277 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -776,15 +776,14 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) if to_display_name_attr: list_to_display_names = [ observable.generic_observable.GenericObservable( - value=display_name['value'] - + value=display_name["value"] ).save() for display_name in to_display_name_attr ] for email in list_to_emails: for display_name in list_to_display_names: email.link_to(display_name, "display_name", "display_name") - + from_domain_attrs = object_email.get_attributes_by_relation("from-domain") if from_domain_attrs: from_domains_list = [ @@ -807,7 +806,6 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) for ip_src in ips_src_attr ] - subject_attr = object_email.get_attributes_by_relation("subject") ## Add subjects for all emails if subject_attr: @@ -820,7 +818,7 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) email.add_context("misp", {"fsubject {index}": subject["value"]}) for email in list_bbc_emails: email.add_context("misp", {f"subject {index}": subject["value"]}) - + ## Add send date to all emails send_date = object_email.get_attributes_by_relation("send-date") if send_date: @@ -834,7 +832,7 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) email.add_context("misp", {"send-date": send_date[0]["value"]}) received_date = object_email.get_attributes_by_relation("received-date") - + ## add receive date to all emails if received_date: for email in from_email_list: 
@@ -881,12 +879,12 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) email.link_to(attachment, "sent_to", "attachment") for email in from_email_list: email.link_to(attachment, "sent_by", "attachment") - + ## add IP src to ips_src for email in from_email_list: for ip in list_ips_src: email.link_to(ip, "sent_by", "ip") - + # Create Link between emails for email_from in from_email_list: for email_to in list_to_emails: @@ -894,11 +892,11 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) for email_cc in list_cc_emails: for email_to in list_to_emails: email_cc.link_to(email_to, "sent_to", "email") - + for email_bcc in list_bbc_emails: for email_to in list_to_emails: email_bcc.link_to(email_to, "sent_to", "email") - + for email_bcc in list_bbc_emails: for email_to in list_to_emails: email_bcc.link_to(email_to, "sent_to", "email") From 7bff7a7092fd504aa6d2bc1aaccfcf2ab57ff32e Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 14:12:03 +0100 Subject: [PATCH 57/69] fix variable never used --- core/common/misp_to_yeti.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index 553fc7277..e1f34db07 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py @@ -805,6 +805,9 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) ) for ip_src in ips_src_attr ] + for domain in from_domains_list: + for ip in list_ips_src: + domain.link_to(ip, "misp", "ip") subject_attr = object_email.get_attributes_by_relation("subject") ## Add subjects for all emails From 4ab560c03428c569e472840cf16fca8710a3639b Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 14:32:51 +0100 Subject: [PATCH 58/69] add exploit entity --- core/schemas/entity.py | 15 +++++++++++++++ tests/schemas/entity.py | 16 ++++++++++++++++ 2 files changed, 31 insertions(+) 
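Review bot: `domain.link_to(ip, "misp", "ip")` uses the source name `"misp"` as the link type, whereas every other edge in `__import_email` carries a relation (`sent_by`, `sent_to`, `display_name`), so a reader of the graph cannot tell what this edge means; and the cross product of every from-domain with every ip-src asserts a domain-to-IP relation that the MISP email object itself does not state. A descriptive relation, e.g. `domain.link_to(ip, "sent_from", "ip")`, and a short comment on why the two attribute lists are joined would make the intent explicit, and because `attr_misp_to_yeti` can return None both lists need None entries skipped. The enclosing function starts and ends outside this hunk.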
diff --git a/core/schemas/entity.py b/core/schemas/entity.py index 4cc254845..8bee1d23d 100644 --- a/core/schemas/entity.py +++ b/core/schemas/entity.py @@ -25,6 +25,7 @@ class EntityType(str, Enum): vulnerability = "vulnerability" course_of_action = "course-of-action" location = "location" + exploit = "exploit" class Entity(YetiTagModel, database_arango.ArangoYetiConnector): @@ -190,6 +191,17 @@ class Vulnerability(Entity): reference: str = "" +class Exploit(Entity): + _type_filter: ClassVar[str] = EntityType.exploit + type: Literal[EntityType.exploit] = EntityType.exploit + + reference: str = "" + description: str = "" + level: str = "" + platform: str = "" + accessibility: str = "" + + class CourseOfAction(Entity): _type_filter: ClassVar[str] = EntityType.course_of_action type: Literal[EntityType.course_of_action] = EntityType.course_of_action @@ -211,6 +223,7 @@ class CourseOfAction(Entity): EntityType.threat_actor: ThreatActor, EntityType.tool: Tool, EntityType.vulnerability: Vulnerability, + EntityType.exploit: Exploit, } TYPE_VALIDATOR_MAP = {} @@ -249,6 +262,7 @@ def validate_entity(ent: Entity) -> bool: | ThreatActor | Tool | Vulnerability + | Exploit ) @@ -266,4 +280,5 @@ def validate_entity(ent: Entity) -> bool: | Type[ThreatActor] | Type[Tool] | Type[Vulnerability] + | Type[Exploit] ) diff --git a/tests/schemas/entity.py b/tests/schemas/entity.py index 0970281e2..a4e38e66c 100644 --- a/tests/schemas/entity.py +++ b/tests/schemas/entity.py @@ -6,6 +6,7 @@ from core.schemas.entity import ( AttackPattern, Entity, + Exploit, Location, Malware, ThreatActor, 
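Review bot: The new `Exploit` entity declares `level`, `software` and `accessibility` as bare `str = ""` fields with no documentation of what they mean or which values are expected, so nothing constrains what the MISP importer or the API writes into them. A class docstring would help: describe `Exploit` as exploit code tied to a `Vulnerability` (the importer links them with `link_to`), and note that `accessibility` (`"public"` in the test), `level`, `software` and `reference` presumably mirror the MISP exploit object template's attributes of the same name, which should be confirmed against the template. If the vocabulary for `accessibility` and `level` is fixed, a `Literal[...]` or Enum field would let pydantic reject unexpected values at the API boundary the way `EntityType` already does for `type`.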
@@ -142,3 +143,18 @@ def test_location(self): location.set_country_code_by_name(location.name) self.assertEqual(location.name, "France") self.assertEqual(location.country_code, 250) + + def test_exploit(self): + exploit = Exploit(name="Exploit CVE-1337-4242").save() + exploit.accessibility = "public" + exploit.reference = "https://example.com" + exploit.description = "This is a test" + exploit.platform = "Windows" + exploit.level = "high" + exploit = exploit.save() + self.assertEqual(exploit.name, "Exploit CVE-1337-4242") + self.assertEqual(exploit.accessibility, "public") + self.assertEqual(exploit.reference, "https://example.com") + self.assertEqual(exploit.description, "This is a test") + self.assertEqual(exploit.platform, "Windows") + self.assertEqual(exploit.level, "high") From 3305fb79922205c124f2c0449676a53af2b442aa Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 15:32:15 +0100 Subject: [PATCH 59/69] change attr in exploit --- core/schemas/entity.py | 2 +- tests/schemas/entity.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/core/schemas/entity.py b/core/schemas/entity.py index 8bee1d23d..2b29e553a 100644 --- a/core/schemas/entity.py +++ b/core/schemas/entity.py @@ -198,7 +198,7 @@ class Exploit(Entity): reference: str = "" description: str = "" level: str = "" - platform: str = "" + software: str = "" accessibility: str = "" diff --git a/tests/schemas/entity.py b/tests/schemas/entity.py index a4e38e66c..537cb3996 100644 --- a/tests/schemas/entity.py +++ b/tests/schemas/entity.py @@ -156,5 +156,5 @@ def test_exploit(self): self.assertEqual(exploit.accessibility, "public") self.assertEqual(exploit.reference, "https://example.com") self.assertEqual(exploit.description, "This is a test") - self.assertEqual(exploit.platform, "Windows") + self.assertEqual(exploit.software, "Windows") self.assertEqual(exploit.level, "high") From 9c28a69e2d484aa0696df3725c27da772f850ebe Mon Sep 17 00:00:00 2001 
From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 15:32:42 +0100 Subject: [PATCH 60/69] fix tests --- tests/schemas/entity.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/schemas/entity.py b/tests/schemas/entity.py index 537cb3996..07c6e8603 100644 --- a/tests/schemas/entity.py +++ b/tests/schemas/entity.py @@ -149,7 +149,7 @@ def test_exploit(self): exploit.accessibility = "public" exploit.reference = "https://example.com" exploit.description = "This is a test" - exploit.platform = "Windows" + exploit.software = "Windows" exploit.level = "high" exploit = exploit.save() self.assertEqual(exploit.name, "Exploit CVE-1337-4242") From 4f5f11dcc04f1e5a84b611a9e4ea26f3f7d31a6a Mon Sep 17 00:00:00 2001 From: Sebdraven <sebdraven@protonmail.com> Date: Mon, 18 Mar 2024 23:30:26 +0100 Subject: [PATCH 61/69] add exploit poc --- core/common/misp_to_yeti.py | 93 +++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py index e1f34db07..da4f080d8 100644 --- a/core/common/misp_to_yeti.py +++ b/core/common/misp_to_yeti.py 
@@ -903,3 +903,96 @@ def __import_email(self, invest: entity.Investigation, object_email: MISPObject) for email_bcc in list_bbc_emails: for email_to in list_to_emails: email_bcc.link_to(email_to, "sent_to", "email") + + ## to detail the use case + def __import_exploit_poc( + self, invest: entity.Investigation, object_exploit_poc: MISPObject + ): + poc_attr = object_exploit_poc.get_attributes_by_relation("poc") + + def __import_exploit( + self, invest: entity.Investigation, object_exploit: MISPObject + ): + exploit_attr = object_exploit.get_attributes_by_relation("exploit") + filename_attr = object_exploit.get_attributes_by_relation("filename") + exploit_as_attachment = object_exploit.get_attributes_by_relation( + "exploit-as-attachment" + ) + + exploit_obj = None + if exploit_attr: + exploit_obj = entity.Exploit(name=exploit_attr[0]["value"]).save() + for file_attr in filename_attr: + file_obj = observable.file.File(value=filename_attr[0]["value"]).save() + exploit_obj.link_to(file_obj, "exploit", "file") + if exploit_as_attachment: + exploit_as_att_obj = observable.generic_observable.GenericObservable( + value=exploit_as_attachment[0]["value"] + ).save() + exploit_obj.link_to(exploit_as_att_obj, "exploit", "file") + + elif not exploit_obj and filename_attr: + exploit_obj = entity.Exploit(name=filename_attr[0]["value"]).save() + for file_attr in filename_attr[1:]: + file_obj = observable.file.File(value=file_attr["value"]).save() + exploit_obj.link_to(file_obj, "exploit", "file") + if exploit_as_attachment: + exploit_as_att_obj = observable.generic_observable.GenericObservable( + value=exploit_as_attachment[0]["value"] + ).save() + exploit_obj.link_to(exploit_as_att_obj, "exploit", "file") + + elif not exploit_obj and exploit_as_attachment: + exploit_obj = entity.Exploit(name=exploit_as_attachment[0]["value"]) + for file_attr in filename_attr: + file_obj = observable.file.File(value=file_attr["value"]).save() + exploit_obj.link_to(file_obj, "exploit", "file") + + 
description = object_exploit.get_attributes_by_relation("description") + + if description: + exploit_obj.description = description[0]["value"] + + accessibility = object_exploit.get_attributes_by_relation("accessibility") + if accessibility: + exploit_obj.accessibility = accessibility[0]["value"] + + software_attr = object_exploit.get_attributes_by_relation("software") + if software_attr: + exploit_obj.software = software_attr[0]["value"] + + level_attr = object_exploit.get_attributes_by_relation("level") + if level_attr: + exploit_obj.level = level_attr[0]["value"] + + reference_attr = object_exploit.get_attributes_by_relation("reference") + if reference_attr: + exploit_obj.reference = reference_attr[0]["value"] + + cve_id = object_exploit.get_attributes_by_relation("cve-id") + + if cve_id: + vulnerability = entity.Vulnerability(name=cve_id[0]["value"]).save() + exploit_obj.link_to(vulnerability, "exploit", "vulnerability") # type: ignore + + context = {} + + zero_day_today = object_exploit.get_attributes_by_relation("0day-today-id") + if zero_day_today: + context["0day-today-id"] = zero_day_today[0]["value"] + + credit = object_exploit.get_attributes_by_relation("credit") + if credit: + context["credit"] = credit[0]["value"] + + comment = object_exploit.get_attributes_by_relation("comment") + if comment: + context["comment"] = comment[0]["value"] + + exploitdb_id = object_exploit.get_attributes_by_relation("exploitdb-id") + + for index, exploit in enumerate(exploitdb_id): + context[f"exploitdb-id {index}"] = exploit["value"] + title = object_exploit.get_attributes_by_relation("title") + if title: + context["title"] = title[0]["value"] From 11ffefbcbfa80814b4c5cabc91a1304bedbf9515 Mon Sep 17 00:00:00 2001 
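Review bot: In the `exploit_attr` branch the loop `for file_attr in filename_attr:` builds `File(value=filename_attr[0]["value"])`, so every iteration links the first filename and `file_attr` is never used, and in the `exploit_as_attachment` branch `entity.Exploit(name=...)` is never `.save()`d before `link_to` is called on it. When an object carries none of the three attributes `exploit_obj` stays None and `exploit_obj.description = ...` raises AttributeError; the attribute assignments that follow are never persisted because there is no final `exploit_obj.save()`, the `context` dict is built and never attached, and `invest` is never linked, unlike the other importers. `__import_exploit_poc` reads `poc_attr` and does nothing, and neither function is added to `func_by_type` within this hunk, so presumably neither is reachable yet. The rewrite below names the entity from the first attribute present, saves once, links the remaining files, and ends with the persisting save; how `context` is attached depends on whether entities expose `add_context` as observables do.
```python
    def __import_exploit(
        self, invest: entity.Investigation, object_exploit: MISPObject
    ):
        exploit_attr = object_exploit.get_attributes_by_relation("exploit")
        filename_attr = object_exploit.get_attributes_by_relation("filename")
        exploit_as_attachment = object_exploit.get_attributes_by_relation(
            "exploit-as-attachment"
        )

        # Name the entity from the first attribute the object actually carries;
        # skip the object (with a log line) instead of dereferencing None below.
        name_attrs = exploit_attr or filename_attr or exploit_as_attachment
        if not name_attrs:
            logging.info(f"Exploit object {object_exploit} not imported: no name")
            return
        exploit_obj = entity.Exploit(name=name_attrs[0]["value"]).save()
        invest.link_to(
            exploit_obj, "imported_by_misp", f"misp {self.misp_event['Orgc']['name']}"
        )

        for file_attr in filename_attr:
            if file_attr is name_attrs[0]:
                continue  # already used as the entity name
            file_obj = observable.file.File(value=file_attr["value"]).save()
            exploit_obj.link_to(file_obj, "exploit", "file")
        if exploit_as_attachment:
            exploit_as_att_obj = observable.generic_observable.GenericObservable(
                value=exploit_as_attachment[0]["value"]
            ).save()
            exploit_obj.link_to(exploit_as_att_obj, "exploit", "file")

        # … unchanged: description / accessibility / software / level / reference / cve-id …
        # … unchanged: context dict (0day-today-id, credit, comment, exploitdb-id, title) …
        # … context must still be attached to exploit_obj here (see note) …
        exploit_obj.save()
```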
From: Sebastien Larinier <sebdraven@protonmail.com> Date: Wed, 3 Apr 2024 09:24:50 +0200 Subject: [PATCH 62/69] Update misp_event_objects.json --- tests/misp_test_data/misp_event_objects.json | 2459 +++++++++++++++++- 1 file changed, 2458 insertions(+), 1 deletion(-) diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json index 9afb6adf0..3accad98f 100644 --- a/tests/misp_test_data/misp_event_objects.json +++ b/tests/misp_test_data/misp_event_objects.json 
@@ -2261,4 +2261,2461 @@ "EventReport": [], "CryptographicKey": [] } -} \ No newline at end of file +}{ + "Event": { + "id": "114", + "orgc_id": "1", + "org_id": "1", + "date": "2024-03-01", + "threat_level_id": "1", + "info": "test for yeti", + "published": false, + "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", + "attribute_count": "95", + "analysis": "0", + "timestamp": "1711099001", + "distribution": "1", + "proposal_email_lock": false, + "locked": false, + "publish_timestamp": "0", + "sharing_group_id": "0", + "disable_correlation": false, + "extends_uuid": "", + "protected": null, + "event_creator_email": "sebdraven@protonmail.com", + "Org": { + "id": "1", + "name": "SCTIF", + "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d", + "local": true + }, + "Orgc": { + "id": "1", + "name": "SCTIF", + "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d", + "local": true + }, + "Attribute": [], + "ShadowAttribute": [], + "RelatedEvent": [ + { + "Event": { + "id": "93", + "date": "2023-12-06", + "threat_level_id": "1", + "info": "Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers", + "published": false, + "uuid": "c9bc99a4-9207-4123-ac75-d02fd88a8138", + "analysis": "0", + "timestamp": "1701867257", + "distribution": "1", + "org_id": "1", + "orgc_id": "1", + "Org": { + "id": "1", + "name": "SCTIF", + "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d" + }, + "Orgc": { + "id": "1", + "name": "SCTIF", + "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d" + } + } + } + ], + "Galaxy": [ + { + "id": "7", + "uuid": "c4e851fa-775f-11e7-8163-b774922098cd", + "name": "Attack Pattern", + "type": "mitre-attack-pattern", + "description": "ATT&CK Tactic", + "version": "9", + "icon": "map", + "namespace": "mitre-attack", + "enabled": true, + "local_only": false, + "kill_chain_order": { + "mitre-attack": [ + "reconnaissance", + "resource-development", + "initial-access", + "execution", + "persistence", + "privilege-escalation", + "defense-evasion", + 
"credential-access", + "discovery", + "lateral-movement", + "collection", + "command-and-control", + "exfiltration", + "impact" + ], + "mitre-mobile-attack": [ + "initial-access", + "execution", + "persistence", + "privilege-escalation", + "defense-evasion", + "credential-access", + "discovery", + "lateral-movement", + "collection", + "command-and-control", + "exfiltration", + "impact", + "network-effects", + "remote-service-effects" + ], + "mitre-pre-attack": [ + "priority-definition-planning", + "priority-definition-direction", + "target-selection", + "technical-information-gathering", + "people-information-gathering", + "organizational-information-gathering", + "technical-weakness-identification", + "people-weakness-identification", + "organizational-weakness-identification", + "adversary-opsec", + "establish-&-maintain-infrastructure", + "persona-development", + "build-capabilities", + "test-capabilities", + "stage-capabilities" + ] + }, + "GalaxyCluster": [ + { + "id": "47089", + "uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "collection_uuid": "dcb864dc-775f-11e7-9fbb-1f41b4996683", + "type": "mitre-attack-pattern", + "value": "Application Shimming - T1138", + "tag_name": "misp-galaxy:mitre-attack-pattern=\"Application Shimming - T1138\"", + "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. 
When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* <code>%WINDIR%\\AppPatch\\sysmain.sdb</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb</code>\n\nCustom databases are stored in:\n\n* <code>%WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom</code>\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). 
Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.", + "galaxy_id": "7", + "source": "https://github.com/mitre/cti", + "authors": [ + "MITRE" + ], + "version": "27", + "distribution": "3", + "sharing_group_id": null, + "org_id": "0", + "orgc_id": "0", + "default": true, + "locked": false, + "extends_uuid": "", + "extends_version": "0", + "published": false, + "deleted": false, + "GalaxyClusterRelation": [ + { + "id": "40367", + "galaxy_cluster_id": "47089", + "referenced_galaxy_cluster_id": "46984", + "referenced_galaxy_cluster_uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "referenced_galaxy_cluster_type": "revoked-by", + "galaxy_cluster_uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "distribution": "3", + "sharing_group_id": null, + "default": true + } + ], + "Org": { + "id": "0", + "name": "MISP", + "date_created": "", + "date_modified": "", + "description": "Automatically generated MISP organisation", + "type": "", + "nationality": "Not specified", + "sector": "", + "created_by": "0", + "uuid": "0", + "contacts": "", + "local": true, + "restricted_to_domain": [], + "landingpage": null + }, + "Orgc": { + "id": "0", + "name": "MISP", + "date_created": "", + "date_modified": "", + "description": "Automatically generated MISP organisation", + "type": "", + "nationality": "Not specified", + "sector": "", + "created_by": "0", + "uuid": "0", + "contacts": "", + "local": true, + "restricted_to_domain": [], + "landingpage": null + }, + "meta": { + "external_id": [ + "T1138" + ], + "kill_chain": [ + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1138", + 
"https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf", + "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + ] + }, + "tag_id": 449, + "event_tag_id": "204", + "local": false, + "relationship_type": false + } + ] + } + ], + "Object": [ + { + "id": "1035", + "name": "c2-list", + "meta-category": "network", + "description": "List of C2-servers with common ground, e.g. extracted from a blog post or ransomware analysis", + "template_uuid": "12456351-ceb7-4d43-9a7e-d2275d8b5785", + "template_version": "20230919", + "event_id": "114", + "uuid": "4017d4cc-284e-480e-9dc8-921dfc25f457", + "timestamp": "1709310117", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10620", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "7f017b41-13ba-4240-a449-3e6840739c26", + "event_id": "114", + "distribution": "5", + "timestamp": "1709308752", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1035", + "object_relation": "c2-ip", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10621", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "685a7a39-422c-4b70-a979-251c341d39e4", + "event_id": "114", + "distribution": "5", + "timestamp": "1709308752", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1035", + "object_relation": "c2-ip", + "first_seen": null, + "last_seen": null, + "value": "2.2.2.2", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10622", + "type": "text", + "category": "Attribution", + "to_ids": false, + "uuid": 
"b565cdc8-2bbc-4299-9f48-246aebf9172a", + "event_id": "114", + "distribution": "5", + "timestamp": "1709308752", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1035", + "object_relation": "threat", + "first_seen": null, + "last_seen": null, + "value": "malware mechant", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10623", + "type": "ip-src|port", + "category": "Network activity", + "to_ids": true, + "uuid": "26a7ae6b-1a22-4331-8640-cbc90e5787d3", + "event_id": "114", + "distribution": "5", + "timestamp": "1709310117", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1035", + "object_relation": "c2-ipport", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1|8888", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1036", + "name": "btc-wallet", + "meta-category": "financial", + "description": "An object to describe a Bitcoin wallet. 
Best to be used with btc-transaction object.", + "template_uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4", + "template_version": "3", + "event_id": "114", + "uuid": "bd116941-502f-45b3-ac21-2d70d0c9a907", + "timestamp": "1709661209", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": "2024-03-03T00:00:00.000000+00:00", + "last_seen": "2024-03-13T00:00:00.000000+00:00", + "ObjectReference": [], + "Attribute": [ + { + "id": "10624", + "type": "btc", + "category": "Financial fraud", + "to_ids": true, + "uuid": "49e5c32d-901c-404e-b80f-7a240be96ade", + "event_id": "114", + "distribution": "5", + "timestamp": "1709656629", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1036", + "object_relation": "wallet-address", + "first_seen": "2024-03-03T00:00:00.000000+00:00", + "last_seen": "2024-03-13T00:00:00.000000+00:00", + "value": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10625", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "fe6eac0d-2f7d-4642-bb71-7520e992b5ea", + "event_id": "114", + "distribution": "5", + "timestamp": "1709661209", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1036", + "object_relation": "BTC_received", + "first_seen": "2024-03-03T00:00:00.000000+00:00", + "last_seen": "2024-03-13T00:00:00.000000+00:00", + "value": "0.5", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10626", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "33c7998b-16f5-41c1-ace4-b5ae8b1b618c", + "event_id": "114", + "distribution": "5", + "timestamp": "1709661209", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1036", + "object_relation": "BTC_sent", + "first_seen": "2024-03-03T00:00:00.000000+00:00", + "last_seen": 
"2024-03-13T00:00:00.000000+00:00", + "value": "0.8", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10627", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "9232f198-c0fd-48f5-9391-4d26a18bff2f", + "event_id": "114", + "distribution": "5", + "timestamp": "1709661209", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1036", + "object_relation": "balance_BTC", + "first_seen": "2024-03-03T00:00:00.000000+00:00", + "last_seen": "2024-03-13T00:00:00.000000+00:00", + "value": "1", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1037", + "name": "av-signature", + "meta-category": "misc", + "description": "Antivirus detection signature", + "template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e", + "template_version": "1", + "event_id": "114", + "uuid": "2f2e5dea-0c4b-4e41-a15b-d428e3d841a3", + "timestamp": "1709663597", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10628", + "type": "text", + "category": "Antivirus detection", + "to_ids": false, + "uuid": "98143267-5fe9-48c2-8519-584a4c659034", + "event_id": "114", + "distribution": "5", + "timestamp": "1709663597", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1037", + "object_relation": "signature", + "first_seen": null, + "last_seen": null, + "value": "malware_1872727", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10629", + "type": "text", + "category": "Antivirus detection", + "to_ids": false, + "uuid": "6bc5cba5-4484-499a-9e05-8f37fa671bde", + "event_id": "114", + "distribution": "5", + "timestamp": "1709663597", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1037", + "object_relation": "software", + "first_seen": null, + 
"last_seen": null, + "value": "Windows", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10630", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "a9c73a38-0f92-40ad-81fc-3f26bd4055b3", + "event_id": "114", + "distribution": "5", + "timestamp": "1709663597", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1037", + "object_relation": "text", + "first_seen": null, + "last_seen": null, + "value": "Vilain malware", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1038", + "name": "command-line", + "meta-category": "misc", + "description": "Command line and options related to a specific command executed by a program, whether it is malicious or not.", + "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", + "template_version": "1", + "event_id": "114", + "uuid": "06486300-27ed-47d6-94fd-b26261e68e6a", + "timestamp": "1709718740", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10631", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "e5603d5f-c32f-4609-99af-6863868c47ab", + "event_id": "114", + "distribution": "5", + "timestamp": "1709718740", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1038", + "object_relation": "description", + "first_seen": null, + "last_seen": null, + "value": "mechant malware", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10632", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "7a9ac133-1592-4b50-bc52-d99d74184081", + "event_id": "114", + "distribution": "5", + "timestamp": "1709718740", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1038", + "object_relation": "value", + "first_seen": null, + "last_seen": null, + 
"value": "cmd.exe --mechant malware", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1039", + "name": "cookie", + "meta-category": "network", + "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser \u2014 keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.", + "template_uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8", + "template_version": "6", + "event_id": "114", + "uuid": "449d6cd4-39cb-4cd5-96e2-655963900f87", + "timestamp": "1709720828", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10633", + "type": "cookie", + "category": "Network activity", + "to_ids": false, + "uuid": "3f74b060-02a8-49b3-b0bc-61596f787aca", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "cookie", + "first_seen": null, + "last_seen": null, + "value": "MTA3NTg1NTM5Mg==", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10634", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "a865fa81-627e-4cea-a3f2-72fc2a51b266", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "cookie-name", + "first_seen": null, + "last_seen": null, + "value": "MTA3NTg1NTM5Mg==", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10635", + "type": "text", + "category": "Other", + "to_ids": 
false, + "uuid": "35f5eeb1-e7dd-420f-acaf-f9620d5ae29e", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "cookie-value", + "first_seen": null, + "last_seen": null, + "value": "MTA3NTg1NTM5Mg==", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10636", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "b29d314d-81ba-4123-8887-c5fa3497c65b", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1039", + "object_relation": "expires", + "first_seen": null, + "last_seen": null, + "value": "2024-06-03T00:00:00.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10637", + "type": "boolean", + "category": "Other", + "to_ids": false, + "uuid": "e38c81cd-2333-4203-ba20-e00ac387992f", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "http-only", + "first_seen": null, + "last_seen": null, + "value": "1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10638", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "0e2153cb-5374-4e6b-9aa1-511f1778f947", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1039", + "object_relation": "path", + "first_seen": null, + "last_seen": null, + "value": "/test/path", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10639", + "type": "boolean", + "category": "Other", + "to_ids": false, + "uuid": "1a7394be-e699-4bd4-9f60-2e1fb1e8841b", + "event_id": "114", + "distribution": 
"5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1039", + "object_relation": "secure", + "first_seen": null, + "last_seen": null, + "value": "1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10640", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "55740096-fa6e-4221-a3ef-ca4fad63e378", + "event_id": "114", + "distribution": "5", + "timestamp": "1709720828", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1039", + "object_relation": "text", + "first_seen": null, + "last_seen": null, + "value": "Chinoxy Cookie", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1040", + "name": "crowdsec-ip-context", + "meta-category": "network", + "description": "CrowdSec Threat Intelligence - IP CTI search", + "template_uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f", + "template_version": "3", + "event_id": "114", + "uuid": "8d7293ee-6840-4bb4-ad28-b9ac8280d4e8", + "timestamp": "1709808045", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10641", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "d37e69f4-c220-4720-9e80-4c24299ff818", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "trust", + "first_seen": null, + "last_seen": null, + "value": "1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10642", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "8b13f982-eaf4-4cf7-8e8b-207e89453ecb", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + 
"deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "ip", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10643", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "40a0d8b2-c1c2-452d-b9df-c026006d7cda", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "scores", + "first_seen": null, + "last_seen": null, + "value": "10", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10644", + "type": "hostname", + "category": "Network activity", + "to_ids": true, + "uuid": "9f60442b-8584-453f-b008-53c4e806db89", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "reverse-dns", + "first_seen": null, + "last_seen": null, + "value": "toto.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10645", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "5c8fce70-084b-492f-bd94-988472deba62", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "longitude", + "first_seen": null, + "last_seen": null, + "value": "1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10646", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "d489b90e-5263-41c0-baaa-4ed4e62ec55d", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "latitude", + "first_seen": null, + 
"last_seen": null, + "value": "1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10647", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "36f12ed5-0a3e-4599-bdbb-276d49a77924", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "ip-range", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.0/24", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10648", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "942491a7-5f67-41e6-831b-bd1c5f69172d", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "false-positives", + "first_seen": null, + "last_seen": null, + "value": "NO", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10649", + "type": "port", + "category": "Network activity", + "to_ids": false, + "uuid": "a857a881-0538-4672-9fab-11257f93e034", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "dst-port", + "first_seen": null, + "last_seen": null, + "value": "80", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10650", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "5a9ce51c-ab14-4fa3-8675-fe7050a6f858", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "country", + "first_seen": null, + "last_seen": null, + "value": "France", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10651", + "type": 
"text", + "category": "Other", + "to_ids": false, + "uuid": "1ee369e6-aa0d-45fc-a371-8d65f5bc0c02", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "classifications", + "first_seen": null, + "last_seen": null, + "value": "Malicious", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10652", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "ab28a6ee-8a07-419e-9c35-2fe0d6949e6c", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "city", + "first_seen": null, + "last_seen": null, + "value": "Paris", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10653", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "27312d85-8a27-458b-be82-36458f71b63a", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "behaviors", + "first_seen": null, + "last_seen": null, + "value": "Scan", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10654", + "type": "float", + "category": "Other", + "to_ids": false, + "uuid": "f5817800-c09c-44e6-ba29-766d6f373369", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1040", + "object_relation": "background-noise", + "first_seen": null, + "last_seen": null, + "value": "1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10655", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "2783d137-941d-4cc1-a704-fc3b18699814", + "event_id": "114", + 
"distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "attack-details", + "first_seen": null, + "last_seen": null, + "value": "Scan", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10656", + "type": "AS", + "category": "Network activity", + "to_ids": false, + "uuid": "fa2f5ede-b5f0-4865-a0e0-fa96ee150c99", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "as-num", + "first_seen": null, + "last_seen": null, + "value": "1234", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10657", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "55dd1fa8-5a4d-4bc5-a500-22309718d9be", + "event_id": "114", + "distribution": "5", + "timestamp": "1709807688", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "country-code", + "first_seen": null, + "last_seen": null, + "value": "FR", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10658", + "type": "AS", + "category": "Network activity", + "to_ids": false, + "uuid": "b98acf92-8236-4e0e-b0f3-563be4708786", + "event_id": "114", + "distribution": "5", + "timestamp": "1709808045", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1040", + "object_relation": "as-name", + "first_seen": null, + "last_seen": null, + "value": "1234", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1041", + "name": "cs-beacon-config", + "meta-category": "file", + "description": "Cobalt Strike Beacon Config", + "template_uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54", + "template_version": "3", + "event_id": "114", + "uuid": 
"9b822b13-01b2-4ea8-bdc5-43ddf783daba", + "timestamp": "1709826473", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10659", + "type": "url", + "category": "Network activity", + "to_ids": true, + "uuid": "fd5e7d03-fef1-4022-a631-46f0b935747b", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "c2", + "first_seen": null, + "last_seen": null, + "value": "https://url.cs", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10660", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "57e19849-9f2b-4ebd-af85-e060a569ee25", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "ip", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10661", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "d1df1e8e-4741-426c-8113-d5dd8446592f", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "license-id", + "first_seen": null, + "last_seen": null, + "value": "1234567890", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10662", + "type": "md5", + "category": "Payload delivery", + "to_ids": true, + "uuid": "c7ee8e7b-4ff4-41ad-ab4b-472d63cc6d41", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + 
"object_relation": "md5", + "first_seen": null, + "last_seen": null, + "value": "bc67462c4ee665dc75b59b41aa2855f2", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10663", + "type": "sha1", + "category": "Payload delivery", + "to_ids": true, + "uuid": "4286581d-c3e5-4a6e-9652-cb1f6bf90de3", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "sha1", + "first_seen": null, + "last_seen": null, + "value": "5a8584501da14a7830e2227dde846ec67ac7f64c", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10664", + "type": "sha256", + "category": "Payload delivery", + "to_ids": true, + "uuid": "c0fcfd8c-5c21-4c51-9944-0a3f88e1daa8", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "sha256", + "first_seen": null, + "last_seen": null, + "value": "32a0000b5dc0de6b7e55b661ef220e166007392b90ada97dd4ad3ef0bb265615", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10665", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "200187be-c799-4e09-9e68-6f3d00b18913", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1041", + "object_relation": "city", + "first_seen": null, + "last_seen": null, + "value": "Paris", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10666", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "944e171f-2a18-4c62-9736-eb680d91dffe", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1041", + 
"object_relation": "geo", + "first_seen": null, + "last_seen": null, + "value": "France", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10667", + "type": "md5", + "category": "External analysis", + "to_ids": true, + "uuid": "26c806fc-ea00-488b-85db-177b597da8f8", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "jar-md5", + "first_seen": null, + "last_seen": null, + "value": "bc67462c4ee665dc75b59b41aa2855f2", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10668", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "0ef44b85-39f5-47c3-9ca1-9f82a1201e2c", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1041", + "object_relation": "sector", + "first_seen": null, + "last_seen": null, + "value": "Education", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10669", + "type": "sha256", + "category": "External analysis", + "to_ids": true, + "uuid": "9e47882d-0819-4475-a1ce-1500c6ec87e3", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "vt-sha256", + "first_seen": null, + "last_seen": null, + "value": "32a0000b5dc0de6b7e55b661ef220e166007392b90ada97dd4ad3ef0bb265615", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10670", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "f52a2602-ec55-4fc0-a4a1-387f01881dd2", + "event_id": "114", + "distribution": "5", + "timestamp": "1709826473", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1041", + "object_relation": "watermark", + 
"first_seen": null, + "last_seen": null, + "value": "ZERTYUIOPLKJH", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1042", + "name": "domain-ip", + "meta-category": "network", + "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", + "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", + "template_version": "11", + "event_id": "114", + "uuid": "896cdc82-64d5-4334-bc9c-31aa85dc55d1", + "timestamp": "1709911414", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10671", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "62705eaa-b158-4bed-bdef-a25e11c07f12", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1042", + "object_relation": "domain", + "first_seen": null, + "last_seen": null, + "value": "google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10672", + "type": "hostname", + "category": "Network activity", + "to_ids": true, + "uuid": "48fbc23b-85cc-485d-90e3-00fcbf63a8a6", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1042", + "object_relation": "hostname", + "first_seen": null, + "last_seen": null, + "value": "dns.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10673", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "6df0bd65-edc7-4a40-a2d9-54ae6aa35fdf", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1042", + "object_relation": "ip", + "first_seen": null, 
+ "last_seen": null, + "value": "8.8.8.8", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10674", + "type": "port", + "category": "Network activity", + "to_ids": false, + "uuid": "878a65e8-f870-484a-9fb1-36cb484707d8", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1042", + "object_relation": "port", + "first_seen": null, + "last_seen": null, + "value": "53", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10675", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "6e939061-b00c-410e-82d8-295fb5f1b9db", + "event_id": "114", + "distribution": "5", + "timestamp": "1709911415", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1042", + "object_relation": "text", + "first_seen": null, + "last_seen": null, + "value": "dns google", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1043", + "name": "dns-record", + "meta-category": "network", + "description": "A set of DNS records observed for a specific domain.", + "template_uuid": "f023c8f0-81ab-41f3-9f5d-fa597a34a9b9", + "template_version": "2", + "event_id": "114", + "uuid": "17f7b3f3-640f-403f-8e02-533157a9dd74", + "timestamp": "1709914685", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10676", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "d969a4ce-1ea5-44d4-808f-5178a3acca24", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "a-record", + "first_seen": null, + "last_seen": null, + "value": "8.8.8.8", + "Galaxy": [], + 
"ShadowAttribute": [] + }, + { + "id": "10677", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "978fa705-0408-49c2-8b29-a6c3e3fad348", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "aaaa-record", + "first_seen": null, + "last_seen": null, + "value": "fe80::dc23:da6a:903a:199a", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10678", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "37221d25-317c-4e16-a051-a74420183def", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "cname-record", + "first_seen": null, + "last_seen": null, + "value": "cname.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10679", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "87dc197d-778c-4dae-9f8c-a6c8620e0a4b", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "mx-record", + "first_seen": null, + "last_seen": null, + "value": "mx.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10680", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "9bfd69fd-65ae-46da-8658-6707a4c61a73", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "ns-record", + "first_seen": null, + "last_seen": null, + "value": "ns.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": 
"10681", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "6a65f02b-aa44-4ede-9bb6-2c4627d4683d", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "ptr-record", + "first_seen": null, + "last_seen": null, + "value": "ptr.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10682", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "5dc15655-ef0c-4ecf-93fe-4907229dde2d", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "queried-domain", + "first_seen": null, + "last_seen": null, + "value": "google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10683", + "type": "domain", + "category": "Network activity", + "to_ids": true, + "uuid": "90ec68a2-bc84-42dd-998d-a531193c4f6b", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "soa-record", + "first_seen": null, + "last_seen": null, + "value": "soa.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10684", + "type": "ip-dst", + "category": "Network activity", + "to_ids": true, + "uuid": "aee5db87-93bc-4ab9-aae2-dccf8030b025", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "spf-record", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10685", + "type": "domain", + "category": "Network 
activity", + "to_ids": true, + "uuid": "d0d4ecfe-df45-4800-8e2b-8a846c797633", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "srv-record", + "first_seen": null, + "last_seen": null, + "value": "svr.google.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10686", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "7e4f909f-76fa-4b88-8dca-350cc19d4ddc", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "text", + "first_seen": null, + "last_seen": null, + "value": "test google", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10687", + "type": "text", + "category": "Network activity", + "to_ids": false, + "uuid": "b5c51e3c-21a6-4a0e-8ca4-9f11d2c24105", + "event_id": "114", + "distribution": "5", + "timestamp": "1709914685", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1043", + "object_relation": "txt-record", + "first_seen": null, + "last_seen": null, + "value": "maliciouuuuuuuus", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1044", + "name": "directory", + "meta-category": "file", + "description": "Directory object describing a directory with meta-information", + "template_uuid": "23ac6a02-1017-4ea6-a4df-148ed563988d", + "template_version": "1", + "event_id": "114", + "uuid": "ec79de9c-f711-4883-ac62-e2a46637a0fd", + "timestamp": "1710167623", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10688", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": 
"125fb030-6e34-439c-a335-eb894b315fb1", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1044", + "object_relation": "path", + "first_seen": null, + "last_seen": null, + "value": "/var/lib/mechant", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10689", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "8db2f816-950d-4848-bc63-8ee5cda387c1", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1044", + "object_relation": "access-time", + "first_seen": null, + "last_seen": null, + "value": "2024-03-11T14:32:39.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10690", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "1e757cae-d0b0-478f-96ab-058b8a75e82d", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1044", + "object_relation": "creation-time", + "first_seen": null, + "last_seen": null, + "value": "2024-03-11T14:32:39.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10691", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "769bcd9e-738c-4c8b-92a1-c48ade6009a3", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1044", + "object_relation": "modification-time", + "first_seen": null, + "last_seen": null, + "value": "2024-03-11T14:32:39.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10692", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": 
"9f98c812-a9c2-4b49-b139-ef301037138b", + "event_id": "114", + "distribution": "5", + "timestamp": "1710167623", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1044", + "object_relation": "path-encoding", + "first_seen": null, + "last_seen": null, + "value": "BRF", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + }, + { + "id": "1045", + "name": "email", + "meta-category": "network", + "description": "Email object describing an email with meta-information", + "template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", + "template_version": "19", + "event_id": "114", + "uuid": "811b697d-e19d-4fe1-a396-1967c1c6f388", + "timestamp": "1710766708", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "first_seen": null, + "last_seen": null, + "ObjectReference": [], + "Attribute": [ + { + "id": "10694", + "type": "email-dst-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "af3a24c5-25d8-4696-9752-194ba8c64f9e", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "reply-to-display-name", + "first_seen": null, + "last_seen": null, + "value": "replay-test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10695", + "type": "email-reply-to", + "category": "Payload delivery", + "to_ids": false, + "uuid": "655d763a-9512-4fa3-8ec3-6dced7de19f6", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "reply-to", + "first_seen": null, + "last_seen": null, + "value": "reply@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10696", + "type": "email-subject", + "category": "Payload delivery", + "to_ids": false, + 
"uuid": "54df3237-4668-4659-be80-c1473e8d2233", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "subject", + "first_seen": null, + "last_seen": null, + "value": "subject test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10697", + "type": "email-dst", + "category": "Payload delivery", + "to_ids": true, + "uuid": "4b772548-d324-4f14-8ffa-76350deb37a8", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "bcc", + "first_seen": null, + "last_seen": null, + "value": "bbc@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10698", + "type": "email-dst", + "category": "Payload delivery", + "to_ids": true, + "uuid": "269ee214-63f1-4ffb-8c11-6a74a8ffb18e", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "to", + "first_seen": null, + "last_seen": null, + "value": "to@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10699", + "type": "email-dst-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "2cd432b5-7326-414f-8cd4-55b4d3efdd62", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "to-display-name", + "first_seen": null, + "last_seen": null, + "value": "to-display-test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10700", + "type": "domain", + "category": "Payload delivery", + "to_ids": true, + "uuid": "7580354c-82e4-4613-a2f0-04c35f032e54", + 
"event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "from-domain", + "first_seen": null, + "last_seen": null, + "value": "from.test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10701", + "type": "email-src-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "9f5d7efc-c73b-42f0-9d76-bb2136398c32", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "from-display-name", + "first_seen": null, + "last_seen": null, + "value": "from-display-test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10702", + "type": "email-src", + "category": "Payload delivery", + "to_ids": true, + "uuid": "d927fddc-884d-4d2d-81b6-eb9a6a8c406d", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "from", + "first_seen": null, + "last_seen": null, + "value": "from@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10703", + "type": "email-body", + "category": "Payload delivery", + "to_ids": false, + "uuid": "0fba1948-13a1-4001-8ab3-d001af7aef9e", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "email-body", + "first_seen": null, + "last_seen": null, + "value": "blablablaba", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10704", + "type": "email-dst-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "40589ccd-a3cb-4a3e-a90e-adf53e10c9f1", + 
"event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "cc-display-name", + "first_seen": null, + "last_seen": null, + "value": "cc-display-test", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10705", + "type": "email-dst", + "category": "Payload delivery", + "to_ids": true, + "uuid": "bc79c5fe-2a44-496c-8e4b-d2d368a30947", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "cc", + "first_seen": null, + "last_seen": null, + "value": "cc@test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10706", + "type": "email-dst-display-name", + "category": "Payload delivery", + "to_ids": false, + "uuid": "f1135dd9-5a0b-402b-802f-b2089b7c0014", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "bcc-display-name", + "first_seen": null, + "last_seen": null, + "value": "bcc-display-name", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10707", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "fa53a562-feb8-4d24-ad41-e2289d8cb238", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "user-agent", + "first_seen": null, + "last_seen": null, + "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10708", + "type": "email-thread-index", + "category": "Payload delivery", 
+ "to_ids": false, + "uuid": "c4e5f653-77a5-421a-acb6-532d6c054d1b", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "thread-index", + "first_seen": null, + "last_seen": null, + "value": "1235", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10709", + "type": "datetime", + "category": "Other", + "to_ids": false, + "uuid": "72a78538-3663-4420-bbf5-7cdd17fdc13f", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "send-date", + "first_seen": null, + "last_seen": null, + "value": "2024-03-18T00:00:00.000000+0000", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10710", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "8dc24960-2f20-4970-9732-f4216fad2328", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "received-header-ip", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10711", + "type": "hostname", + "category": "Network activity", + "to_ids": true, + "uuid": "36ac2aa4-6b14-41ec-bbf6-4626839e734d", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "received-header-hostname", + "first_seen": null, + "last_seen": null, + "value": "received.test.com", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10712", + "type": "email-message-id", + "category": "Payload delivery", + "to_ids": false, + 
"uuid": "b2b8e0b3-7050-4371-a218-d00b6aad4d26", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "message-id", + "first_seen": null, + "last_seen": null, + "value": "1235", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10713", + "type": "ip-src", + "category": "Network activity", + "to_ids": true, + "uuid": "cf825b17-9c0c-4e4d-ac22-a47fdec5d79b", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "ip-src", + "first_seen": null, + "last_seen": null, + "value": "1.1.1.1", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10714", + "type": "email-header", + "category": "Payload delivery", + "to_ids": false, + "uuid": "209dbd9b-0bb9-408c-9850-a1f5a721cdc5", + "event_id": "114", + "distribution": "5", + "timestamp": "1710748448", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "1045", + "object_relation": "header", + "first_seen": null, + "last_seen": null, + "value": "test header", + "Galaxy": [], + "ShadowAttribute": [] + }, + { + "id": "10715", + "type": "email-attachment", + "category": "Payload delivery", + "to_ids": true, + "uuid": "f9dc2ffe-4176-4482-9f7c-fb31b5655a24", + "event_id": "114", + "distribution": "5", + "timestamp": "1710766708", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "1045", + "object_relation": "attachment", + "first_seen": null, + "last_seen": null, + "value": "1235478", + "Galaxy": [], + "ShadowAttribute": [] + } + ] + } + ], + "EventReport": [], + "CryptographicKey": [], + "Tag": [ + { + "id": "449", + "name": "misp-galaxy:mitre-attack-pattern=\"Application Shimming - 
T1138\"", + "colour": "#0088cc", + "exportable": true, + "user_id": "0", + "hide_tag": false, + "numerical_value": null, + "is_galaxy": true, + "is_custom_galaxy": false, + "local_only": false, + "local": 0, + "relationship_type": null + } + ] + } +} From d8a9b7f78eaa447b77b0ec8117aa3f1ed9c57bde Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Wed, 3 Apr 2024 09:53:30 +0200 Subject: [PATCH 63/69] Update poetry.lock --- poetry.lock | 268 ++++++++++++++++++++++++++-------------------------- 1 file changed, 135 insertions(+), 133 deletions(-) diff --git a/poetry.lock b/poetry.lock index 47e24c0b3..a68ac31d3 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,14 +1,14 @@ -# This file is automatically @generated by Poetry 1.8.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand. [[package]] name = "altair" -version = "5.2.0" +version = "5.3.0" description = "Vega-Altair: A declarative statistical visualization library for Python." optional = false python-versions = ">=3.8" files = [ - {file = "altair-5.2.0-py3-none-any.whl", hash = "sha256:8c4888ad11db7c39f3f17aa7f4ea985775da389d79ac30a6c22856ab238df399"}, - {file = "altair-5.2.0.tar.gz", hash = "sha256:2ad7f0c8010ebbc46319cc30febfb8e59ccf84969a201541c207bc3a4fa6cf81"}, + {file = "altair-5.3.0-py3-none-any.whl", hash = "sha256:7084a1dab4d83c5e7e5246b92dc1b4451a6c68fd057f3716ee9d315c8980e59a"}, + {file = "altair-5.3.0.tar.gz", hash = "sha256:5a268b1a0983b23d8f9129f819f956174aa7aea2719ed55a52eba9979b9f6675"}, ] [package.dependencies] 
@@ -21,7 +21,8 @@ toolz = "*" typing-extensions = {version = ">=4.0.1", markers = "python_version < \"3.11\""} [package.extras] -dev = ["anywidget", "geopandas", "hatch", "ipython", "m2r", "mypy", "pandas-stubs", "pyarrow (>=11)", "pytest", "pytest-cov", "ruff (>=0.1.3)", "types-jsonschema", "types-setuptools", "vega-datasets", "vegafusion[embed] (>=1.4.0)", "vl-convert-python (>=1.1.0)"] +all = ["altair-tiles (>=0.3.0)", "anywidget (>=0.9.0)", "pyarrow (>=11)", "vega-datasets (>=0.9.0)", "vegafusion[embed] (>=1.6.6)", "vl-convert-python (>=1.3.0)"] +dev = ["geopandas", "hatch", "ipython", "m2r", "mypy", "pandas-stubs", "pytest", "pytest-cov", "ruff (>=0.3.0)", "types-jsonschema", "types-setuptools"] doc = ["docutils", "jinja2", "myst-parser", "numpydoc", "pillow (>=9,<10)", "pydata-sphinx-theme (>=0.14.1)", "scipy", "sphinx", "sphinx-copybutton", "sphinx-design", "sphinxext-altair"] [[package]] @@ -73,13 +74,13 @@ trio = ["trio (>=0.23)"] [[package]] name = "argcomplete" -version = "3.2.2" +version = "3.2.3" description = "Bash tab completion for argparse" optional = false python-versions = ">=3.8" files = [ - {file = "argcomplete-3.2.2-py3-none-any.whl", hash = "sha256:e44f4e7985883ab3e73a103ef0acd27299dbfe2dfed00142c35d4ddd3005901d"}, - {file = "argcomplete-3.2.2.tar.gz", hash = "sha256:f3e49e8ea59b4026ee29548e24488af46e30c9de57d48638e24f54a1ea1000a2"}, + {file = "argcomplete-3.2.3-py3-none-any.whl", hash = "sha256:c12355e0494c76a2a7b73e3a59b09024ca0ba1e279fb9ed6c1b82d5b74b6a70c"}, + {file = "argcomplete-3.2.3.tar.gz", hash = "sha256:bf7900329262e481be5a15f56f19736b376df6f82ed27576fa893652c5de6c23"}, ] [package.extras] @@ -87,7 +88,7 @@ test = ["coverage", "mypy", "pexpect", "ruff", "wheel"] [[package]] name = "artifacts" -version = "20240303" +version = "20240401" description = "ForensicArtifacts.com Artifact Repository." optional = false python-versions = ">=3.8" 
@@ -98,7 +99,7 @@ develop = false type = "git" url = "https://github.com/forensicartifacts/artifacts.git" reference = "main" -resolved_reference = "b2757454ff039b525a1e98a4e09c421fb634b43a" +resolved_reference = "be86a49309750fd000ea2433be8d2d7128fd58c8" [[package]] name = "astroid" @@ -314,13 +315,13 @@ zstd = ["zstandard (==0.22.0)"] [[package]] name = "censys" -version = "2.2.11" +version = "2.2.12" description = "An easy-to-use and lightweight API wrapper for Censys APIs (censys.io)." optional = false -python-versions = ">=3.8,<4.0" +python-versions = "<4.0,>=3.8" files = [ - {file = "censys-2.2.11-py3-none-any.whl", hash = "sha256:5f924e8fd46bda1f6fd4ce9ff60e24857657c1a33bbcfd903fe6a73147d1ab0e"}, - {file = "censys-2.2.11.tar.gz", hash = "sha256:d4e161e3085800c0f9b6ff6cc035a7727ff525135cdde62ff01e32eb371c5773"}, + {file = "censys-2.2.12-py3-none-any.whl", hash = "sha256:ef1b27c915c021ad1f1e492b0deb169b119e88eb3a48fc115d1e20912bc6d932"}, + {file = "censys-2.2.12.tar.gz", hash = "sha256:da75c2e37f064b9ffd579650217cb8d3f129048949f997acee31a0cb34b6e0dd"}, ] [package.dependencies] @@ -520,13 +521,13 @@ colorama = {version = "*", markers = "platform_system == \"Windows\""} [[package]] name = "click-didyoumean" -version = "0.3.0" +version = "0.3.1" description = "Enables git-like *did-you-mean* feature in click" optional = false -python-versions = ">=3.6.2,<4.0.0" +python-versions = ">=3.6.2" files = [ - {file = "click-didyoumean-0.3.0.tar.gz", hash = "sha256:f184f0d851d96b6d29297354ed981b7dd71df7ff500d82fa6d11f0856bee8035"}, - {file = "click_didyoumean-0.3.0-py3-none-any.whl", hash = "sha256:a0713dc7a1de3f06bc0df5a9567ad19ead2d3d5689b434768a6145bff77c0667"}, + {file = "click_didyoumean-0.3.1-py3-none-any.whl", hash = "sha256:5c4bb6007cfea5f2fd6583a2fb6701a22a41eb98957e63d0fac41c10e7c3117c"}, + {file = "click_didyoumean-0.3.1.tar.gz", hash = "sha256:4f82fdff0dbe64ef8ab2279bd6aa3f6a99c3b28c05aa09cbfc07c9d7fbb5a463"}, ] [package.dependencies] 
@@ -748,18 +749,18 @@ all = ["email-validator (>=2.0.0)", "httpx (>=0.23.0)", "itsdangerous (>=1.1.0)" [[package]] name = "filelock" -version = "3.13.1" +version = "3.13.3" description = "A platform independent file lock." optional = false python-versions = ">=3.8" files = [ - {file = "filelock-3.13.1-py3-none-any.whl", hash = "sha256:57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c"}, - {file = "filelock-3.13.1.tar.gz", hash = "sha256:521f5f56c50f8426f5e03ad3b281b490a87ef15bc6c526f168290f0c7148d44e"}, + {file = "filelock-3.13.3-py3-none-any.whl", hash = "sha256:5ffa845303983e7a0b7ae17636509bc97997d58afeafa72fb141a17b152284cb"}, + {file = "filelock-3.13.3.tar.gz", hash = "sha256:a79895a25bbefdf55d1a2a0a80968f7dbb28edcd6d4234a0afb3f37ecde4b546"}, ] [package.extras] -docs = ["furo (>=2023.9.10)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.24)"] -testing = ["covdefaults (>=2.3)", "coverage (>=7.3.2)", "diff-cover (>=8)", "pytest (>=7.4.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)", "pytest-timeout (>=2.2)"] +docs = ["furo (>=2023.9.10)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.25.2)"] +testing = ["covdefaults (>=2.3)", "coverage (>=7.3.2)", "diff-cover (>=8.0.1)", "pytest (>=7.4.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)", "pytest-timeout (>=2.2)"] typing = ["typing-extensions (>=4.8)"] [[package]] 
@@ -775,13 +776,13 @@ files = [ [[package]] name = "google-auth" -version = "2.28.1" +version = "2.29.0" description = "Google Authentication Library" optional = false python-versions = ">=3.7" files = [ - {file = "google-auth-2.28.1.tar.gz", hash = "sha256:34fc3046c257cedcf1622fc4b31fc2be7923d9b4d44973d481125ecc50d83885"}, - {file = "google_auth-2.28.1-py2.py3-none-any.whl", hash = "sha256:25141e2d7a14bfcba945f5e9827f98092716e99482562f15306e5b026e21aa72"}, + {file = "google-auth-2.29.0.tar.gz", hash = "sha256:672dff332d073227550ffc7457868ac4218d6c500b155fe6cc17d2b13602c360"}, + {file = "google_auth-2.29.0-py2.py3-none-any.whl", hash = "sha256:d452ad095688cd52bae0ad6fafe027f6a6d6f560e810fec20914e17a09526415"}, ] [package.dependencies] 
@@ -882,22 +883,22 @@ files = [ [[package]] name = "importlib-metadata" -version = "7.0.1" +version = "7.1.0" description = "Read metadata from Python packages" optional = false python-versions = ">=3.8" files = [ - {file = "importlib_metadata-7.0.1-py3-none-any.whl", hash = "sha256:4805911c3a4ec7c3966410053e9ec6a1fecd629117df5adee56dfc9432a1081e"}, - {file = "importlib_metadata-7.0.1.tar.gz", hash = "sha256:f238736bb06590ae52ac1fab06a3a9ef1d8dce2b7a35b5ab329371d6c8f5d2cc"}, + {file = "importlib_metadata-7.1.0-py3-none-any.whl", hash = "sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570"}, + {file = "importlib_metadata-7.1.0.tar.gz", hash = "sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2"}, ] [package.dependencies] zipp = ">=0.5" [package.extras] -docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-lint"] +docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] perf = ["ipython"] -testing = ["flufl.flake8", "importlib-resources (>=1.3)", "packaging", "pyfakefs", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy (>=0.9.1)", "pytest-perf (>=0.9.2)", "pytest-ruff"] +testing = ["flufl.flake8", "importlib-resources (>=1.3)", "jaraco.test (>=5.4)", "packaging", "pyfakefs", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy", "pytest-perf (>=0.9.2)", "pytest-ruff (>=0.2.1)"] [[package]] name = "ipwhois" 
@@ -992,13 +993,13 @@ referencing = ">=0.31.0" [[package]] name = "kombu" -version = "5.3.5" +version = "5.3.6" description = "Messaging library for Python." optional = false python-versions = ">=3.8" files = [ - {file = "kombu-5.3.5-py3-none-any.whl", hash = "sha256:0eac1bbb464afe6fb0924b21bf79460416d25d8abc52546d4f16cad94f789488"}, - {file = "kombu-5.3.5.tar.gz", hash = "sha256:30e470f1a6b49c70dc6f6d13c3e4cc4e178aa6c469ceb6bcd55645385fc84b93"}, + {file = "kombu-5.3.6-py3-none-any.whl", hash = "sha256:49f1e62b12369045de2662f62cc584e7df83481a513db83b01f87b5b9785e378"}, + {file = "kombu-5.3.6.tar.gz", hash = "sha256:f3da5b570a147a5da8280180aa80b03807283d63ea5081fcdb510d18242431d9"}, ] [package.dependencies] @@ -1015,7 +1016,7 @@ mongodb = ["pymongo (>=4.1.1)"] msgpack = ["msgpack"] pyro = ["pyro4"] qpid = ["qpid-python (>=0.26)", "qpid-tools (>=0.26)"] -redis = ["redis (>=4.5.2,!=4.5.5,<6.0.0)"] +redis = ["redis (>=4.5.2,!=4.5.5,!=5.0.2)"] slmq = ["softlayer-messaging (>=1.0.3)"] sqlalchemy = ["sqlalchemy (>=1.4.48,<2.1)"] sqs = ["boto3 (>=1.26.143)", "pycurl (>=7.43.0.5)", "urllib3 (>=1.26.16)"] 
@@ -1203,38 +1204,38 @@ files = [ [[package]] name = "mypy" -version = "1.8.0" +version = "1.9.0" description = "Optional static typing for Python" optional = false python-versions = ">=3.8" files = [ - {file = "mypy-1.8.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:485a8942f671120f76afffff70f259e1cd0f0cfe08f81c05d8816d958d4577d3"}, - {file = "mypy-1.8.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:df9824ac11deaf007443e7ed2a4a26bebff98d2bc43c6da21b2b64185da011c4"}, - {file = "mypy-1.8.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2afecd6354bbfb6e0160f4e4ad9ba6e4e003b767dd80d85516e71f2e955ab50d"}, - {file = "mypy-1.8.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:8963b83d53ee733a6e4196954502b33567ad07dfd74851f32be18eb932fb1cb9"}, - {file = "mypy-1.8.0-cp310-cp310-win_amd64.whl", hash = "sha256:e46f44b54ebddbeedbd3d5b289a893219065ef805d95094d16a0af6630f5d410"}, - {file = "mypy-1.8.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:855fe27b80375e5c5878492f0729540db47b186509c98dae341254c8f45f42ae"}, - {file = "mypy-1.8.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4c886c6cce2d070bd7df4ec4a05a13ee20c0aa60cb587e8d1265b6c03cf91da3"}, - {file = "mypy-1.8.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d19c413b3c07cbecf1f991e2221746b0d2a9410b59cb3f4fb9557f0365a1a817"}, - {file = "mypy-1.8.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:9261ed810972061388918c83c3f5cd46079d875026ba97380f3e3978a72f503d"}, - {file = "mypy-1.8.0-cp311-cp311-win_amd64.whl", hash = "sha256:51720c776d148bad2372ca21ca29256ed483aa9a4cdefefcef49006dff2a6835"}, - {file = "mypy-1.8.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:52825b01f5c4c1c4eb0db253ec09c7aa17e1a7304d247c48b6f3599ef40db8bd"}, - {file = "mypy-1.8.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:f5ac9a4eeb1ec0f1ccdc6f326bcdb464de5f80eb07fb38b5ddd7b0de6bc61e55"}, - {file = 
"mypy-1.8.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:afe3fe972c645b4632c563d3f3eff1cdca2fa058f730df2b93a35e3b0c538218"}, - {file = "mypy-1.8.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:42c6680d256ab35637ef88891c6bd02514ccb7e1122133ac96055ff458f93fc3"}, - {file = "mypy-1.8.0-cp312-cp312-win_amd64.whl", hash = "sha256:720a5ca70e136b675af3af63db533c1c8c9181314d207568bbe79051f122669e"}, - {file = "mypy-1.8.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:028cf9f2cae89e202d7b6593cd98db6759379f17a319b5faf4f9978d7084cdc6"}, - {file = "mypy-1.8.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:4e6d97288757e1ddba10dd9549ac27982e3e74a49d8d0179fc14d4365c7add66"}, - {file = "mypy-1.8.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7f1478736fcebb90f97e40aff11a5f253af890c845ee0c850fe80aa060a267c6"}, - {file = "mypy-1.8.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:42419861b43e6962a649068a61f4a4839205a3ef525b858377a960b9e2de6e0d"}, - {file = "mypy-1.8.0-cp38-cp38-win_amd64.whl", hash = "sha256:2b5b6c721bd4aabaadead3a5e6fa85c11c6c795e0c81a7215776ef8afc66de02"}, - {file = "mypy-1.8.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5c1538c38584029352878a0466f03a8ee7547d7bd9f641f57a0f3017a7c905b8"}, - {file = "mypy-1.8.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4ef4be7baf08a203170f29e89d79064463b7fc7a0908b9d0d5114e8009c3a259"}, - {file = "mypy-1.8.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7178def594014aa6c35a8ff411cf37d682f428b3b5617ca79029d8ae72f5402b"}, - {file = "mypy-1.8.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:ab3c84fa13c04aeeeabb2a7f67a25ef5d77ac9d6486ff33ded762ef353aa5592"}, - {file = "mypy-1.8.0-cp39-cp39-win_amd64.whl", hash = "sha256:99b00bc72855812a60d253420d8a2eae839b0afa4938f09f4d2aa9bb4654263a"}, - {file = "mypy-1.8.0-py3-none-any.whl", hash = "sha256:538fd81bb5e430cc1381a443971c0475582ff9f434c16cd46d2c66763ce85d9d"}, - {file = 
"mypy-1.8.0.tar.gz", hash = "sha256:6ff8b244d7085a0b425b56d327b480c3b29cafbd2eff27316a004f9a7391ae07"}, + {file = "mypy-1.9.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f8a67616990062232ee4c3952f41c779afac41405806042a8126fe96e098419f"}, + {file = "mypy-1.9.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d357423fa57a489e8c47b7c85dfb96698caba13d66e086b412298a1a0ea3b0ed"}, + {file = "mypy-1.9.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:49c87c15aed320de9b438ae7b00c1ac91cd393c1b854c2ce538e2a72d55df150"}, + {file = "mypy-1.9.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:48533cdd345c3c2e5ef48ba3b0d3880b257b423e7995dada04248725c6f77374"}, + {file = "mypy-1.9.0-cp310-cp310-win_amd64.whl", hash = "sha256:4d3dbd346cfec7cb98e6cbb6e0f3c23618af826316188d587d1c1bc34f0ede03"}, + {file = "mypy-1.9.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:653265f9a2784db65bfca694d1edd23093ce49740b2244cde583aeb134c008f3"}, + {file = "mypy-1.9.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:3a3c007ff3ee90f69cf0a15cbcdf0995749569b86b6d2f327af01fd1b8aee9dc"}, + {file = "mypy-1.9.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2418488264eb41f69cc64a69a745fad4a8f86649af4b1041a4c64ee61fc61129"}, + {file = "mypy-1.9.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:68edad3dc7d70f2f17ae4c6c1b9471a56138ca22722487eebacfd1eb5321d612"}, + {file = "mypy-1.9.0-cp311-cp311-win_amd64.whl", hash = "sha256:85ca5fcc24f0b4aeedc1d02f93707bccc04733f21d41c88334c5482219b1ccb3"}, + {file = "mypy-1.9.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aceb1db093b04db5cd390821464504111b8ec3e351eb85afd1433490163d60cd"}, + {file = "mypy-1.9.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:0235391f1c6f6ce487b23b9dbd1327b4ec33bb93934aa986efe8a9563d9349e6"}, + {file = "mypy-1.9.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:d4d5ddc13421ba3e2e082a6c2d74c2ddb3979c39b582dacd53dd5d9431237185"}, + {file = "mypy-1.9.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:190da1ee69b427d7efa8aa0d5e5ccd67a4fb04038c380237a0d96829cb157913"}, + {file = "mypy-1.9.0-cp312-cp312-win_amd64.whl", hash = "sha256:fe28657de3bfec596bbeef01cb219833ad9d38dd5393fc649f4b366840baefe6"}, + {file = "mypy-1.9.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:e54396d70be04b34f31d2edf3362c1edd023246c82f1730bbf8768c28db5361b"}, + {file = "mypy-1.9.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:5e6061f44f2313b94f920e91b204ec600982961e07a17e0f6cd83371cb23f5c2"}, + {file = "mypy-1.9.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:81a10926e5473c5fc3da8abb04119a1f5811a236dc3a38d92015cb1e6ba4cb9e"}, + {file = "mypy-1.9.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:b685154e22e4e9199fc95f298661deea28aaede5ae16ccc8cbb1045e716b3e04"}, + {file = "mypy-1.9.0-cp38-cp38-win_amd64.whl", hash = "sha256:5d741d3fc7c4da608764073089e5f58ef6352bedc223ff58f2f038c2c4698a89"}, + {file = "mypy-1.9.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:587ce887f75dd9700252a3abbc9c97bbe165a4a630597845c61279cf32dfbf02"}, + {file = "mypy-1.9.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:f88566144752999351725ac623471661c9d1cd8caa0134ff98cceeea181789f4"}, + {file = "mypy-1.9.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:61758fabd58ce4b0720ae1e2fea5cfd4431591d6d590b197775329264f86311d"}, + {file = "mypy-1.9.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e49499be624dead83927e70c756970a0bc8240e9f769389cdf5714b0784ca6bf"}, + {file = "mypy-1.9.0-cp39-cp39-win_amd64.whl", hash = "sha256:571741dc4194b4f82d344b15e8837e8c5fcc462d66d076748142327626a1b6e9"}, + {file = "mypy-1.9.0-py3-none-any.whl", hash = "sha256:a260627a570559181a9ea5de61ac6297aa5af202f06fd7ab093ce74e7181e43e"}, + {file = "mypy-1.9.0.tar.gz", hash = 
"sha256:3cc5da0127e6a478cddd906068496a97a7618a21ce9b54bde5bf7e539c7af974"}, ] [package.dependencies] @@ -1356,13 +1357,13 @@ requests = "*" [[package]] name = "packaging" -version = "23.2" +version = "24.0" description = "Core utilities for Python packages" optional = false python-versions = ">=3.7" files = [ - {file = "packaging-23.2-py3-none-any.whl", hash = "sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7"}, - {file = "packaging-23.2.tar.gz", hash = "sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5"}, + {file = "packaging-24.0-py3-none-any.whl", hash = "sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5"}, + {file = "packaging-24.0.tar.gz", hash = "sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9"}, ] [[package]] @@ -1502,13 +1503,13 @@ wcwidth = "*" [[package]] name = "publicsuffixlist" -version = "0.10.0.20240305" +version = "0.10.0.20240403" description = "publicsuffixlist implement" optional = false python-versions = ">=2.6" files = [ - {file = "publicsuffixlist-0.10.0.20240305-py2.py3-none-any.whl", hash = "sha256:f6869119f8781501c0c625e59b4b65eb60e2ed5185cfd6c142c792f74ac47c21"}, - {file = "publicsuffixlist-0.10.0.20240305.tar.gz", hash = "sha256:6e79ea73b0278ce1b102f3ad6815f2a5b683864da9948ba0b0eab3180c419f7f"}, + {file = "publicsuffixlist-0.10.0.20240403-py2.py3-none-any.whl", hash = "sha256:a3c15de3f1c7ce49db23d354f24b664126e1f518f7986b653dc8a944a5ceeff1"}, + {file = "publicsuffixlist-0.10.0.20240403.tar.gz", hash = "sha256:0d082382bdf9979237dc158b68e41352742916104c5d4074271e234176de0595"}, ] [package.extras] 
@@ -1517,28 +1518,28 @@ update = ["requests"] [[package]] name = "pyasn1" -version = "0.5.1" +version = "0.6.0" description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)" optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7" +python-versions = ">=3.8" files = [ - {file = "pyasn1-0.5.1-py2.py3-none-any.whl", hash = "sha256:4439847c58d40b1d0a573d07e3856e95333f1976294494c325775aeca506eb58"}, - {file = "pyasn1-0.5.1.tar.gz", hash = "sha256:6d391a96e59b23130a5cfa74d6fd7f388dbbe26cc8f1edf39fdddf08d9d6676c"}, + {file = "pyasn1-0.6.0-py2.py3-none-any.whl", hash = "sha256:cca4bb0f2df5504f02f6f8a775b6e416ff9b0b3b16f7ee80b5a3153d9b804473"}, + {file = "pyasn1-0.6.0.tar.gz", hash = "sha256:3a35ab2c4b5ef98e17dfdec8ab074046fbda76e281c5a706ccd82328cfc8f64c"}, ] [[package]] name = "pyasn1-modules" -version = "0.3.0" +version = "0.4.0" description = "A collection of ASN.1-based protocols modules" optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7" +python-versions = ">=3.8" files = [ - {file = "pyasn1_modules-0.3.0-py2.py3-none-any.whl", hash = "sha256:d3ccd6ed470d9ffbc716be08bd90efbd44d0734bc9303818f7336070984a162d"}, - {file = "pyasn1_modules-0.3.0.tar.gz", hash = "sha256:5bd01446b736eb9d31512a30d46c1ac3395d676c6f3cafa4c03eb54b9925631c"}, + {file = "pyasn1_modules-0.4.0-py3-none-any.whl", hash = "sha256:be04f15b66c206eed667e0bb5ab27e2b1855ea54a842e5037738099e8ca4ae0b"}, + {file = "pyasn1_modules-0.4.0.tar.gz", hash = "sha256:831dbcea1b177b28c9baddf4c6d1013c24c3accd14a1873fffaa6a2e905f17b6"}, ] [package.dependencies] -pyasn1 = ">=0.4.6,<0.6.0" +pyasn1 = ">=0.4.6,<0.7.0" [[package]] name = "pycountry" 
@@ -1553,24 +1554,24 @@ files = [ [[package]] name = "pycparser" -version = "2.21" +version = "2.22" description = "C parser in Python" optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" +python-versions = ">=3.8" files = [ - {file = "pycparser-2.21-py2.py3-none-any.whl", hash = "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9"}, - {file = "pycparser-2.21.tar.gz", hash = "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206"}, + {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"}, + {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"}, ] [[package]] name = "pydantic" -version = "2.6.3" +version = "2.6.4" description = "Data validation using Python type hints" optional = false python-versions = ">=3.8" files = [ - {file = "pydantic-2.6.3-py3-none-any.whl", hash = "sha256:72c6034df47f46ccdf81869fddb81aade68056003900a8724a4f160700016a2a"}, - {file = "pydantic-2.6.3.tar.gz", hash = "sha256:e07805c4c7f5c6826e33a1d4c9d47950d7eaf34868e2690f8594d2e30241f11f"}, + {file = "pydantic-2.6.4-py3-none-any.whl", hash = "sha256:cc46fce86607580867bdc3361ad462bab9c222ef042d3da86f2fb333e1d916c5"}, + {file = "pydantic-2.6.4.tar.gz", hash = "sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6"}, ] [package.dependencies] 
@@ -1734,19 +1735,19 @@ testutils = ["gitpython (>3)"] [[package]] name = "pymisp" -version = "2.4.186" +version = "2.4.188" description = "Python API for MISP." optional = false -python-versions = ">=3.8,<4.0" +python-versions = "<4.0,>=3.8" files = [ - {file = "pymisp-2.4.186-py3-none-any.whl", hash = "sha256:bb8ae23d038848a86cf5d6a4c965dbed79e48cd6f671681b17f72410aecf07a0"}, - {file = "pymisp-2.4.186.tar.gz", hash = "sha256:bdf2d54b297ad890418179b044dd4ea79821fccef723823919d12262e9794ca3"}, + {file = "pymisp-2.4.188-py3-none-any.whl", hash = "sha256:454746ee717841cd1a9425ec6cffdaf99de595d8672685e0a61b7a233659480a"}, + {file = "pymisp-2.4.188.tar.gz", hash = "sha256:c2313d059a9f4d1221243fcda64fb8ae11603c1745e92d57c4071aad04336696"}, ] [package.dependencies] deprecated = ">=1.2.14,<2.0.0" publicsuffixlist = ">=0.10.0.20231214,<0.11.0.0" -python-dateutil = ">=2.8.2,<3.0.0" +python-dateutil = ">=2.9.0.post0,<3.0.0" requests = ">=2.31.0,<3.0.0" [package.extras] @@ -1757,7 +1758,7 @@ fileobjects = ["lief (>=0.14.1,<0.15.0)", "pydeep2 (>=0.5.1,<0.6.0)", "python-ma openioc = ["beautifulsoup4 (>=4.12.3,<5.0.0)"] pdfexport = ["reportlab (>=4.1.0,<5.0.0)"] url = ["pyfaup (>=1.2,<2.0)"] -virustotal = ["validators (>=0.22.0,<0.23.0)"] +virustotal = ["validators (>=0.23.0,<0.24.0)"] [[package]] name = "pyopenssl" 
@@ -1923,17 +1924,17 @@ files = [ [[package]] name = "redis" -version = "5.0.2" +version = "5.0.3" description = "Python client for Redis database and key-value store" optional = false python-versions = ">=3.7" files = [ - {file = "redis-5.0.2-py3-none-any.whl", hash = "sha256:4caa8e1fcb6f3c0ef28dba99535101d80934b7d4cd541bbb47f4a3826ee472d1"}, - {file = "redis-5.0.2.tar.gz", hash = "sha256:3f82cc80d350e93042c8e6e7a5d0596e4dd68715babffba79492733e1f367037"}, + {file = "redis-5.0.3-py3-none-any.whl", hash = "sha256:5da9b8fe9e1254293756c16c008e8620b3d15fcc6dde6babde9541850e72a32d"}, + {file = "redis-5.0.3.tar.gz", hash = "sha256:4973bae7444c0fbed64a06b87446f79361cb7e4ec1538c022d696ed7a5015580"}, ] [package.dependencies] -async-timeout = ">=4.0.3" +async-timeout = {version = ">=4.0.3", markers = "python_full_version < \"3.11.3\""} [package.extras] hiredis = ["hiredis (>=1.0.0)"] @@ -1941,13 +1942,13 @@ ocsp = ["cryptography (>=36.0.1)", "pyopenssl (==20.0.1)", "requests (>=2.26.0)" [[package]] name = "referencing" -version = "0.33.0" +version = "0.34.0" description = "JSON Referencing + Python" optional = false python-versions = ">=3.8" files = [ - {file = "referencing-0.33.0-py3-none-any.whl", hash = "sha256:39240f2ecc770258f28b642dd47fd74bc8b02484de54e1882b74b35ebd779bd5"}, - {file = "referencing-0.33.0.tar.gz", hash = "sha256:c775fedf74bc0f9189c2a3be1c12fd03e8c23f4d371dce795df44e06c5b412f7"}, + {file = "referencing-0.34.0-py3-none-any.whl", hash = "sha256:d53ae300ceddd3169f1ffa9caf2cb7b769e92657e4fafb23d34b93679116dfd4"}, + {file = "referencing-0.34.0.tar.gz", hash = "sha256:5773bd84ef41799a5a8ca72dc34590c041eb01bf9aa02632b4a973fb0181a844"}, ] [package.dependencies] 
@@ -2093,13 +2094,13 @@ requests = ">=1.0.0" [[package]] name = "requests-oauthlib" -version = "1.3.1" +version = "2.0.0" description = "OAuthlib authentication support for Requests." optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" +python-versions = ">=3.4" files = [ - {file = "requests-oauthlib-1.3.1.tar.gz", hash = "sha256:75beac4a47881eeb94d5ea5d6ad31ef88856affe2332b9aafb52c6452ccf0d7a"}, - {file = "requests_oauthlib-1.3.1-py2.py3-none-any.whl", hash = "sha256:2577c501a2fb8d05a304c09d090d6e47c306fef15809d102b327cf8364bddab5"}, + {file = "requests-oauthlib-2.0.0.tar.gz", hash = "sha256:b3dffaebd884d8cd778494369603a9e7b58d29111bf6b41bdc2dcd87203af4e9"}, + {file = "requests_oauthlib-2.0.0-py2.py3-none-any.whl", hash = "sha256:7dd8a5c40426b779b0868c404bdef9768deccf22749cde15852df527e6269b36"}, ] [package.dependencies] 
@@ -2282,44 +2283,44 @@ pyasn1 = ">=0.1.3" [[package]] name = "ruff" -version = "0.3.0" +version = "0.3.5" description = "An extremely fast Python linter and code formatter, written in Rust." optional = false python-versions = ">=3.7" files = [ - {file = "ruff-0.3.0-py3-none-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl", hash = "sha256:7deb528029bacf845bdbb3dbb2927d8ef9b4356a5e731b10eef171e3f0a85944"}, - {file = "ruff-0.3.0-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:e1e0d4381ca88fb2b73ea0766008e703f33f460295de658f5467f6f229658c19"}, - {file = "ruff-0.3.0-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2f7dbba46e2827dfcb0f0cc55fba8e96ba7c8700e0a866eb8cef7d1d66c25dcb"}, - {file = "ruff-0.3.0-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:23dbb808e2f1d68eeadd5f655485e235c102ac6f12ad31505804edced2a5ae77"}, - {file = "ruff-0.3.0-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3ef655c51f41d5fa879f98e40c90072b567c666a7114fa2d9fe004dffba00932"}, - {file = "ruff-0.3.0-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:d0d3d7ef3d4f06433d592e5f7d813314a34601e6c5be8481cccb7fa760aa243e"}, - {file = "ruff-0.3.0-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b08b356d06a792e49a12074b62222f9d4ea2a11dca9da9f68163b28c71bf1dd4"}, - {file = "ruff-0.3.0-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9343690f95710f8cf251bee1013bf43030072b9f8d012fbed6ad702ef70d360a"}, - {file = "ruff-0.3.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a1f3ed501a42f60f4dedb7805fa8d4534e78b4e196f536bac926f805f0743d49"}, - {file = "ruff-0.3.0-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:cc30a9053ff2f1ffb505a585797c23434d5f6c838bacfe206c0e6cf38c921a1e"}, - {file = "ruff-0.3.0-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:5da894a29ec018a8293d3d17c797e73b374773943e8369cfc50495573d396933"}, - {file = 
"ruff-0.3.0-py3-none-musllinux_1_2_i686.whl", hash = "sha256:755c22536d7f1889be25f2baf6fedd019d0c51d079e8417d4441159f3bcd30c2"}, - {file = "ruff-0.3.0-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:dd73fe7f4c28d317855da6a7bc4aa29a1500320818dd8f27df95f70a01b8171f"}, - {file = "ruff-0.3.0-py3-none-win32.whl", hash = "sha256:19eacceb4c9406f6c41af806418a26fdb23120dfe53583df76d1401c92b7c14b"}, - {file = "ruff-0.3.0-py3-none-win_amd64.whl", hash = "sha256:128265876c1d703e5f5e5a4543bd8be47c73a9ba223fd3989d4aa87dd06f312f"}, - {file = "ruff-0.3.0-py3-none-win_arm64.whl", hash = "sha256:e3a4a6d46aef0a84b74fcd201a4401ea9a6cd85614f6a9435f2d33dd8cefbf83"}, - {file = "ruff-0.3.0.tar.gz", hash = "sha256:0886184ba2618d815067cf43e005388967b67ab9c80df52b32ec1152ab49f53a"}, + {file = "ruff-0.3.5-py3-none-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl", hash = "sha256:aef5bd3b89e657007e1be6b16553c8813b221ff6d92c7526b7e0227450981eac"}, + {file = "ruff-0.3.5-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:89b1e92b3bd9fca249153a97d23f29bed3992cff414b222fcd361d763fc53f12"}, + {file = "ruff-0.3.5-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5e55771559c89272c3ebab23326dc23e7f813e492052391fe7950c1a5a139d89"}, + {file = "ruff-0.3.5-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:dabc62195bf54b8a7876add6e789caae0268f34582333cda340497c886111c39"}, + {file = "ruff-0.3.5-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3a05f3793ba25f194f395578579c546ca5d83e0195f992edc32e5907d142bfa3"}, + {file = "ruff-0.3.5-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:dfd3504e881082959b4160ab02f7a205f0fadc0a9619cc481982b6837b2fd4c0"}, + {file = "ruff-0.3.5-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:87258e0d4b04046cf1d6cc1c56fadbf7a880cc3de1f7294938e923234cf9e498"}, + {file = "ruff-0.3.5-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:712e71283fc7d9f95047ed5f793bc019b0b0a29849b14664a60fd66c23b96da1"}, + {file = "ruff-0.3.5-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a532a90b4a18d3f722c124c513ffb5e5eaff0cc4f6d3aa4bda38e691b8600c9f"}, + {file = "ruff-0.3.5-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:122de171a147c76ada00f76df533b54676f6e321e61bd8656ae54be326c10296"}, + {file = "ruff-0.3.5-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d80a6b18a6c3b6ed25b71b05eba183f37d9bc8b16ace9e3d700997f00b74660b"}, + {file = "ruff-0.3.5-py3-none-musllinux_1_2_i686.whl", hash = "sha256:a7b6e63194c68bca8e71f81de30cfa6f58ff70393cf45aab4c20f158227d5936"}, + {file = "ruff-0.3.5-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:a759d33a20c72f2dfa54dae6e85e1225b8e302e8ac655773aff22e542a300985"}, + {file = "ruff-0.3.5-py3-none-win32.whl", hash = "sha256:9d8605aa990045517c911726d21293ef4baa64f87265896e491a05461cae078d"}, + {file = "ruff-0.3.5-py3-none-win_amd64.whl", hash = "sha256:dc56bb16a63c1303bd47563c60482a1512721053d93231cf7e9e1c6954395a0e"}, + {file = "ruff-0.3.5-py3-none-win_arm64.whl", hash = "sha256:faeeae9905446b975dcf6d4499dc93439b131f1443ee264055c5716dd947af55"}, + {file = "ruff-0.3.5.tar.gz", hash = "sha256:a067daaeb1dc2baf9b82a32dae67d154d95212080c80435eb052d95da647763d"}, ] [[package]] name = "setuptools" -version = "69.1.1" +version = "69.2.0" description = "Easily download, build, install, upgrade, and uninstall Python packages" optional = false python-versions = ">=3.8" files = [ - {file = "setuptools-69.1.1-py3-none-any.whl", hash = "sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56"}, - {file = "setuptools-69.1.1.tar.gz", hash = "sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"}, + {file = "setuptools-69.2.0-py3-none-any.whl", hash = "sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c"}, + {file = "setuptools-69.2.0.tar.gz", hash = 
"sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e"}, ] [package.extras] docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"] -testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] +testing = ["build[virtualenv]", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "mypy (==1.9)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"] [[package]] 
@@ -2412,13 +2413,13 @@ requests = "*" [[package]] name = "tldextract" -version = "5.1.1" +version = "5.1.2" description = "Accurately separates a URL's subdomain, domain, and public suffix, using the Public Suffix List (PSL). By default, this includes the public ICANN TLDs and their exceptions. You can optionally support the Public Suffix List's private domains as well." optional = false python-versions = ">=3.8" files = [ - {file = "tldextract-5.1.1-py3-none-any.whl", hash = "sha256:b9c4510a8766d377033b6bace7e9f1f17a891383ced3c5d50c150f181e9e1cc2"}, - {file = "tldextract-5.1.1.tar.gz", hash = "sha256:9b6dbf803cb5636397f0203d48541c0da8ba53babaf0e8a6feda2d88746813d4"}, + {file = "tldextract-5.1.2-py3-none-any.whl", hash = "sha256:4dfc4c277b6b97fa053899fcdb892d2dc27295851ab5fac4e07797b6a21b2e46"}, + {file = "tldextract-5.1.2.tar.gz", hash = "sha256:c9e17f756f05afb5abac04fe8f766e7e70f9fe387adb1859f0f52408ee060200"}, ] [package.dependencies] @@ -2428,7 +2429,8 @@ requests = ">=2.1.0" requests-file = ">=1.4" [package.extras] -testing = ["black", "mypy", "pytest", "pytest-gitignore", "pytest-mock", "responses", "ruff", "tox", "types-filelock", "types-requests"] +release = ["build", "twine"] +testing = ["black", "mypy", "pytest", "pytest-gitignore", "pytest-mock", "responses", "ruff", "syrupy", "tox", "types-filelock", "types-requests"] [[package]] name = "tomli" 
@@ -2674,18 +2676,18 @@ files = [ [[package]] name = "zipp" -version = "3.17.0" +version = "3.18.1" description = "Backport of pathlib-compatible object wrapper for zip files" optional = false python-versions = ">=3.8" files = [ - {file = "zipp-3.17.0-py3-none-any.whl", hash = "sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31"}, - {file = "zipp-3.17.0.tar.gz", hash = "sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0"}, + {file = "zipp-3.18.1-py3-none-any.whl", hash = "sha256:206f5a15f2af3dbaee80769fb7dc6f249695e940acca08dfb2a4769fe61e538b"}, + {file = "zipp-3.18.1.tar.gz", hash = "sha256:2884ed22e7d8961de1c9a05142eb69a247f120291bc0206a00a7642f09b5b715"}, ] [package.extras] -docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-lint"] -testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ignore-flaky", "pytest-mypy (>=0.9.1)", "pytest-ruff"] +docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] +testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ignore-flaky", "pytest-mypy", "pytest-ruff (>=0.2.1)"] [metadata] lock-version = "2.0" From 2ae5d3d04464c9bc32da4af1408d784b7955e018 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Wed, 3 Apr 2024 09:57:54 +0200 Subject: [PATCH 64/69] Update poetry.lock --- poetry.lock | 421 +++++++++++++++++----------------------------------- 1 file changed, 133 insertions(+), 288 deletions(-) diff --git a/poetry.lock b/poetry.lock index 7a793851a..c4e9f5812 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -2,13 +2,13 @@ [[package]] name = "altair" -version = "5.3.0" +version = "5.2.0" description = "Vega-Altair: A declarative statistical visualization library for Python." optional = false python-versions = ">=3.8" files = [ - {file = "altair-5.3.0-py3-none-any.whl", hash = "sha256:7084a1dab4d83c5e7e5246b92dc1b4451a6c68fd057f3716ee9d315c8980e59a"}, - {file = "altair-5.3.0.tar.gz", hash = "sha256:5a268b1a0983b23d8f9129f819f956174aa7aea2719ed55a52eba9979b9f6675"}, + {file = "altair-5.2.0-py3-none-any.whl", hash = "sha256:8c4888ad11db7c39f3f17aa7f4ea985775da389d79ac30a6c22856ab238df399"}, + {file = "altair-5.2.0.tar.gz", hash = "sha256:2ad7f0c8010ebbc46319cc30febfb8e59ccf84969a201541c207bc3a4fa6cf81"}, ] [package.dependencies] @@ -21,8 +21,7 @@ toolz = "*" typing-extensions = {version = ">=4.0.1", markers = "python_version < \"3.11\""} [package.extras] -all = ["altair-tiles (>=0.3.0)", "anywidget (>=0.9.0)", "pyarrow (>=11)", "vega-datasets (>=0.9.0)", "vegafusion[embed] (>=1.6.6)", "vl-convert-python (>=1.3.0)"] -dev = ["geopandas", "hatch", "ipython", "m2r", "mypy", "pandas-stubs", "pytest", "pytest-cov", "ruff (>=0.3.0)", "types-jsonschema", "types-setuptools"] +dev = ["anywidget", "geopandas", "hatch", "ipython", "m2r", "mypy", "pandas-stubs", "pyarrow (>=11)", "pytest", "pytest-cov", "ruff (>=0.1.3)", "types-jsonschema", "types-setuptools", "vega-datasets", "vegafusion[embed] (>=1.4.0)", "vl-convert-python (>=1.1.0)"] doc = ["docutils", "jinja2", "myst-parser", "numpydoc", "pillow (>=9,<10)", "pydata-sphinx-theme (>=0.14.1)", "scipy", "sphinx", "sphinx-copybutton", "sphinx-design", "sphinxext-altair"] [[package]] 
@@ -74,13 +73,13 @@ trio = ["trio (>=0.23)"] [[package]] name = "argcomplete" -version = "3.2.3" +version = "3.2.2" description = "Bash tab completion for argparse" optional = false python-versions = ">=3.8" files = [ - {file = "argcomplete-3.2.3-py3-none-any.whl", hash = "sha256:c12355e0494c76a2a7b73e3a59b09024ca0ba1e279fb9ed6c1b82d5b74b6a70c"}, - {file = "argcomplete-3.2.3.tar.gz", hash = "sha256:bf7900329262e481be5a15f56f19736b376df6f82ed27576fa893652c5de6c23"}, + {file = "argcomplete-3.2.2-py3-none-any.whl", hash = "sha256:e44f4e7985883ab3e73a103ef0acd27299dbfe2dfed00142c35d4ddd3005901d"}, + {file = "argcomplete-3.2.2.tar.gz", hash = "sha256:f3e49e8ea59b4026ee29548e24488af46e30c9de57d48638e24f54a1ea1000a2"}, ] [package.extras] @@ -88,7 +87,7 @@ test = ["coverage", "mypy", "pexpect", "ruff", "wheel"] [[package]] name = "artifacts" -version = "20240401" +version = "20240303" description = "ForensicArtifacts.com Artifact Repository." optional = false python-versions = ">=3.8" @@ -99,7 +98,7 @@ develop = false type = "git" url = "https://github.com/forensicartifacts/artifacts.git" reference = "main" -resolved_reference = "be86a49309750fd000ea2433be8d2d7128fd58c8" +resolved_reference = "2449049ef7c3b2f06ed8dfab9862b8d168ce36db" [[package]] name = "astroid" 
@@ -315,13 +314,13 @@ zstd = ["zstandard (==0.22.0)"] [[package]] name = "censys" -version = "2.2.12" +version = "2.2.11" description = "An easy-to-use and lightweight API wrapper for Censys APIs (censys.io)." optional = false -python-versions = "<4.0,>=3.8" +python-versions = ">=3.8,<4.0" files = [ - {file = "censys-2.2.12-py3-none-any.whl", hash = "sha256:ef1b27c915c021ad1f1e492b0deb169b119e88eb3a48fc115d1e20912bc6d932"}, - {file = "censys-2.2.12.tar.gz", hash = "sha256:da75c2e37f064b9ffd579650217cb8d3f129048949f997acee31a0cb34b6e0dd"}, + {file = "censys-2.2.11-py3-none-any.whl", hash = "sha256:5f924e8fd46bda1f6fd4ce9ff60e24857657c1a33bbcfd903fe6a73147d1ab0e"}, + {file = "censys-2.2.11.tar.gz", hash = "sha256:d4e161e3085800c0f9b6ff6cc035a7727ff525135cdde62ff01e32eb371c5773"}, ] [package.dependencies] @@ -521,13 +520,13 @@ colorama = {version = "*", markers = "platform_system == \"Windows\""} [[package]] name = "click-didyoumean" -version = "0.3.1" +version = "0.3.0" description = "Enables git-like *did-you-mean* feature in click" optional = false -python-versions = ">=3.6.2" +python-versions = ">=3.6.2,<4.0.0" files = [ - {file = "click_didyoumean-0.3.1-py3-none-any.whl", hash = "sha256:5c4bb6007cfea5f2fd6583a2fb6701a22a41eb98957e63d0fac41c10e7c3117c"}, - {file = "click_didyoumean-0.3.1.tar.gz", hash = "sha256:4f82fdff0dbe64ef8ab2279bd6aa3f6a99c3b28c05aa09cbfc07c9d7fbb5a463"}, + {file = "click-didyoumean-0.3.0.tar.gz", hash = "sha256:f184f0d851d96b6d29297354ed981b7dd71df7ff500d82fa6d11f0856bee8035"}, + {file = "click_didyoumean-0.3.0-py3-none-any.whl", hash = "sha256:a0713dc7a1de3f06bc0df5a9567ad19ead2d3d5689b434768a6145bff77c0667"}, ] [package.dependencies] 
@@ -624,28 +623,6 @@ ssh = ["bcrypt (>=3.1.5)"] test = ["pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] test-randomorder = ["pytest-randomly"] -[[package]] -name = "dateparser" -version = "1.2.0" -description = "Date parsing library designed to parse dates from HTML pages" -optional = false -python-versions = ">=3.7" -files = [ - {file = "dateparser-1.2.0-py2.py3-none-any.whl", hash = "sha256:0b21ad96534e562920a0083e97fd45fa959882d4162acc358705144520a35830"}, - {file = "dateparser-1.2.0.tar.gz", hash = "sha256:7975b43a4222283e0ae15be7b4999d08c9a70e2d378ac87385b1ccf2cffbbb30"}, -] - -[package.dependencies] -python-dateutil = "*" -pytz = "*" -regex = "<2019.02.19 || >2019.02.19,<2021.8.27 || >2021.8.27" -tzlocal = "*" - -[package.extras] -calendars = ["convertdate", "hijri-converter"] -fasttext = ["fasttext"] -langdetect = ["langdetect"] - [[package]] name = "deprecated" version = "1.2.14" 
@@ -749,18 +726,18 @@ all = ["email-validator (>=2.0.0)", "httpx (>=0.23.0)", "itsdangerous (>=1.1.0)" [[package]] name = "filelock" -version = "3.13.3" +version = "3.13.1" description = "A platform independent file lock." optional = false python-versions = ">=3.8" files = [ - {file = "filelock-3.13.3-py3-none-any.whl", hash = "sha256:5ffa845303983e7a0b7ae17636509bc97997d58afeafa72fb141a17b152284cb"}, - {file = "filelock-3.13.3.tar.gz", hash = "sha256:a79895a25bbefdf55d1a2a0a80968f7dbb28edcd6d4234a0afb3f37ecde4b546"}, + {file = "filelock-3.13.1-py3-none-any.whl", hash = "sha256:57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c"}, + {file = "filelock-3.13.1.tar.gz", hash = "sha256:521f5f56c50f8426f5e03ad3b281b490a87ef15bc6c526f168290f0c7148d44e"}, ] [package.extras] -docs = ["furo (>=2023.9.10)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.25.2)"] -testing = ["covdefaults (>=2.3)", "coverage (>=7.3.2)", "diff-cover (>=8.0.1)", "pytest (>=7.4.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)", "pytest-timeout (>=2.2)"] +docs = ["furo (>=2023.9.10)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.24)"] +testing = ["covdefaults (>=2.3)", "coverage (>=7.3.2)", "diff-cover (>=8)", "pytest (>=7.4.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)", "pytest-timeout (>=2.2)"] typing = ["typing-extensions (>=4.8)"] [[package]] 
@@ -776,13 +753,13 @@ files = [ [[package]] name = "google-auth" -version = "2.29.0" +version = "2.28.1" description = "Google Authentication Library" optional = false python-versions = ">=3.7" files = [ - {file = "google-auth-2.29.0.tar.gz", hash = "sha256:672dff332d073227550ffc7457868ac4218d6c500b155fe6cc17d2b13602c360"}, - {file = "google_auth-2.29.0-py2.py3-none-any.whl", hash = "sha256:d452ad095688cd52bae0ad6fafe027f6a6d6f560e810fec20914e17a09526415"}, + {file = "google-auth-2.28.1.tar.gz", hash = "sha256:34fc3046c257cedcf1622fc4b31fc2be7923d9b4d44973d481125ecc50d83885"}, + {file = "google_auth-2.28.1-py2.py3-none-any.whl", hash = "sha256:25141e2d7a14bfcba945f5e9827f98092716e99482562f15306e5b026e21aa72"}, ] [package.dependencies] 
@@ -883,22 +860,22 @@ files = [ [[package]] name = "importlib-metadata" -version = "7.1.0" +version = "7.0.1" description = "Read metadata from Python packages" optional = false python-versions = ">=3.8" files = [ - {file = "importlib_metadata-7.1.0-py3-none-any.whl", hash = "sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570"}, - {file = "importlib_metadata-7.1.0.tar.gz", hash = "sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2"}, + {file = "importlib_metadata-7.0.1-py3-none-any.whl", hash = "sha256:4805911c3a4ec7c3966410053e9ec6a1fecd629117df5adee56dfc9432a1081e"}, + {file = "importlib_metadata-7.0.1.tar.gz", hash = "sha256:f238736bb06590ae52ac1fab06a3a9ef1d8dce2b7a35b5ab329371d6c8f5d2cc"}, ] [package.dependencies] zipp = ">=0.5" [package.extras] -docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] +docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-lint"] perf = ["ipython"] -testing = ["flufl.flake8", "importlib-resources (>=1.3)", "jaraco.test (>=5.4)", "packaging", "pyfakefs", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy", "pytest-perf (>=0.9.2)", "pytest-ruff (>=0.2.1)"] +testing = ["flufl.flake8", "importlib-resources (>=1.3)", "packaging", "pyfakefs", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy (>=0.9.1)", "pytest-perf (>=0.9.2)", "pytest-ruff"] [[package]] name = "ipwhois" 
@@ -993,13 +970,13 @@ referencing = ">=0.31.0" [[package]] name = "kombu" -version = "5.3.6" +version = "5.3.5" description = "Messaging library for Python." optional = false python-versions = ">=3.8" files = [ - {file = "kombu-5.3.6-py3-none-any.whl", hash = "sha256:49f1e62b12369045de2662f62cc584e7df83481a513db83b01f87b5b9785e378"}, - {file = "kombu-5.3.6.tar.gz", hash = "sha256:f3da5b570a147a5da8280180aa80b03807283d63ea5081fcdb510d18242431d9"}, + {file = "kombu-5.3.5-py3-none-any.whl", hash = "sha256:0eac1bbb464afe6fb0924b21bf79460416d25d8abc52546d4f16cad94f789488"}, + {file = "kombu-5.3.5.tar.gz", hash = "sha256:30e470f1a6b49c70dc6f6d13c3e4cc4e178aa6c469ceb6bcd55645385fc84b93"}, ] [package.dependencies] @@ -1016,7 +993,7 @@ mongodb = ["pymongo (>=4.1.1)"] msgpack = ["msgpack"] pyro = ["pyro4"] qpid = ["qpid-python (>=0.26)", "qpid-tools (>=0.26)"] -redis = ["redis (>=4.5.2,!=4.5.5,!=5.0.2)"] +redis = ["redis (>=4.5.2,!=4.5.5,<6.0.0)"] slmq = ["softlayer-messaging (>=1.0.3)"] sqlalchemy = ["sqlalchemy (>=1.4.48,<2.1)"] sqs = ["boto3 (>=1.26.143)", "pycurl (>=7.43.0.5)", "urllib3 (>=1.26.16)"] 
@@ -1204,38 +1181,38 @@ files = [ [[package]] name = "mypy" -version = "1.9.0" +version = "1.8.0" description = "Optional static typing for Python" optional = false python-versions = ">=3.8" files = [ - {file = "mypy-1.9.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f8a67616990062232ee4c3952f41c779afac41405806042a8126fe96e098419f"}, - {file = "mypy-1.9.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d357423fa57a489e8c47b7c85dfb96698caba13d66e086b412298a1a0ea3b0ed"}, - {file = "mypy-1.9.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:49c87c15aed320de9b438ae7b00c1ac91cd393c1b854c2ce538e2a72d55df150"}, - {file = "mypy-1.9.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:48533cdd345c3c2e5ef48ba3b0d3880b257b423e7995dada04248725c6f77374"}, - {file = "mypy-1.9.0-cp310-cp310-win_amd64.whl", hash = "sha256:4d3dbd346cfec7cb98e6cbb6e0f3c23618af826316188d587d1c1bc34f0ede03"}, - {file = "mypy-1.9.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:653265f9a2784db65bfca694d1edd23093ce49740b2244cde583aeb134c008f3"}, - {file = "mypy-1.9.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:3a3c007ff3ee90f69cf0a15cbcdf0995749569b86b6d2f327af01fd1b8aee9dc"}, - {file = "mypy-1.9.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2418488264eb41f69cc64a69a745fad4a8f86649af4b1041a4c64ee61fc61129"}, - {file = "mypy-1.9.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:68edad3dc7d70f2f17ae4c6c1b9471a56138ca22722487eebacfd1eb5321d612"}, - {file = "mypy-1.9.0-cp311-cp311-win_amd64.whl", hash = "sha256:85ca5fcc24f0b4aeedc1d02f93707bccc04733f21d41c88334c5482219b1ccb3"}, - {file = "mypy-1.9.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aceb1db093b04db5cd390821464504111b8ec3e351eb85afd1433490163d60cd"}, - {file = "mypy-1.9.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:0235391f1c6f6ce487b23b9dbd1327b4ec33bb93934aa986efe8a9563d9349e6"}, - {file = 
"mypy-1.9.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d4d5ddc13421ba3e2e082a6c2d74c2ddb3979c39b582dacd53dd5d9431237185"}, - {file = "mypy-1.9.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:190da1ee69b427d7efa8aa0d5e5ccd67a4fb04038c380237a0d96829cb157913"}, - {file = "mypy-1.9.0-cp312-cp312-win_amd64.whl", hash = "sha256:fe28657de3bfec596bbeef01cb219833ad9d38dd5393fc649f4b366840baefe6"}, - {file = "mypy-1.9.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:e54396d70be04b34f31d2edf3362c1edd023246c82f1730bbf8768c28db5361b"}, - {file = "mypy-1.9.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:5e6061f44f2313b94f920e91b204ec600982961e07a17e0f6cd83371cb23f5c2"}, - {file = "mypy-1.9.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:81a10926e5473c5fc3da8abb04119a1f5811a236dc3a38d92015cb1e6ba4cb9e"}, - {file = "mypy-1.9.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:b685154e22e4e9199fc95f298661deea28aaede5ae16ccc8cbb1045e716b3e04"}, - {file = "mypy-1.9.0-cp38-cp38-win_amd64.whl", hash = "sha256:5d741d3fc7c4da608764073089e5f58ef6352bedc223ff58f2f038c2c4698a89"}, - {file = "mypy-1.9.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:587ce887f75dd9700252a3abbc9c97bbe165a4a630597845c61279cf32dfbf02"}, - {file = "mypy-1.9.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:f88566144752999351725ac623471661c9d1cd8caa0134ff98cceeea181789f4"}, - {file = "mypy-1.9.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:61758fabd58ce4b0720ae1e2fea5cfd4431591d6d590b197775329264f86311d"}, - {file = "mypy-1.9.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e49499be624dead83927e70c756970a0bc8240e9f769389cdf5714b0784ca6bf"}, - {file = "mypy-1.9.0-cp39-cp39-win_amd64.whl", hash = "sha256:571741dc4194b4f82d344b15e8837e8c5fcc462d66d076748142327626a1b6e9"}, - {file = "mypy-1.9.0-py3-none-any.whl", hash = "sha256:a260627a570559181a9ea5de61ac6297aa5af202f06fd7ab093ce74e7181e43e"}, - {file = 
"mypy-1.9.0.tar.gz", hash = "sha256:3cc5da0127e6a478cddd906068496a97a7618a21ce9b54bde5bf7e539c7af974"}, + {file = "mypy-1.8.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:485a8942f671120f76afffff70f259e1cd0f0cfe08f81c05d8816d958d4577d3"}, + {file = "mypy-1.8.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:df9824ac11deaf007443e7ed2a4a26bebff98d2bc43c6da21b2b64185da011c4"}, + {file = "mypy-1.8.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2afecd6354bbfb6e0160f4e4ad9ba6e4e003b767dd80d85516e71f2e955ab50d"}, + {file = "mypy-1.8.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:8963b83d53ee733a6e4196954502b33567ad07dfd74851f32be18eb932fb1cb9"}, + {file = "mypy-1.8.0-cp310-cp310-win_amd64.whl", hash = "sha256:e46f44b54ebddbeedbd3d5b289a893219065ef805d95094d16a0af6630f5d410"}, + {file = "mypy-1.8.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:855fe27b80375e5c5878492f0729540db47b186509c98dae341254c8f45f42ae"}, + {file = "mypy-1.8.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4c886c6cce2d070bd7df4ec4a05a13ee20c0aa60cb587e8d1265b6c03cf91da3"}, + {file = "mypy-1.8.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d19c413b3c07cbecf1f991e2221746b0d2a9410b59cb3f4fb9557f0365a1a817"}, + {file = "mypy-1.8.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:9261ed810972061388918c83c3f5cd46079d875026ba97380f3e3978a72f503d"}, + {file = "mypy-1.8.0-cp311-cp311-win_amd64.whl", hash = "sha256:51720c776d148bad2372ca21ca29256ed483aa9a4cdefefcef49006dff2a6835"}, + {file = "mypy-1.8.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:52825b01f5c4c1c4eb0db253ec09c7aa17e1a7304d247c48b6f3599ef40db8bd"}, + {file = "mypy-1.8.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:f5ac9a4eeb1ec0f1ccdc6f326bcdb464de5f80eb07fb38b5ddd7b0de6bc61e55"}, + {file = "mypy-1.8.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:afe3fe972c645b4632c563d3f3eff1cdca2fa058f730df2b93a35e3b0c538218"}, + {file = "mypy-1.8.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:42c6680d256ab35637ef88891c6bd02514ccb7e1122133ac96055ff458f93fc3"}, + {file = "mypy-1.8.0-cp312-cp312-win_amd64.whl", hash = "sha256:720a5ca70e136b675af3af63db533c1c8c9181314d207568bbe79051f122669e"}, + {file = "mypy-1.8.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:028cf9f2cae89e202d7b6593cd98db6759379f17a319b5faf4f9978d7084cdc6"}, + {file = "mypy-1.8.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:4e6d97288757e1ddba10dd9549ac27982e3e74a49d8d0179fc14d4365c7add66"}, + {file = "mypy-1.8.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7f1478736fcebb90f97e40aff11a5f253af890c845ee0c850fe80aa060a267c6"}, + {file = "mypy-1.8.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:42419861b43e6962a649068a61f4a4839205a3ef525b858377a960b9e2de6e0d"}, + {file = "mypy-1.8.0-cp38-cp38-win_amd64.whl", hash = "sha256:2b5b6c721bd4aabaadead3a5e6fa85c11c6c795e0c81a7215776ef8afc66de02"}, + {file = "mypy-1.8.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5c1538c38584029352878a0466f03a8ee7547d7bd9f641f57a0f3017a7c905b8"}, + {file = "mypy-1.8.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4ef4be7baf08a203170f29e89d79064463b7fc7a0908b9d0d5114e8009c3a259"}, + {file = "mypy-1.8.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7178def594014aa6c35a8ff411cf37d682f428b3b5617ca79029d8ae72f5402b"}, + {file = "mypy-1.8.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:ab3c84fa13c04aeeeabb2a7f67a25ef5d77ac9d6486ff33ded762ef353aa5592"}, + {file = "mypy-1.8.0-cp39-cp39-win_amd64.whl", hash = "sha256:99b00bc72855812a60d253420d8a2eae839b0afa4938f09f4d2aa9bb4654263a"}, + {file = "mypy-1.8.0-py3-none-any.whl", hash = "sha256:538fd81bb5e430cc1381a443971c0475582ff9f434c16cd46d2c66763ce85d9d"}, + {file = "mypy-1.8.0.tar.gz", hash = 
"sha256:6ff8b244d7085a0b425b56d327b480c3b29cafbd2eff27316a004f9a7391ae07"}, ] [package.dependencies] @@ -1357,13 +1334,13 @@ requests = "*" [[package]] name = "packaging" -version = "24.0" +version = "23.2" description = "Core utilities for Python packages" optional = false python-versions = ">=3.7" files = [ - {file = "packaging-24.0-py3-none-any.whl", hash = "sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5"}, - {file = "packaging-24.0.tar.gz", hash = "sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9"}, + {file = "packaging-23.2-py3-none-any.whl", hash = "sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7"}, + {file = "packaging-23.2.tar.gz", hash = "sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5"}, ] [[package]] @@ -1503,13 +1480,13 @@ wcwidth = "*" [[package]] name = "publicsuffixlist" -version = "0.10.0.20240403" +version = "0.10.0.20240303" description = "publicsuffixlist implement" optional = false python-versions = ">=2.6" files = [ - {file = "publicsuffixlist-0.10.0.20240403-py2.py3-none-any.whl", hash = "sha256:a3c15de3f1c7ce49db23d354f24b664126e1f518f7986b653dc8a944a5ceeff1"}, - {file = "publicsuffixlist-0.10.0.20240403.tar.gz", hash = "sha256:0d082382bdf9979237dc158b68e41352742916104c5d4074271e234176de0595"}, + {file = "publicsuffixlist-0.10.0.20240303-py2.py3-none-any.whl", hash = "sha256:58b11e02df9f06e6f535a7d7fa107491f6a66b5c115f3b392ee154fcb6278598"}, + {file = "publicsuffixlist-0.10.0.20240303.tar.gz", hash = "sha256:9f30dcd5c2b3dbd3882c89a7ba1e5f0434c9e48b118e585c74659f339208ab3a"}, ] [package.extras] 
@@ -1518,60 +1495,49 @@ update = ["requests"] [[package]] name = "pyasn1" -version = "0.6.0" +version = "0.5.1" description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)" optional = false -python-versions = ">=3.8" +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7" files = [ - {file = "pyasn1-0.6.0-py2.py3-none-any.whl", hash = "sha256:cca4bb0f2df5504f02f6f8a775b6e416ff9b0b3b16f7ee80b5a3153d9b804473"}, - {file = "pyasn1-0.6.0.tar.gz", hash = "sha256:3a35ab2c4b5ef98e17dfdec8ab074046fbda76e281c5a706ccd82328cfc8f64c"}, + {file = "pyasn1-0.5.1-py2.py3-none-any.whl", hash = "sha256:4439847c58d40b1d0a573d07e3856e95333f1976294494c325775aeca506eb58"}, + {file = "pyasn1-0.5.1.tar.gz", hash = "sha256:6d391a96e59b23130a5cfa74d6fd7f388dbbe26cc8f1edf39fdddf08d9d6676c"}, ] [[package]] name = "pyasn1-modules" -version = "0.4.0" +version = "0.3.0" description = "A collection of ASN.1-based protocols modules" optional = false -python-versions = ">=3.8" +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7" files = [ - {file = "pyasn1_modules-0.4.0-py3-none-any.whl", hash = "sha256:be04f15b66c206eed667e0bb5ab27e2b1855ea54a842e5037738099e8ca4ae0b"}, - {file = "pyasn1_modules-0.4.0.tar.gz", hash = "sha256:831dbcea1b177b28c9baddf4c6d1013c24c3accd14a1873fffaa6a2e905f17b6"}, + {file = "pyasn1_modules-0.3.0-py2.py3-none-any.whl", hash = "sha256:d3ccd6ed470d9ffbc716be08bd90efbd44d0734bc9303818f7336070984a162d"}, + {file = "pyasn1_modules-0.3.0.tar.gz", hash = "sha256:5bd01446b736eb9d31512a30d46c1ac3395d676c6f3cafa4c03eb54b9925631c"}, ] [package.dependencies] -pyasn1 = ">=0.4.6,<0.7.0" - -[[package]] -name = "pycountry" -version = "23.12.11" -description = "ISO country, subdivision, language, currency and script definitions and their translations" -optional = false -python-versions = ">=3.8" -files = [ - {file = "pycountry-23.12.11-py3-none-any.whl", hash = 
"sha256:2ff91cff4f40ff61086e773d61e72005fe95de4a57bfc765509db05695dc50ab"}, - {file = "pycountry-23.12.11.tar.gz", hash = "sha256:00569d82eaefbc6a490a311bfa84a9c571cff9ddbf8b0a4f4e7b4f868b4ad925"}, -] +pyasn1 = ">=0.4.6,<0.6.0" [[package]] name = "pycparser" -version = "2.22" +version = "2.21" description = "C parser in Python" optional = false -python-versions = ">=3.8" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" files = [ - {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"}, - {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"}, + {file = "pycparser-2.21-py2.py3-none-any.whl", hash = "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9"}, + {file = "pycparser-2.21.tar.gz", hash = "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206"}, ] [[package]] name = "pydantic" -version = "2.6.4" +version = "2.6.3" description = "Data validation using Python type hints" optional = false python-versions = ">=3.8" files = [ - {file = "pydantic-2.6.4-py3-none-any.whl", hash = "sha256:cc46fce86607580867bdc3361ad462bab9c222ef042d3da86f2fb333e1d916c5"}, - {file = "pydantic-2.6.4.tar.gz", hash = "sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6"}, + {file = "pydantic-2.6.3-py3-none-any.whl", hash = "sha256:72c6034df47f46ccdf81869fddb81aade68056003900a8724a4f160700016a2a"}, + {file = "pydantic-2.6.3.tar.gz", hash = "sha256:e07805c4c7f5c6826e33a1d4c9d47950d7eaf34868e2690f8594d2e30241f11f"}, ] [package.dependencies] 
@@ -1735,19 +1701,19 @@ testutils = ["gitpython (>3)"] [[package]] name = "pymisp" -version = "2.4.188" +version = "2.4.186" description = "Python API for MISP." optional = false -python-versions = "<4.0,>=3.8" +python-versions = ">=3.8,<4.0" files = [ - {file = "pymisp-2.4.188-py3-none-any.whl", hash = "sha256:454746ee717841cd1a9425ec6cffdaf99de595d8672685e0a61b7a233659480a"}, - {file = "pymisp-2.4.188.tar.gz", hash = "sha256:c2313d059a9f4d1221243fcda64fb8ae11603c1745e92d57c4071aad04336696"}, + {file = "pymisp-2.4.186-py3-none-any.whl", hash = "sha256:bb8ae23d038848a86cf5d6a4c965dbed79e48cd6f671681b17f72410aecf07a0"}, + {file = "pymisp-2.4.186.tar.gz", hash = "sha256:bdf2d54b297ad890418179b044dd4ea79821fccef723823919d12262e9794ca3"}, ] [package.dependencies] deprecated = ">=1.2.14,<2.0.0" publicsuffixlist = ">=0.10.0.20231214,<0.11.0.0" -python-dateutil = ">=2.9.0.post0,<3.0.0" +python-dateutil = ">=2.8.2,<3.0.0" requests = ">=2.31.0,<3.0.0" [package.extras] @@ -1758,7 +1724,7 @@ fileobjects = ["lief (>=0.14.1,<0.15.0)", "pydeep2 (>=0.5.1,<0.6.0)", "python-ma openioc = ["beautifulsoup4 (>=4.12.3,<5.0.0)"] pdfexport = ["reportlab (>=4.1.0,<5.0.0)"] url = ["pyfaup (>=1.2,<2.0)"] -virustotal = ["validators (>=0.23.0,<0.24.0)"] +virustotal = ["validators (>=0.22.0,<0.23.0)"] [[package]] name = "pyopenssl" 
@@ -1924,17 +1890,17 @@ files = [ [[package]] name = "redis" -version = "5.0.3" +version = "5.0.2" description = "Python client for Redis database and key-value store" optional = false python-versions = ">=3.7" files = [ - {file = "redis-5.0.3-py3-none-any.whl", hash = "sha256:5da9b8fe9e1254293756c16c008e8620b3d15fcc6dde6babde9541850e72a32d"}, - {file = "redis-5.0.3.tar.gz", hash = "sha256:4973bae7444c0fbed64a06b87446f79361cb7e4ec1538c022d696ed7a5015580"}, + {file = "redis-5.0.2-py3-none-any.whl", hash = "sha256:4caa8e1fcb6f3c0ef28dba99535101d80934b7d4cd541bbb47f4a3826ee472d1"}, + {file = "redis-5.0.2.tar.gz", hash = "sha256:3f82cc80d350e93042c8e6e7a5d0596e4dd68715babffba79492733e1f367037"}, ] [package.dependencies] -async-timeout = {version = ">=4.0.3", markers = "python_full_version < \"3.11.3\""} +async-timeout = ">=4.0.3" [package.extras] hiredis = ["hiredis (>=1.0.0)"] 
@@ -1942,121 +1908,19 @@ ocsp = ["cryptography (>=36.0.1)", "pyopenssl (==20.0.1)", "requests (>=2.26.0)" [[package]] name = "referencing" -version = "0.34.0" +version = "0.33.0" description = "JSON Referencing + Python" optional = false python-versions = ">=3.8" files = [ - {file = "referencing-0.34.0-py3-none-any.whl", hash = "sha256:d53ae300ceddd3169f1ffa9caf2cb7b769e92657e4fafb23d34b93679116dfd4"}, - {file = "referencing-0.34.0.tar.gz", hash = "sha256:5773bd84ef41799a5a8ca72dc34590c041eb01bf9aa02632b4a973fb0181a844"}, + {file = "referencing-0.33.0-py3-none-any.whl", hash = "sha256:39240f2ecc770258f28b642dd47fd74bc8b02484de54e1882b74b35ebd779bd5"}, + {file = "referencing-0.33.0.tar.gz", hash = "sha256:c775fedf74bc0f9189c2a3be1c12fd03e8c23f4d371dce795df44e06c5b412f7"}, ] [package.dependencies] attrs = ">=22.2.0" rpds-py = ">=0.7.0" -[[package]] -name = "regex" -version = "2023.12.25" -description = "Alternative regular expression module, to replace re." -optional = false -python-versions = ">=3.7" -files = [ - {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0694219a1d54336fd0445ea382d49d36882415c0134ee1e8332afd1529f0baa5"}, - {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b014333bd0217ad3d54c143de9d4b9a3ca1c5a29a6d0d554952ea071cff0f1f8"}, - {file = "regex-2023.12.25-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d865984b3f71f6d0af64d0d88f5733521698f6c16f445bb09ce746c92c97c586"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1e0eabac536b4cc7f57a5f3d095bfa557860ab912f25965e08fe1545e2ed8b4c"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c25a8ad70e716f96e13a637802813f65d8a6760ef48672aa3502f4c24ea8b400"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a9b6d73353f777630626f403b0652055ebfe8ff142a44ec2cf18ae470395766e"}, - {file 
= "regex-2023.12.25-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a9cc99d6946d750eb75827cb53c4371b8b0fe89c733a94b1573c9dd16ea6c9e4"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88d1f7bef20c721359d8675f7d9f8e414ec5003d8f642fdfd8087777ff7f94b5"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cb3fe77aec8f1995611f966d0c656fdce398317f850d0e6e7aebdfe61f40e1cd"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:7aa47c2e9ea33a4a2a05f40fcd3ea36d73853a2aae7b4feab6fc85f8bf2c9704"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:df26481f0c7a3f8739fecb3e81bc9da3fcfae34d6c094563b9d4670b047312e1"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:c40281f7d70baf6e0db0c2f7472b31609f5bc2748fe7275ea65a0b4601d9b392"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:d94a1db462d5690ebf6ae86d11c5e420042b9898af5dcf278bd97d6bda065423"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ba1b30765a55acf15dce3f364e4928b80858fa8f979ad41f862358939bdd1f2f"}, - {file = "regex-2023.12.25-cp310-cp310-win32.whl", hash = "sha256:150c39f5b964e4d7dba46a7962a088fbc91f06e606f023ce57bb347a3b2d4630"}, - {file = "regex-2023.12.25-cp310-cp310-win_amd64.whl", hash = "sha256:09da66917262d9481c719599116c7dc0c321ffcec4b1f510c4f8a066f8768105"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:1b9d811f72210fa9306aeb88385b8f8bcef0dfbf3873410413c00aa94c56c2b6"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d902a43085a308cef32c0d3aea962524b725403fd9373dea18110904003bac97"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_11_0_arm64.whl", hash = 
"sha256:d166eafc19f4718df38887b2bbe1467a4f74a9830e8605089ea7a30dd4da8887"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c7ad32824b7f02bb3c9f80306d405a1d9b7bb89362d68b3c5a9be53836caebdb"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:636ba0a77de609d6510235b7f0e77ec494d2657108f777e8765efc060094c98c"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0fda75704357805eb953a3ee15a2b240694a9a514548cd49b3c5124b4e2ad01b"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f72cbae7f6b01591f90814250e636065850c5926751af02bb48da94dfced7baa"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db2a0b1857f18b11e3b0e54ddfefc96af46b0896fb678c85f63fb8c37518b3e7"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:7502534e55c7c36c0978c91ba6f61703faf7ce733715ca48f499d3dbbd7657e0"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:e8c7e08bb566de4faaf11984af13f6bcf6a08f327b13631d41d62592681d24fe"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:283fc8eed679758de38fe493b7d7d84a198b558942b03f017b1f94dda8efae80"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:f44dd4d68697559d007462b0a3a1d9acd61d97072b71f6d1968daef26bc744bd"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:67d3ccfc590e5e7197750fcb3a2915b416a53e2de847a728cfa60141054123d4"}, - {file = "regex-2023.12.25-cp311-cp311-win32.whl", hash = "sha256:68191f80a9bad283432385961d9efe09d783bcd36ed35a60fb1ff3f1ec2efe87"}, - {file = "regex-2023.12.25-cp311-cp311-win_amd64.whl", hash = "sha256:7d2af3f6b8419661a0c421584cfe8aaec1c0e435ce7e47ee2a97e344b98f794f"}, - {file 
= "regex-2023.12.25-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8a0ccf52bb37d1a700375a6b395bff5dd15c50acb745f7db30415bae3c2b0715"}, - {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c3c4a78615b7762740531c27cf46e2f388d8d727d0c0c739e72048beb26c8a9d"}, - {file = "regex-2023.12.25-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ad83e7545b4ab69216cef4cc47e344d19622e28aabec61574b20257c65466d6a"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b7a635871143661feccce3979e1727c4e094f2bdfd3ec4b90dfd4f16f571a87a"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d498eea3f581fbe1b34b59c697512a8baef88212f92e4c7830fcc1499f5b45a5"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:43f7cd5754d02a56ae4ebb91b33461dc67be8e3e0153f593c509e21d219c5060"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51f4b32f793812714fd5307222a7f77e739b9bc566dc94a18126aba3b92b98a3"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ba99d8077424501b9616b43a2d208095746fb1284fc5ba490139651f971d39d9"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:4bfc2b16e3ba8850e0e262467275dd4d62f0d045e0e9eda2bc65078c0110a11f"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8c2c19dae8a3eb0ea45a8448356ed561be843b13cbc34b840922ddf565498c1c"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:60080bb3d8617d96f0fb7e19796384cc2467447ef1c491694850ebd3670bc457"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b77e27b79448e34c2c51c09836033056a0547aa360c45eeeb67803da7b0eedaf"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_x86_64.whl", 
hash = "sha256:518440c991f514331f4850a63560321f833979d145d7d81186dbe2f19e27ae3d"}, - {file = "regex-2023.12.25-cp312-cp312-win32.whl", hash = "sha256:e2610e9406d3b0073636a3a2e80db05a02f0c3169b5632022b4e81c0364bcda5"}, - {file = "regex-2023.12.25-cp312-cp312-win_amd64.whl", hash = "sha256:cc37b9aeebab425f11f27e5e9e6cf580be7206c6582a64467a14dda211abc232"}, - {file = "regex-2023.12.25-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:da695d75ac97cb1cd725adac136d25ca687da4536154cdc2815f576e4da11c69"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d126361607b33c4eb7b36debc173bf25d7805847346dd4d99b5499e1fef52bc7"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4719bb05094d7d8563a450cf8738d2e1061420f79cfcc1fa7f0a44744c4d8f73"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5dd58946bce44b53b06d94aa95560d0b243eb2fe64227cba50017a8d8b3cd3e2"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:22a86d9fff2009302c440b9d799ef2fe322416d2d58fc124b926aa89365ec482"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2aae8101919e8aa05ecfe6322b278f41ce2994c4a430303c4cd163fef746e04f"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:e692296c4cc2873967771345a876bcfc1c547e8dd695c6b89342488b0ea55cd8"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:263ef5cc10979837f243950637fffb06e8daed7f1ac1e39d5910fd29929e489a"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:d6f7e255e5fa94642a0724e35406e6cb7001c09d476ab5fce002f652b36d0c39"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = 
"sha256:88ad44e220e22b63b0f8f81f007e8abbb92874d8ced66f32571ef8beb0643b2b"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:3a17d3ede18f9cedcbe23d2daa8a2cd6f59fe2bf082c567e43083bba3fb00347"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:d15b274f9e15b1a0b7a45d2ac86d1f634d983ca40d6b886721626c47a400bf39"}, - {file = "regex-2023.12.25-cp37-cp37m-win32.whl", hash = "sha256:ed19b3a05ae0c97dd8f75a5d8f21f7723a8c33bbc555da6bbe1f96c470139d3c"}, - {file = "regex-2023.12.25-cp37-cp37m-win_amd64.whl", hash = "sha256:a6d1047952c0b8104a1d371f88f4ab62e6275567d4458c1e26e9627ad489b445"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:b43523d7bc2abd757119dbfb38af91b5735eea45537ec6ec3a5ec3f9562a1c53"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:efb2d82f33b2212898f1659fb1c2e9ac30493ac41e4d53123da374c3b5541e64"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:b7fca9205b59c1a3d5031f7e64ed627a1074730a51c2a80e97653e3e9fa0d415"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:086dd15e9435b393ae06f96ab69ab2d333f5d65cbe65ca5a3ef0ec9564dfe770"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e81469f7d01efed9b53740aedd26085f20d49da65f9c1f41e822a33992cb1590"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:34e4af5b27232f68042aa40a91c3b9bb4da0eeb31b7632e0091afc4310afe6cb"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9852b76ab558e45b20bf1893b59af64a28bd3820b0c2efc80e0a70a4a3ea51c1"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ff100b203092af77d1a5a7abe085b3506b7eaaf9abf65b73b7d6905b6cb76988"}, - {file = 
"regex-2023.12.25-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cc038b2d8b1470364b1888a98fd22d616fba2b6309c5b5f181ad4483e0017861"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:094ba386bb5c01e54e14434d4caabf6583334090865b23ef58e0424a6286d3dc"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5cd05d0f57846d8ba4b71d9c00f6f37d6b97d5e5ef8b3c3840426a475c8f70f4"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:9aa1a67bbf0f957bbe096375887b2505f5d8ae16bf04488e8b0f334c36e31360"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:98a2636994f943b871786c9e82bfe7883ecdaba2ef5df54e1450fa9869d1f756"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:37f8e93a81fc5e5bd8db7e10e62dc64261bcd88f8d7e6640aaebe9bc180d9ce2"}, - {file = "regex-2023.12.25-cp38-cp38-win32.whl", hash = "sha256:d78bd484930c1da2b9679290a41cdb25cc127d783768a0369d6b449e72f88beb"}, - {file = "regex-2023.12.25-cp38-cp38-win_amd64.whl", hash = "sha256:b521dcecebc5b978b447f0f69b5b7f3840eac454862270406a39837ffae4e697"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:f7bc09bc9c29ebead055bcba136a67378f03d66bf359e87d0f7c759d6d4ffa31"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:e14b73607d6231f3cc4622809c196b540a6a44e903bcfad940779c80dffa7be7"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9eda5f7a50141291beda3edd00abc2d4a5b16c29c92daf8d5bd76934150f3edc"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc6bb9aa69aacf0f6032c307da718f61a40cf970849e471254e0e91c56ffca95"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:298dc6354d414bc921581be85695d18912bea163a8b23cac9a2562bbcd5088b1"}, - 
{file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2f4e475a80ecbd15896a976aa0b386c5525d0ed34d5c600b6d3ebac0a67c7ddf"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:531ac6cf22b53e0696f8e1d56ce2396311254eb806111ddd3922c9d937151dae"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:22f3470f7524b6da61e2020672df2f3063676aff444db1daa283c2ea4ed259d6"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:89723d2112697feaa320c9d351e5f5e7b841e83f8b143dba8e2d2b5f04e10923"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0ecf44ddf9171cd7566ef1768047f6e66975788258b1c6c6ca78098b95cf9a3d"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:905466ad1702ed4acfd67a902af50b8db1feeb9781436372261808df7a2a7bca"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:4558410b7a5607a645e9804a3e9dd509af12fb72b9825b13791a37cd417d73a5"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:7e316026cc1095f2a3e8cc012822c99f413b702eaa2ca5408a513609488cb62f"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:3b1de218d5375cd6ac4b5493e0b9f3df2be331e86520f23382f216c137913d20"}, - {file = "regex-2023.12.25-cp39-cp39-win32.whl", hash = "sha256:11a963f8e25ab5c61348d090bf1b07f1953929c13bd2309a0662e9ff680763c9"}, - {file = "regex-2023.12.25-cp39-cp39-win_amd64.whl", hash = "sha256:e693e233ac92ba83a87024e1d32b5f9ab15ca55ddd916d878146f4e3406b5c91"}, - {file = "regex-2023.12.25.tar.gz", hash = "sha256:29171aa128da69afdf4bde412d5bedc335f2ca8fcfe4489038577d05f16181e5"}, -] - [[package]] name = "requests" version = "2.31.0" 
@@ -2094,13 +1958,13 @@ requests = ">=1.0.0" [[package]] name = "requests-oauthlib" -version = "2.0.0" +version = "1.3.1" description = "OAuthlib authentication support for Requests." optional = false -python-versions = ">=3.4" +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" files = [ - {file = "requests-oauthlib-2.0.0.tar.gz", hash = "sha256:b3dffaebd884d8cd778494369603a9e7b58d29111bf6b41bdc2dcd87203af4e9"}, - {file = "requests_oauthlib-2.0.0-py2.py3-none-any.whl", hash = "sha256:7dd8a5c40426b779b0868c404bdef9768deccf22749cde15852df527e6269b36"}, + {file = "requests-oauthlib-1.3.1.tar.gz", hash = "sha256:75beac4a47881eeb94d5ea5d6ad31ef88856affe2332b9aafb52c6452ccf0d7a"}, + {file = "requests_oauthlib-1.3.1-py2.py3-none-any.whl", hash = "sha256:2577c501a2fb8d05a304c09d090d6e47c306fef15809d102b327cf8364bddab5"}, ] [package.dependencies] 
@@ -2283,44 +2147,44 @@ pyasn1 = ">=0.1.3" [[package]] name = "ruff" -version = "0.3.5" +version = "0.3.0" description = "An extremely fast Python linter and code formatter, written in Rust." optional = false python-versions = ">=3.7" files = [ - {file = "ruff-0.3.5-py3-none-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl", hash = "sha256:aef5bd3b89e657007e1be6b16553c8813b221ff6d92c7526b7e0227450981eac"}, - {file = "ruff-0.3.5-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:89b1e92b3bd9fca249153a97d23f29bed3992cff414b222fcd361d763fc53f12"}, - {file = "ruff-0.3.5-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5e55771559c89272c3ebab23326dc23e7f813e492052391fe7950c1a5a139d89"}, - {file = "ruff-0.3.5-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:dabc62195bf54b8a7876add6e789caae0268f34582333cda340497c886111c39"}, - {file = "ruff-0.3.5-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3a05f3793ba25f194f395578579c546ca5d83e0195f992edc32e5907d142bfa3"}, - {file = "ruff-0.3.5-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:dfd3504e881082959b4160ab02f7a205f0fadc0a9619cc481982b6837b2fd4c0"}, - {file = "ruff-0.3.5-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:87258e0d4b04046cf1d6cc1c56fadbf7a880cc3de1f7294938e923234cf9e498"}, - {file = "ruff-0.3.5-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:712e71283fc7d9f95047ed5f793bc019b0b0a29849b14664a60fd66c23b96da1"}, - {file = "ruff-0.3.5-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a532a90b4a18d3f722c124c513ffb5e5eaff0cc4f6d3aa4bda38e691b8600c9f"}, - {file = "ruff-0.3.5-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:122de171a147c76ada00f76df533b54676f6e321e61bd8656ae54be326c10296"}, - {file = "ruff-0.3.5-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d80a6b18a6c3b6ed25b71b05eba183f37d9bc8b16ace9e3d700997f00b74660b"}, - {file = 
"ruff-0.3.5-py3-none-musllinux_1_2_i686.whl", hash = "sha256:a7b6e63194c68bca8e71f81de30cfa6f58ff70393cf45aab4c20f158227d5936"}, - {file = "ruff-0.3.5-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:a759d33a20c72f2dfa54dae6e85e1225b8e302e8ac655773aff22e542a300985"}, - {file = "ruff-0.3.5-py3-none-win32.whl", hash = "sha256:9d8605aa990045517c911726d21293ef4baa64f87265896e491a05461cae078d"}, - {file = "ruff-0.3.5-py3-none-win_amd64.whl", hash = "sha256:dc56bb16a63c1303bd47563c60482a1512721053d93231cf7e9e1c6954395a0e"}, - {file = "ruff-0.3.5-py3-none-win_arm64.whl", hash = "sha256:faeeae9905446b975dcf6d4499dc93439b131f1443ee264055c5716dd947af55"}, - {file = "ruff-0.3.5.tar.gz", hash = "sha256:a067daaeb1dc2baf9b82a32dae67d154d95212080c80435eb052d95da647763d"}, + {file = "ruff-0.3.0-py3-none-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl", hash = "sha256:7deb528029bacf845bdbb3dbb2927d8ef9b4356a5e731b10eef171e3f0a85944"}, + {file = "ruff-0.3.0-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:e1e0d4381ca88fb2b73ea0766008e703f33f460295de658f5467f6f229658c19"}, + {file = "ruff-0.3.0-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2f7dbba46e2827dfcb0f0cc55fba8e96ba7c8700e0a866eb8cef7d1d66c25dcb"}, + {file = "ruff-0.3.0-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:23dbb808e2f1d68eeadd5f655485e235c102ac6f12ad31505804edced2a5ae77"}, + {file = "ruff-0.3.0-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3ef655c51f41d5fa879f98e40c90072b567c666a7114fa2d9fe004dffba00932"}, + {file = "ruff-0.3.0-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:d0d3d7ef3d4f06433d592e5f7d813314a34601e6c5be8481cccb7fa760aa243e"}, + {file = "ruff-0.3.0-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b08b356d06a792e49a12074b62222f9d4ea2a11dca9da9f68163b28c71bf1dd4"}, + {file = "ruff-0.3.0-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:9343690f95710f8cf251bee1013bf43030072b9f8d012fbed6ad702ef70d360a"}, + {file = "ruff-0.3.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a1f3ed501a42f60f4dedb7805fa8d4534e78b4e196f536bac926f805f0743d49"}, + {file = "ruff-0.3.0-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:cc30a9053ff2f1ffb505a585797c23434d5f6c838bacfe206c0e6cf38c921a1e"}, + {file = "ruff-0.3.0-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:5da894a29ec018a8293d3d17c797e73b374773943e8369cfc50495573d396933"}, + {file = "ruff-0.3.0-py3-none-musllinux_1_2_i686.whl", hash = "sha256:755c22536d7f1889be25f2baf6fedd019d0c51d079e8417d4441159f3bcd30c2"}, + {file = "ruff-0.3.0-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:dd73fe7f4c28d317855da6a7bc4aa29a1500320818dd8f27df95f70a01b8171f"}, + {file = "ruff-0.3.0-py3-none-win32.whl", hash = "sha256:19eacceb4c9406f6c41af806418a26fdb23120dfe53583df76d1401c92b7c14b"}, + {file = "ruff-0.3.0-py3-none-win_amd64.whl", hash = "sha256:128265876c1d703e5f5e5a4543bd8be47c73a9ba223fd3989d4aa87dd06f312f"}, + {file = "ruff-0.3.0-py3-none-win_arm64.whl", hash = "sha256:e3a4a6d46aef0a84b74fcd201a4401ea9a6cd85614f6a9435f2d33dd8cefbf83"}, + {file = "ruff-0.3.0.tar.gz", hash = "sha256:0886184ba2618d815067cf43e005388967b67ab9c80df52b32ec1152ab49f53a"}, ] [[package]] name = "setuptools" -version = "69.2.0" +version = "69.1.1" description = "Easily download, build, install, upgrade, and uninstall Python packages" optional = false python-versions = ">=3.8" files = [ - {file = "setuptools-69.2.0-py3-none-any.whl", hash = "sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c"}, - {file = "setuptools-69.2.0.tar.gz", hash = "sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e"}, + {file = "setuptools-69.1.1-py3-none-any.whl", hash = "sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56"}, + {file = "setuptools-69.1.1.tar.gz", hash = 
"sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"}, ] [package.extras] docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"] -testing = ["build[virtualenv]", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "mypy (==1.9)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] +testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"] [[package]] 
@@ -2413,13 +2277,13 @@ requests = "*" [[package]] name = "tldextract" -version = "5.1.2" +version = "5.1.1" description = "Accurately separates a URL's subdomain, domain, and public suffix, using the Public Suffix List (PSL). By default, this includes the public ICANN TLDs and their exceptions. You can optionally support the Public Suffix List's private domains as well." optional = false python-versions = ">=3.8" files = [ - {file = "tldextract-5.1.2-py3-none-any.whl", hash = "sha256:4dfc4c277b6b97fa053899fcdb892d2dc27295851ab5fac4e07797b6a21b2e46"}, - {file = "tldextract-5.1.2.tar.gz", hash = "sha256:c9e17f756f05afb5abac04fe8f766e7e70f9fe387adb1859f0f52408ee060200"}, + {file = "tldextract-5.1.1-py3-none-any.whl", hash = "sha256:b9c4510a8766d377033b6bace7e9f1f17a891383ced3c5d50c150f181e9e1cc2"}, + {file = "tldextract-5.1.1.tar.gz", hash = "sha256:9b6dbf803cb5636397f0203d48541c0da8ba53babaf0e8a6feda2d88746813d4"}, ] [package.dependencies] @@ -2429,8 +2293,7 @@ requests = ">=2.1.0" requests-file = ">=1.4" [package.extras] -release = ["build", "twine"] -testing = ["black", "mypy", "pytest", "pytest-gitignore", "pytest-mock", "responses", "ruff", "syrupy", "tox", "types-filelock", "types-requests"] +testing = ["black", "mypy", "pytest", "pytest-gitignore", "pytest-mock", "responses", "ruff", "tox", "types-filelock", "types-requests"] [[package]] name = "tomli" 
@@ -2487,23 +2350,6 @@ files = [ {file = "tzdata-2024.1.tar.gz", hash = "sha256:2674120f8d891909751c38abcdfd386ac0a5a1127954fbc332af6b5ceae07efd"}, ] -[[package]] -name = "tzlocal" -version = "5.2" -description = "tzinfo object for the local timezone" -optional = false -python-versions = ">=3.8" -files = [ - {file = "tzlocal-5.2-py3-none-any.whl", hash = "sha256:49816ef2fe65ea8ac19d19aa7a1ae0551c834303d5014c6d5a62e4cbda8047b8"}, - {file = "tzlocal-5.2.tar.gz", hash = "sha256:8d399205578f1a9342816409cc1e46a93ebd5755e39ea2d85334bea911bf0e6e"}, -] - -[package.dependencies] -tzdata = {version = "*", markers = "platform_system == \"Windows\""} - -[package.extras] -devenv = ["check-manifest", "pytest (>=4.3)", "pytest-cov", "pytest-mock (>=3.3)", "zest.releaser"] - [[package]] name = "urllib3" version = "2.2.1" 
@@ -2765,21 +2611,20 @@ files = [ [[package]] name = "zipp" -version = "3.18.1" +version = "3.17.0" description = "Backport of pathlib-compatible object wrapper for zip files" optional = false python-versions = ">=3.8" files = [ - {file = "zipp-3.18.1-py3-none-any.whl", hash = "sha256:206f5a15f2af3dbaee80769fb7dc6f249695e940acca08dfb2a4769fe61e538b"}, - {file = "zipp-3.18.1.tar.gz", hash = "sha256:2884ed22e7d8961de1c9a05142eb69a247f120291bc0206a00a7642f09b5b715"}, + {file = "zipp-3.17.0-py3-none-any.whl", hash = "sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31"}, + {file = "zipp-3.17.0.tar.gz", hash = "sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0"}, ] [package.extras] -docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] -testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ignore-flaky", "pytest-mypy", "pytest-ruff (>=0.2.1)"] +docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-lint"] +testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ignore-flaky", "pytest-mypy (>=0.9.1)", "pytest-ruff"] [metadata] lock-version = "2.0" python-versions = ">=3.10,<3.12" -content-hash = "dabc8f6edfca97b7983905914200696ae83fe48a52c4b7094423643bf49c0d2d" - +content-hash = "57a08bd352325126a13a2843a05f06edd75bf97be48f5a54714349dc006853b4" From ee57b20ae8d2dc12c0dd72d04d33e9eabafac2aa Mon Sep 17 00:00:00 2001 From: Sebastien Larinier <sebdraven@protonmail.com> Date: Wed, 3 Apr 2024 09:59:11 +0200 Subject: [PATCH 65/69] Update pyproject.toml --- pyproject.toml | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/pyproject.toml b/pyproject.toml
index b03d13a60..f0821c446 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -24,12 +24,8 @@ authlib = "^1.2.1"
 itsdangerous = "^2.1.2"
 pyyaml = "^6.0.1"
 parameterized = "^0.9.0"
-artifacts = {git = "https://github.com/forensicartifacts/artifacts.git", rev = "main"}
-pycountry = "^23.12.11"
-dateparser = "^1.2.0"
 yara-python = "^4.5.0"
-
 
 [tool.poetry.group.dev.dependencies]
 pylint = "^2.16.1"
 mypy = "^1.0.0"
From 762621ac5c84fe449d796c98857fb974a8382dff Mon Sep 17 00:00:00 2001
From: Sebastien Larinier <sebdraven@protonmail.com>
Date: Wed, 3 Apr 2024 10:00:22 +0200
Subject: [PATCH 66/69] Update misp_to_yeti.py fix linting
---
 core/common/misp_to_yeti.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py
index da4f080d8..982ebd7dc 100644
--- a/core/common/misp_to_yeti.py
+++ b/core/common/misp_to_yeti.py
@@ -909,6 +909,7 @@ def __import_exploit_poc(
         self, invest: entity.Investigation, object_exploit_poc: MISPObject
     ):
         poc_attr = object_exploit_poc.get_attributes_by_relation("poc")
+        print(poc_attr)
 
     def __import_exploit(
         self, invest: entity.Investigation, object_exploit: MISPObject
From c9c8887bc6c603a328e27a2a2ec9fdf2320c2cab Mon Sep 17 00:00:00 2001
From: Sebastien Larinier <sebdraven@protonmail.com>
Date: Wed, 3 Apr 2024 10:02:16 +0200
Subject: [PATCH 67/69] add dateparser
---
 poetry.lock | 143 ++++++++++++++++++++++++++++++++++++++++++++++++
 pyproject.toml | 1 +
 2 files changed, 143 insertions(+), 1 deletion(-)
diff --git a/poetry.lock b/poetry.lock
index c4e9f5812..d0d81907b 100644
--- a/poetry.lock
+++ b/poetry.lock
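Review bot: The added `print(poc_attr)` in `__import_exploit_poc` is a debugging statement rather than a lint fix: the method body is otherwise just the `get_attributes_by_relation("poc")` assignment, nothing is imported into `invest` (which stays unused), and the PoC attributes taken from the external MISP event are written verbatim to stdout, where they end up in whatever captures the process output. If the goal is only to silence an unused-variable warning until the import is written, drop the assignment and leave a `# TODO: import PoC attributes into invest` comment, or route the value through the module's logger at debug level instead of `print`. Either way the unfinished state should be visible in the code rather than hidden behind a console print. The method's `def` line precedes the hunk.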
@@ -623,6 +623,28 @@ ssh = ["bcrypt (>=3.1.5)"] test = ["pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] test-randomorder = ["pytest-randomly"] +[[package]] +name = "dateparser" +version = "1.2.0" +description = "Date parsing library designed to parse dates from HTML pages" +optional = false +python-versions = ">=3.7" +files = [ + {file = "dateparser-1.2.0-py2.py3-none-any.whl", hash = "sha256:0b21ad96534e562920a0083e97fd45fa959882d4162acc358705144520a35830"}, + {file = "dateparser-1.2.0.tar.gz", hash = "sha256:7975b43a4222283e0ae15be7b4999d08c9a70e2d378ac87385b1ccf2cffbbb30"}, +] + +[package.dependencies] +python-dateutil = "*" +pytz = "*" +regex = "<2019.02.19 || >2019.02.19,<2021.8.27 || >2021.8.27" +tzlocal = "*" + +[package.extras] +calendars = ["convertdate", "hijri-converter"] +fasttext = ["fasttext"] +langdetect = ["langdetect"] + [[package]] name = "deprecated" version = "1.2.14" 
@@ -1921,6 +1943,108 @@ files = [ attrs = ">=22.2.0" rpds-py = ">=0.7.0" +[[package]] +name = "regex" +version = "2023.12.25" +description = "Alternative regular expression module, to replace re." +optional = false +python-versions = ">=3.7" +files = [ + {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0694219a1d54336fd0445ea382d49d36882415c0134ee1e8332afd1529f0baa5"}, + {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b014333bd0217ad3d54c143de9d4b9a3ca1c5a29a6d0d554952ea071cff0f1f8"}, + {file = "regex-2023.12.25-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d865984b3f71f6d0af64d0d88f5733521698f6c16f445bb09ce746c92c97c586"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1e0eabac536b4cc7f57a5f3d095bfa557860ab912f25965e08fe1545e2ed8b4c"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c25a8ad70e716f96e13a637802813f65d8a6760ef48672aa3502f4c24ea8b400"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a9b6d73353f777630626f403b0652055ebfe8ff142a44ec2cf18ae470395766e"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a9cc99d6946d750eb75827cb53c4371b8b0fe89c733a94b1573c9dd16ea6c9e4"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88d1f7bef20c721359d8675f7d9f8e414ec5003d8f642fdfd8087777ff7f94b5"}, + {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cb3fe77aec8f1995611f966d0c656fdce398317f850d0e6e7aebdfe61f40e1cd"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:7aa47c2e9ea33a4a2a05f40fcd3ea36d73853a2aae7b4feab6fc85f8bf2c9704"}, + {file = 
"regex-2023.12.25-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:df26481f0c7a3f8739fecb3e81bc9da3fcfae34d6c094563b9d4670b047312e1"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:c40281f7d70baf6e0db0c2f7472b31609f5bc2748fe7275ea65a0b4601d9b392"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:d94a1db462d5690ebf6ae86d11c5e420042b9898af5dcf278bd97d6bda065423"}, + {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ba1b30765a55acf15dce3f364e4928b80858fa8f979ad41f862358939bdd1f2f"}, + {file = "regex-2023.12.25-cp310-cp310-win32.whl", hash = "sha256:150c39f5b964e4d7dba46a7962a088fbc91f06e606f023ce57bb347a3b2d4630"}, + {file = "regex-2023.12.25-cp310-cp310-win_amd64.whl", hash = "sha256:09da66917262d9481c719599116c7dc0c321ffcec4b1f510c4f8a066f8768105"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:1b9d811f72210fa9306aeb88385b8f8bcef0dfbf3873410413c00aa94c56c2b6"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d902a43085a308cef32c0d3aea962524b725403fd9373dea18110904003bac97"}, + {file = "regex-2023.12.25-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:d166eafc19f4718df38887b2bbe1467a4f74a9830e8605089ea7a30dd4da8887"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c7ad32824b7f02bb3c9f80306d405a1d9b7bb89362d68b3c5a9be53836caebdb"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:636ba0a77de609d6510235b7f0e77ec494d2657108f777e8765efc060094c98c"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0fda75704357805eb953a3ee15a2b240694a9a514548cd49b3c5124b4e2ad01b"}, + {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f72cbae7f6b01591f90814250e636065850c5926751af02bb48da94dfced7baa"}, 
+ {file = "regex-2023.12.25-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db2a0b1857f18b11e3b0e54ddfefc96af46b0896fb678c85f63fb8c37518b3e7"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:7502534e55c7c36c0978c91ba6f61703faf7ce733715ca48f499d3dbbd7657e0"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:e8c7e08bb566de4faaf11984af13f6bcf6a08f327b13631d41d62592681d24fe"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:283fc8eed679758de38fe493b7d7d84a198b558942b03f017b1f94dda8efae80"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:f44dd4d68697559d007462b0a3a1d9acd61d97072b71f6d1968daef26bc744bd"}, + {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:67d3ccfc590e5e7197750fcb3a2915b416a53e2de847a728cfa60141054123d4"}, + {file = "regex-2023.12.25-cp311-cp311-win32.whl", hash = "sha256:68191f80a9bad283432385961d9efe09d783bcd36ed35a60fb1ff3f1ec2efe87"}, + {file = "regex-2023.12.25-cp311-cp311-win_amd64.whl", hash = "sha256:7d2af3f6b8419661a0c421584cfe8aaec1c0e435ce7e47ee2a97e344b98f794f"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8a0ccf52bb37d1a700375a6b395bff5dd15c50acb745f7db30415bae3c2b0715"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c3c4a78615b7762740531c27cf46e2f388d8d727d0c0c739e72048beb26c8a9d"}, + {file = "regex-2023.12.25-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ad83e7545b4ab69216cef4cc47e344d19622e28aabec61574b20257c65466d6a"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b7a635871143661feccce3979e1727c4e094f2bdfd3ec4b90dfd4f16f571a87a"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = 
"sha256:d498eea3f581fbe1b34b59c697512a8baef88212f92e4c7830fcc1499f5b45a5"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:43f7cd5754d02a56ae4ebb91b33461dc67be8e3e0153f593c509e21d219c5060"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51f4b32f793812714fd5307222a7f77e739b9bc566dc94a18126aba3b92b98a3"}, + {file = "regex-2023.12.25-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ba99d8077424501b9616b43a2d208095746fb1284fc5ba490139651f971d39d9"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:4bfc2b16e3ba8850e0e262467275dd4d62f0d045e0e9eda2bc65078c0110a11f"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8c2c19dae8a3eb0ea45a8448356ed561be843b13cbc34b840922ddf565498c1c"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:60080bb3d8617d96f0fb7e19796384cc2467447ef1c491694850ebd3670bc457"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b77e27b79448e34c2c51c09836033056a0547aa360c45eeeb67803da7b0eedaf"}, + {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:518440c991f514331f4850a63560321f833979d145d7d81186dbe2f19e27ae3d"}, + {file = "regex-2023.12.25-cp312-cp312-win32.whl", hash = "sha256:e2610e9406d3b0073636a3a2e80db05a02f0c3169b5632022b4e81c0364bcda5"}, + {file = "regex-2023.12.25-cp312-cp312-win_amd64.whl", hash = "sha256:cc37b9aeebab425f11f27e5e9e6cf580be7206c6582a64467a14dda211abc232"}, + {file = "regex-2023.12.25-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:da695d75ac97cb1cd725adac136d25ca687da4536154cdc2815f576e4da11c69"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d126361607b33c4eb7b36debc173bf25d7805847346dd4d99b5499e1fef52bc7"}, + {file = 
"regex-2023.12.25-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4719bb05094d7d8563a450cf8738d2e1061420f79cfcc1fa7f0a44744c4d8f73"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5dd58946bce44b53b06d94aa95560d0b243eb2fe64227cba50017a8d8b3cd3e2"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:22a86d9fff2009302c440b9d799ef2fe322416d2d58fc124b926aa89365ec482"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2aae8101919e8aa05ecfe6322b278f41ce2994c4a430303c4cd163fef746e04f"}, + {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:e692296c4cc2873967771345a876bcfc1c547e8dd695c6b89342488b0ea55cd8"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:263ef5cc10979837f243950637fffb06e8daed7f1ac1e39d5910fd29929e489a"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:d6f7e255e5fa94642a0724e35406e6cb7001c09d476ab5fce002f652b36d0c39"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:88ad44e220e22b63b0f8f81f007e8abbb92874d8ced66f32571ef8beb0643b2b"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:3a17d3ede18f9cedcbe23d2daa8a2cd6f59fe2bf082c567e43083bba3fb00347"}, + {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:d15b274f9e15b1a0b7a45d2ac86d1f634d983ca40d6b886721626c47a400bf39"}, + {file = "regex-2023.12.25-cp37-cp37m-win32.whl", hash = "sha256:ed19b3a05ae0c97dd8f75a5d8f21f7723a8c33bbc555da6bbe1f96c470139d3c"}, + {file = "regex-2023.12.25-cp37-cp37m-win_amd64.whl", hash = "sha256:a6d1047952c0b8104a1d371f88f4ab62e6275567d4458c1e26e9627ad489b445"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_universal2.whl", 
hash = "sha256:b43523d7bc2abd757119dbfb38af91b5735eea45537ec6ec3a5ec3f9562a1c53"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:efb2d82f33b2212898f1659fb1c2e9ac30493ac41e4d53123da374c3b5541e64"}, + {file = "regex-2023.12.25-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:b7fca9205b59c1a3d5031f7e64ed627a1074730a51c2a80e97653e3e9fa0d415"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:086dd15e9435b393ae06f96ab69ab2d333f5d65cbe65ca5a3ef0ec9564dfe770"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e81469f7d01efed9b53740aedd26085f20d49da65f9c1f41e822a33992cb1590"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:34e4af5b27232f68042aa40a91c3b9bb4da0eeb31b7632e0091afc4310afe6cb"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9852b76ab558e45b20bf1893b59af64a28bd3820b0c2efc80e0a70a4a3ea51c1"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ff100b203092af77d1a5a7abe085b3506b7eaaf9abf65b73b7d6905b6cb76988"}, + {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cc038b2d8b1470364b1888a98fd22d616fba2b6309c5b5f181ad4483e0017861"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:094ba386bb5c01e54e14434d4caabf6583334090865b23ef58e0424a6286d3dc"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5cd05d0f57846d8ba4b71d9c00f6f37d6b97d5e5ef8b3c3840426a475c8f70f4"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:9aa1a67bbf0f957bbe096375887b2505f5d8ae16bf04488e8b0f334c36e31360"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_s390x.whl", hash = 
"sha256:98a2636994f943b871786c9e82bfe7883ecdaba2ef5df54e1450fa9869d1f756"}, + {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:37f8e93a81fc5e5bd8db7e10e62dc64261bcd88f8d7e6640aaebe9bc180d9ce2"}, + {file = "regex-2023.12.25-cp38-cp38-win32.whl", hash = "sha256:d78bd484930c1da2b9679290a41cdb25cc127d783768a0369d6b449e72f88beb"}, + {file = "regex-2023.12.25-cp38-cp38-win_amd64.whl", hash = "sha256:b521dcecebc5b978b447f0f69b5b7f3840eac454862270406a39837ffae4e697"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:f7bc09bc9c29ebead055bcba136a67378f03d66bf359e87d0f7c759d6d4ffa31"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:e14b73607d6231f3cc4622809c196b540a6a44e903bcfad940779c80dffa7be7"}, + {file = "regex-2023.12.25-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9eda5f7a50141291beda3edd00abc2d4a5b16c29c92daf8d5bd76934150f3edc"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc6bb9aa69aacf0f6032c307da718f61a40cf970849e471254e0e91c56ffca95"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:298dc6354d414bc921581be85695d18912bea163a8b23cac9a2562bbcd5088b1"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2f4e475a80ecbd15896a976aa0b386c5525d0ed34d5c600b6d3ebac0a67c7ddf"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:531ac6cf22b53e0696f8e1d56ce2396311254eb806111ddd3922c9d937151dae"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:22f3470f7524b6da61e2020672df2f3063676aff444db1daa283c2ea4ed259d6"}, + {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = 
"sha256:89723d2112697feaa320c9d351e5f5e7b841e83f8b143dba8e2d2b5f04e10923"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0ecf44ddf9171cd7566ef1768047f6e66975788258b1c6c6ca78098b95cf9a3d"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:905466ad1702ed4acfd67a902af50b8db1feeb9781436372261808df7a2a7bca"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:4558410b7a5607a645e9804a3e9dd509af12fb72b9825b13791a37cd417d73a5"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:7e316026cc1095f2a3e8cc012822c99f413b702eaa2ca5408a513609488cb62f"}, + {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:3b1de218d5375cd6ac4b5493e0b9f3df2be331e86520f23382f216c137913d20"}, + {file = "regex-2023.12.25-cp39-cp39-win32.whl", hash = "sha256:11a963f8e25ab5c61348d090bf1b07f1953929c13bd2309a0662e9ff680763c9"}, + {file = "regex-2023.12.25-cp39-cp39-win_amd64.whl", hash = "sha256:e693e233ac92ba83a87024e1d32b5f9ab15ca55ddd916d878146f4e3406b5c91"}, + {file = "regex-2023.12.25.tar.gz", hash = "sha256:29171aa128da69afdf4bde412d5bedc335f2ca8fcfe4489038577d05f16181e5"}, +] + [[package]] name = "requests" version = "2.31.0" 
@@ -2350,6 +2474,23 @@ files = [
 {file = "tzdata-2024.1.tar.gz", hash = "sha256:2674120f8d891909751c38abcdfd386ac0a5a1127954fbc332af6b5ceae07efd"},
 ]
 
+[[package]]
+name = "tzlocal"
+version = "5.2"
+description = "tzinfo object for the local timezone"
+optional = false
+python-versions = ">=3.8"
+files = [
+ {file = "tzlocal-5.2-py3-none-any.whl", hash = "sha256:49816ef2fe65ea8ac19d19aa7a1ae0551c834303d5014c6d5a62e4cbda8047b8"},
+ {file = "tzlocal-5.2.tar.gz", hash = "sha256:8d399205578f1a9342816409cc1e46a93ebd5755e39ea2d85334bea911bf0e6e"},
+]
+
+[package.dependencies]
+tzdata = {version = "*", markers = "platform_system == \"Windows\""}
+
+[package.extras]
+devenv = ["check-manifest", "pytest (>=4.3)", "pytest-cov", "pytest-mock (>=3.3)", "zest.releaser"]
+
 [[package]]
 name = "urllib3"
 version = "2.2.1"
@@ -2627,4 +2768,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.10,<3.12"
-content-hash = "57a08bd352325126a13a2843a05f06edd75bf97be48f5a54714349dc006853b4"
+content-hash = "889ee6348cff5919c2879d2ee0d000aa5c6df31b60adefbad3c742d90aaced4a"
diff --git a/pyproject.toml b/pyproject.toml
index f0821c446..df8554cad 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -25,6 +25,7 @@ itsdangerous = "^2.1.2"
 pyyaml = "^6.0.1"
 parameterized = "^0.9.0"
 yara-python = "^4.5.0"
+dateparser = "^1.2.0"
 
 [tool.poetry.group.dev.dependencies]
 pylint = "^2.16.1"
From bb178a2f86de950ccca76f342c4aadd184818c40 Mon Sep 17 00:00:00 2001
From: Sebastien Larinier <sebdraven@protonmail.com>
Date: Wed, 3 Apr 2024 10:05:42 +0200
Subject: [PATCH 68/69] add pycountry
---
 poetry.lock | 13 ++++++++++++-
 pyproject.toml | 1 +
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/poetry.lock b/poetry.lock
index d0d81907b..287dee6f9 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1540,6 +1540,17 @@ files = [
 [package.dependencies]
 pyasn1 = ">=0.4.6,<0.6.0"
 
+[[package]]
+name = "pycountry"
+version = "23.12.11"
+description = "ISO country, subdivision, language, currency and script definitions and their translations"
+optional = false
+python-versions = ">=3.8"
+files = [
+ {file = "pycountry-23.12.11-py3-none-any.whl", hash = "sha256:2ff91cff4f40ff61086e773d61e72005fe95de4a57bfc765509db05695dc50ab"},
+ {file = "pycountry-23.12.11.tar.gz", hash = "sha256:00569d82eaefbc6a490a311bfa84a9c571cff9ddbf8b0a4f4e7b4f868b4ad925"},
+]
+
 [[package]]
 name = "pycparser"
 version = "2.21"
@@ -2768,4 +2779,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.10,<3.12"
-content-hash = "889ee6348cff5919c2879d2ee0d000aa5c6df31b60adefbad3c742d90aaced4a"
+content-hash = "511dd695f7fc68624b205789e66a5c12a733e26b5c6620075aa340049226d9ef"
diff --git a/pyproject.toml b/pyproject.toml
index df8554cad..fd5450eec 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -26,6 +26,7 @@ pyyaml = "^6.0.1"
 parameterized = "^0.9.0"
 yara-python = "^4.5.0"
 dateparser = "^1.2.0"
+pycountry = "^23.12.11"
 
 [tool.poetry.group.dev.dependencies]
 pylint = "^2.16.1"
From 0b6b0fbf072922b01e24e35d599a0cc2ba7870e4 Mon Sep 17 00:00:00 2001
From: Sebastien Larinier <sebdraven@protonmail.com>
Date: Wed, 3 Apr 2024 10:09:06 +0200
Subject: [PATCH 69/69] Update misp_event_objects.json
---
 tests/misp_test_data/misp_event_objects.json | 2265 +-----------------
 1 file changed, 1 insertion(+), 2264 deletions(-)
diff --git a/tests/misp_test_data/misp_event_objects.json b/tests/misp_test_data/misp_event_objects.json
index 3accad98f..9c63eeba7 100644
--- a/tests/misp_test_data/misp_event_objects.json
+++ b/tests/misp_test_data/misp_event_objects.json
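Review bot: The caret constraint on the new `pycountry = "^23.12.11"` line in the pyproject.toml hunk pins a calendar-versioned package to `>=23.12.11,<24.0.0`, so every 2024-and-later release (including future data corrections to the ISO tables) is silently excluded from `poetry update` while the lockfile hash set still looks current. If the intent is to take the usual security-patch cadence, a lower-bound-only or tilde spec such as `pycountry = ">=23.12.11"` expresses that better; if the intent really is to freeze on this release, a comment stating so would save the next maintainer a guess. The locked `poetry.lock` entry in the same commit carries sha256 hashes for both artifacts, which is the right shape for the supply-chain side; only the version range in pyproject needs attention.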
@@ -1,2267 +1,4 @@ { - "Event": { - "id": "114", - "orgc_id": "1", - "org_id": "1", - "date": "2024-03-01", - "threat_level_id": "1", - "info": "test for yeti", - "published": false, - "uuid": "82be29f1-dd28-4ede-9990-48374c4faf0a", - "attribute_count": "94", - "analysis": "0", - "timestamp": "1710748448", - "distribution": "1", - "proposal_email_lock": false, - "locked": false, - "publish_timestamp": "0", - "sharing_group_id": "0", - "disable_correlation": false, - "extends_uuid": "", - "protected": null, - "event_creator_email": "sebdraven@protonmail.com", - "Org": { - "id": "1", - "name": "SCTIF", - "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d", - "local": true - }, - "Orgc": { - "id": "1", - "name": "SCTIF", - "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d", - "local": true - }, - "Attribute": [], - "ShadowAttribute": [], - "RelatedEvent": [ - { - "Event": { - "id": "93", - "date": "2023-12-06", - "threat_level_id": "1", - "info": "Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers", - "published": false, - "uuid": "c9bc99a4-9207-4123-ac75-d02fd88a8138", - "analysis": "0", - "timestamp": "1701867257", - "distribution": "1", - "org_id": "1", - "orgc_id": "1", - "Org": { - "id": "1", - "name": "SCTIF", - "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d" - }, - "Orgc": { - "id": "1", - "name": "SCTIF", - "uuid": "93f7ba22-2cfa-4214-bccd-9bec36f8056d" - } - } - } - ], - "Galaxy": [], - "Object": [ - { - "id": "1035", - "name": "c2-list", - "meta-category": "network", - "description": "List of C2-servers with common ground, e.g. 
extracted from a blog post or ransomware analysis", - "template_uuid": "12456351-ceb7-4d43-9a7e-d2275d8b5785", - "template_version": "20230919", - "event_id": "114", - "uuid": "4017d4cc-284e-480e-9dc8-921dfc25f457", - "timestamp": "1709310117", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "first_seen": null, - "last_seen": null, - "ObjectReference": [], - "Attribute": [ - { - "id": "10620", - "type": "ip-src", - "category": "Network activity", - "to_ids": true, - "uuid": "7f017b41-13ba-4240-a449-3e6840739c26", - "event_id": "114", - "distribution": "5", - "timestamp": "1709308752", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1035", - "object_relation": "c2-ip", - "first_seen": null, - "last_seen": null, - "value": "1.1.1.1", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10621", - "type": "ip-src", - "category": "Network activity", - "to_ids": true, - "uuid": "685a7a39-422c-4b70-a979-251c341d39e4", - "event_id": "114", - "distribution": "5", - "timestamp": "1709308752", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1035", - "object_relation": "c2-ip", - "first_seen": null, - "last_seen": null, - "value": "2.2.2.2", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10622", - "type": "text", - "category": "Attribution", - "to_ids": false, - "uuid": "b565cdc8-2bbc-4299-9f48-246aebf9172a", - "event_id": "114", - "distribution": "5", - "timestamp": "1709308752", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1035", - "object_relation": "threat", - "first_seen": null, - "last_seen": null, - "value": "malware mechant", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10623", - "type": "ip-src|port", - "category": "Network activity", - "to_ids": true, - "uuid": "26a7ae6b-1a22-4331-8640-cbc90e5787d3", - 
"event_id": "114", - "distribution": "5", - "timestamp": "1709310117", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1035", - "object_relation": "c2-ipport", - "first_seen": null, - "last_seen": null, - "value": "1.1.1.1|8888", - "Galaxy": [], - "ShadowAttribute": [] - } - ] - }, - { - "id": "1036", - "name": "btc-wallet", - "meta-category": "financial", - "description": "An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.", - "template_uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4", - "template_version": "3", - "event_id": "114", - "uuid": "bd116941-502f-45b3-ac21-2d70d0c9a907", - "timestamp": "1709661209", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "first_seen": "2024-03-03T00:00:00.000000+00:00", - "last_seen": "2024-03-13T00:00:00.000000+00:00", - "ObjectReference": [], - "Attribute": [ - { - "id": "10624", - "type": "btc", - "category": "Financial fraud", - "to_ids": true, - "uuid": "49e5c32d-901c-404e-b80f-7a240be96ade", - "event_id": "114", - "distribution": "5", - "timestamp": "1709656629", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1036", - "object_relation": "wallet-address", - "first_seen": "2024-03-03T00:00:00.000000+00:00", - "last_seen": "2024-03-13T00:00:00.000000+00:00", - "value": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10625", - "type": "float", - "category": "Other", - "to_ids": false, - "uuid": "fe6eac0d-2f7d-4642-bb71-7520e992b5ea", - "event_id": "114", - "distribution": "5", - "timestamp": "1709661209", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1036", - "object_relation": "BTC_received", - "first_seen": "2024-03-03T00:00:00.000000+00:00", - "last_seen": "2024-03-13T00:00:00.000000+00:00", - "value": "0.5", - 
"Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10626", - "type": "float", - "category": "Other", - "to_ids": false, - "uuid": "33c7998b-16f5-41c1-ace4-b5ae8b1b618c", - "event_id": "114", - "distribution": "5", - "timestamp": "1709661209", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1036", - "object_relation": "BTC_sent", - "first_seen": "2024-03-03T00:00:00.000000+00:00", - "last_seen": "2024-03-13T00:00:00.000000+00:00", - "value": "0.8", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10627", - "type": "float", - "category": "Other", - "to_ids": false, - "uuid": "9232f198-c0fd-48f5-9391-4d26a18bff2f", - "event_id": "114", - "distribution": "5", - "timestamp": "1709661209", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1036", - "object_relation": "balance_BTC", - "first_seen": "2024-03-03T00:00:00.000000+00:00", - "last_seen": "2024-03-13T00:00:00.000000+00:00", - "value": "1", - "Galaxy": [], - "ShadowAttribute": [] - } - ] - }, - { - "id": "1037", - "name": "av-signature", - "meta-category": "misc", - "description": "Antivirus detection signature", - "template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e", - "template_version": "1", - "event_id": "114", - "uuid": "2f2e5dea-0c4b-4e41-a15b-d428e3d841a3", - "timestamp": "1709663597", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "first_seen": null, - "last_seen": null, - "ObjectReference": [], - "Attribute": [ - { - "id": "10628", - "type": "text", - "category": "Antivirus detection", - "to_ids": false, - "uuid": "98143267-5fe9-48c2-8519-584a4c659034", - "event_id": "114", - "distribution": "5", - "timestamp": "1709663597", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1037", - "object_relation": "signature", - "first_seen": null, - "last_seen": null, - 
"value": "malware_1872727", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10629", - "type": "text", - "category": "Antivirus detection", - "to_ids": false, - "uuid": "6bc5cba5-4484-499a-9e05-8f37fa671bde", - "event_id": "114", - "distribution": "5", - "timestamp": "1709663597", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1037", - "object_relation": "software", - "first_seen": null, - "last_seen": null, - "value": "Windows", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10630", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "a9c73a38-0f92-40ad-81fc-3f26bd4055b3", - "event_id": "114", - "distribution": "5", - "timestamp": "1709663597", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1037", - "object_relation": "text", - "first_seen": null, - "last_seen": null, - "value": "Vilain malware", - "Galaxy": [], - "ShadowAttribute": [] - } - ] - }, - { - "id": "1038", - "name": "command-line", - "meta-category": "misc", - "description": "Command line and options related to a specific command executed by a program, whether it is malicious or not.", - "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", - "template_version": "1", - "event_id": "114", - "uuid": "06486300-27ed-47d6-94fd-b26261e68e6a", - "timestamp": "1709718740", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "first_seen": null, - "last_seen": null, - "ObjectReference": [], - "Attribute": [ - { - "id": "10631", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "e5603d5f-c32f-4609-99af-6863868c47ab", - "event_id": "114", - "distribution": "5", - "timestamp": "1709718740", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1038", - "object_relation": "description", - "first_seen": null, - "last_seen": null, - 
"value": "mechant malware", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10632", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "7a9ac133-1592-4b50-bc52-d99d74184081", - "event_id": "114", - "distribution": "5", - "timestamp": "1709718740", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1038", - "object_relation": "value", - "first_seen": null, - "last_seen": null, - "value": "cmd.exe --mechant malware", - "Galaxy": [], - "ShadowAttribute": [] - } - ] - }, - { - "id": "1039", - "name": "cookie", - "meta-category": "network", - "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser \u2014 keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. 
As defined by the Mozilla foundation.", - "template_uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8", - "template_version": "6", - "event_id": "114", - "uuid": "449d6cd4-39cb-4cd5-96e2-655963900f87", - "timestamp": "1709720828", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "first_seen": null, - "last_seen": null, - "ObjectReference": [], - "Attribute": [ - { - "id": "10633", - "type": "cookie", - "category": "Network activity", - "to_ids": false, - "uuid": "3f74b060-02a8-49b3-b0bc-61596f787aca", - "event_id": "114", - "distribution": "5", - "timestamp": "1709720828", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1039", - "object_relation": "cookie", - "first_seen": null, - "last_seen": null, - "value": "MTA3NTg1NTM5Mg==", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10634", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "a865fa81-627e-4cea-a3f2-72fc2a51b266", - "event_id": "114", - "distribution": "5", - "timestamp": "1709720828", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1039", - "object_relation": "cookie-name", - "first_seen": null, - "last_seen": null, - "value": "MTA3NTg1NTM5Mg==", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10635", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "35f5eeb1-e7dd-420f-acaf-f9620d5ae29e", - "event_id": "114", - "distribution": "5", - "timestamp": "1709720828", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1039", - "object_relation": "cookie-value", - "first_seen": null, - "last_seen": null, - "value": "MTA3NTg1NTM5Mg==", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10636", - "type": "datetime", - "category": "Other", - "to_ids": false, - "uuid": "b29d314d-81ba-4123-8887-c5fa3497c65b", - "event_id": "114", - 
"distribution": "5", - "timestamp": "1709720828", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1039", - "object_relation": "expires", - "first_seen": null, - "last_seen": null, - "value": "2024-06-03T00:00:00.000000+0000", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10637", - "type": "boolean", - "category": "Other", - "to_ids": false, - "uuid": "e38c81cd-2333-4203-ba20-e00ac387992f", - "event_id": "114", - "distribution": "5", - "timestamp": "1709720828", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1039", - "object_relation": "http-only", - "first_seen": null, - "last_seen": null, - "value": "1", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10638", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "0e2153cb-5374-4e6b-9aa1-511f1778f947", - "event_id": "114", - "distribution": "5", - "timestamp": "1709720828", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1039", - "object_relation": "path", - "first_seen": null, - "last_seen": null, - "value": "/test/path", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10639", - "type": "boolean", - "category": "Other", - "to_ids": false, - "uuid": "1a7394be-e699-4bd4-9f60-2e1fb1e8841b", - "event_id": "114", - "distribution": "5", - "timestamp": "1709720828", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1039", - "object_relation": "secure", - "first_seen": null, - "last_seen": null, - "value": "1", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10640", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "55740096-fa6e-4221-a3ef-ca4fad63e378", - "event_id": "114", - "distribution": "5", - "timestamp": "1709720828", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - 
"disable_correlation": true, - "object_id": "1039", - "object_relation": "text", - "first_seen": null, - "last_seen": null, - "value": "Chinoxy Cookie", - "Galaxy": [], - "ShadowAttribute": [] - } - ] - }, - { - "id": "1040", - "name": "crowdsec-ip-context", - "meta-category": "network", - "description": "CrowdSec Threat Intelligence - IP CTI search", - "template_uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f", - "template_version": "3", - "event_id": "114", - "uuid": "8d7293ee-6840-4bb4-ad28-b9ac8280d4e8", - "timestamp": "1709808045", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "first_seen": null, - "last_seen": null, - "ObjectReference": [], - "Attribute": [ - { - "id": "10641", - "type": "float", - "category": "Other", - "to_ids": false, - "uuid": "d37e69f4-c220-4720-9e80-4c24299ff818", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1040", - "object_relation": "trust", - "first_seen": null, - "last_seen": null, - "value": "1.1", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10642", - "type": "ip-src", - "category": "Network activity", - "to_ids": true, - "uuid": "8b13f982-eaf4-4cf7-8e8b-207e89453ecb", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1040", - "object_relation": "ip", - "first_seen": null, - "last_seen": null, - "value": "1.1.1.1", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10643", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "40a0d8b2-c1c2-452d-b9df-c026006d7cda", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1040", - "object_relation": "scores", - 
"first_seen": null, - "last_seen": null, - "value": "10", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10644", - "type": "hostname", - "category": "Network activity", - "to_ids": true, - "uuid": "9f60442b-8584-453f-b008-53c4e806db89", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1040", - "object_relation": "reverse-dns", - "first_seen": null, - "last_seen": null, - "value": "toto.com", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10645", - "type": "float", - "category": "Other", - "to_ids": false, - "uuid": "5c8fce70-084b-492f-bd94-988472deba62", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1040", - "object_relation": "longitude", - "first_seen": null, - "last_seen": null, - "value": "1.1", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10646", - "type": "float", - "category": "Other", - "to_ids": false, - "uuid": "d489b90e-5263-41c0-baaa-4ed4e62ec55d", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1040", - "object_relation": "latitude", - "first_seen": null, - "last_seen": null, - "value": "1.1", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10647", - "type": "ip-src", - "category": "Network activity", - "to_ids": true, - "uuid": "36f12ed5-0a3e-4599-bdbb-276d49a77924", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1040", - "object_relation": "ip-range", - "first_seen": null, - "last_seen": null, - "value": "1.1.1.0/24", - "Galaxy": [], - "ShadowAttribute": [] - }, - { 
- "id": "10648", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "942491a7-5f67-41e6-831b-bd1c5f69172d", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1040", - "object_relation": "false-positives", - "first_seen": null, - "last_seen": null, - "value": "NO", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10649", - "type": "port", - "category": "Network activity", - "to_ids": false, - "uuid": "a857a881-0538-4672-9fab-11257f93e034", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1040", - "object_relation": "dst-port", - "first_seen": null, - "last_seen": null, - "value": "80", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10650", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "5a9ce51c-ab14-4fa3-8675-fe7050a6f858", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1040", - "object_relation": "country", - "first_seen": null, - "last_seen": null, - "value": "France", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10651", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "1ee369e6-aa0d-45fc-a371-8d65f5bc0c02", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1040", - "object_relation": "classifications", - "first_seen": null, - "last_seen": null, - "value": "Malicious", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10652", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": 
"ab28a6ee-8a07-419e-9c35-2fe0d6949e6c", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1040", - "object_relation": "city", - "first_seen": null, - "last_seen": null, - "value": "Paris", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10653", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "27312d85-8a27-458b-be82-36458f71b63a", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1040", - "object_relation": "behaviors", - "first_seen": null, - "last_seen": null, - "value": "Scan", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10654", - "type": "float", - "category": "Other", - "to_ids": false, - "uuid": "f5817800-c09c-44e6-ba29-766d6f373369", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": false, - "object_id": "1040", - "object_relation": "background-noise", - "first_seen": null, - "last_seen": null, - "value": "1.1", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10655", - "type": "text", - "category": "Other", - "to_ids": false, - "uuid": "2783d137-941d-4cc1-a704-fc3b18699814", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", - "sharing_group_id": "0", - "deleted": false, - "disable_correlation": true, - "object_id": "1040", - "object_relation": "attack-details", - "first_seen": null, - "last_seen": null, - "value": "Scan", - "Galaxy": [], - "ShadowAttribute": [] - }, - { - "id": "10656", - "type": "AS", - "category": "Network activity", - "to_ids": false, - "uuid": "fa2f5ede-b5f0-4865-a0e0-fa96ee150c99", - "event_id": "114", - "distribution": "5", - "timestamp": "1709807688", - "comment": "", 
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1040",
- "object_relation": "as-num",
- "first_seen": null,
- "last_seen": null,
- "value": "1234",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10657",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "55dd1fa8-5a4d-4bc5-a500-22309718d9be",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709807688",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1040",
- "object_relation": "country-code",
- "first_seen": null,
- "last_seen": null,
- "value": "FR",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10658",
- "type": "AS",
- "category": "Network activity",
- "to_ids": false,
- "uuid": "b98acf92-8236-4e0e-b0f3-563be4708786",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709808045",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1040",
- "object_relation": "as-name",
- "first_seen": null,
- "last_seen": null,
- "value": "1234",
- "Galaxy": [],
- "ShadowAttribute": []
- }
- ]
- },
- {
- "id": "1041",
- "name": "cs-beacon-config",
- "meta-category": "file",
- "description": "Cobalt Strike Beacon Config",
- "template_uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
- "template_version": "3",
- "event_id": "114",
- "uuid": "9b822b13-01b2-4ea8-bdc5-43ddf783daba",
- "timestamp": "1709826473",
- "distribution": "5",
- "sharing_group_id": "0",
- "comment": "",
- "deleted": false,
- "first_seen": null,
- "last_seen": null,
- "ObjectReference": [],
- "Attribute": [
- {
- "id": "10659",
- "type": "url",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "fd5e7d03-fef1-4022-a631-46f0b935747b",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "c2",
- "first_seen": null,
- "last_seen": null,
- "value": "https://url.cs",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10660",
- "type": "ip-dst",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "57e19849-9f2b-4ebd-af85-e060a569ee25",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "ip",
- "first_seen": null,
- "last_seen": null,
- "value": "1.1.1.1",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10661",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "d1df1e8e-4741-426c-8113-d5dd8446592f",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "license-id",
- "first_seen": null,
- "last_seen": null,
- "value": "1234567890",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10662",
- "type": "md5",
- "category": "Payload delivery",
- "to_ids": true,
- "uuid": "c7ee8e7b-4ff4-41ad-ab4b-472d63cc6d41",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "md5",
- "first_seen": null,
- "last_seen": null,
- "value": "bc67462c4ee665dc75b59b41aa2855f2",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10663",
- "type": "sha1",
- "category": "Payload delivery",
- "to_ids": true,
- "uuid": "4286581d-c3e5-4a6e-9652-cb1f6bf90de3",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "sha1",
- "first_seen": null,
- "last_seen": null,
- "value": "5a8584501da14a7830e2227dde846ec67ac7f64c",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10664",
- "type": "sha256",
- "category": "Payload delivery",
- "to_ids": true,
- "uuid": "c0fcfd8c-5c21-4c51-9944-0a3f88e1daa8",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "sha256",
- "first_seen": null,
- "last_seen": null,
- "value": "32a0000b5dc0de6b7e55b661ef220e166007392b90ada97dd4ad3ef0bb265615",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10665",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "200187be-c799-4e09-9e68-6f3d00b18913",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1041",
- "object_relation": "city",
- "first_seen": null,
- "last_seen": null,
- "value": "Paris",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10666",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "944e171f-2a18-4c62-9736-eb680d91dffe",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1041",
- "object_relation": "geo",
- "first_seen": null,
- "last_seen": null,
- "value": "France",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10667",
- "type": "md5",
- "category": "External analysis",
- "to_ids": true,
- "uuid": "26c806fc-ea00-488b-85db-177b597da8f8",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "jar-md5",
- "first_seen": null,
- "last_seen": null,
- "value": "bc67462c4ee665dc75b59b41aa2855f2",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10668",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "0ef44b85-39f5-47c3-9ca1-9f82a1201e2c",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1041",
- "object_relation": "sector",
- "first_seen": null,
- "last_seen": null,
- "value": "Education",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10669",
- "type": "sha256",
- "category": "External analysis",
- "to_ids": true,
- "uuid": "9e47882d-0819-4475-a1ce-1500c6ec87e3",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "vt-sha256",
- "first_seen": null,
- "last_seen": null,
- "value": "32a0000b5dc0de6b7e55b661ef220e166007392b90ada97dd4ad3ef0bb265615",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10670",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "f52a2602-ec55-4fc0-a4a1-387f01881dd2",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709826473",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1041",
- "object_relation": "watermark",
- "first_seen": null,
- "last_seen": null,
- "value": "ZERTYUIOPLKJH",
- "Galaxy": [],
- "ShadowAttribute": []
- }
- ]
- },
- {
- "id": "1042",
- "name": "domain-ip",
- "meta-category": "network",
- "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
- "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
- "template_version": "11",
- "event_id": "114",
- "uuid": "896cdc82-64d5-4334-bc9c-31aa85dc55d1",
- "timestamp": "1709911414",
- "distribution": "5",
- "sharing_group_id": "0",
- "comment": "",
- "deleted": false,
- "first_seen": null,
- "last_seen": null,
- "ObjectReference": [],
- "Attribute": [
- {
- "id": "10671",
- "type": "domain",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "62705eaa-b158-4bed-bdef-a25e11c07f12",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709911415",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1042",
- "object_relation": "domain",
- "first_seen": null,
- "last_seen": null,
- "value": "google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10672",
- "type": "hostname",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "48fbc23b-85cc-485d-90e3-00fcbf63a8a6",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709911415",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1042",
- "object_relation": "hostname",
- "first_seen": null,
- "last_seen": null,
- "value": "dns.google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10673",
- "type": "ip-dst",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "6df0bd65-edc7-4a40-a2d9-54ae6aa35fdf",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709911415",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1042",
- "object_relation": "ip",
- "first_seen": null,
- "last_seen": null,
- "value": "8.8.8.8",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10674",
- "type": "port",
- "category": "Network activity",
- "to_ids": false,
- "uuid": "878a65e8-f870-484a-9fb1-36cb484707d8",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709911415",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1042",
- "object_relation": "port",
- "first_seen": null,
- "last_seen": null,
- "value": "53",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10675",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "6e939061-b00c-410e-82d8-295fb5f1b9db",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709911415",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1042",
- "object_relation": "text",
- "first_seen": null,
- "last_seen": null,
- "value": "dns google",
- "Galaxy": [],
- "ShadowAttribute": []
- }
- ]
- },
- {
- "id": "1043",
- "name": "dns-record",
- "meta-category": "network",
- "description": "A set of DNS records observed for a specific domain.",
- "template_uuid": "f023c8f0-81ab-41f3-9f5d-fa597a34a9b9",
- "template_version": "2",
- "event_id": "114",
- "uuid": "17f7b3f3-640f-403f-8e02-533157a9dd74",
- "timestamp": "1709914685",
- "distribution": "5",
- "sharing_group_id": "0",
- "comment": "",
- "deleted": false,
- "first_seen": null,
- "last_seen": null,
- "ObjectReference": [],
- "Attribute": [
- {
- "id": "10676",
- "type": "ip-dst",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "d969a4ce-1ea5-44d4-808f-5178a3acca24",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "a-record",
- "first_seen": null,
- "last_seen": null,
- "value": "8.8.8.8",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10677",
- "type": "ip-dst",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "978fa705-0408-49c2-8b29-a6c3e3fad348",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "aaaa-record",
- "first_seen": null,
- "last_seen": null,
- "value": "fe80::dc23:da6a:903a:199a",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10678",
- "type": "domain",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "37221d25-317c-4e16-a051-a74420183def",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "cname-record",
- "first_seen": null,
- "last_seen": null,
- "value": "cname.google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10679",
- "type": "domain",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "87dc197d-778c-4dae-9f8c-a6c8620e0a4b",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "mx-record",
- "first_seen": null,
- "last_seen": null,
- "value": "mx.google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10680",
- "type": "domain",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "9bfd69fd-65ae-46da-8658-6707a4c61a73",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "ns-record",
- "first_seen": null,
- "last_seen": null,
- "value": "ns.google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10681",
- "type": "domain",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "6a65f02b-aa44-4ede-9bb6-2c4627d4683d",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "ptr-record",
- "first_seen": null,
- "last_seen": null,
- "value": "ptr.google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10682",
- "type": "domain",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "5dc15655-ef0c-4ecf-93fe-4907229dde2d",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "queried-domain",
- "first_seen": null,
- "last_seen": null,
- "value": "google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10683",
- "type": "domain",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "90ec68a2-bc84-42dd-998d-a531193c4f6b",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "soa-record",
- "first_seen": null,
- "last_seen": null,
- "value": "soa.google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10684",
- "type": "ip-dst",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "aee5db87-93bc-4ab9-aae2-dccf8030b025",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "spf-record",
- "first_seen": null,
- "last_seen": null,
- "value": "1.1.1.1",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10685",
- "type": "domain",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "d0d4ecfe-df45-4800-8e2b-8a846c797633",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "srv-record",
- "first_seen": null,
- "last_seen": null,
- "value": "svr.google.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10686",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "7e4f909f-76fa-4b88-8dca-350cc19d4ddc",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "text",
- "first_seen": null,
- "last_seen": null,
- "value": "test google",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10687",
- "type": "text",
- "category": "Network activity",
- "to_ids": false,
- "uuid": "b5c51e3c-21a6-4a0e-8ca4-9f11d2c24105",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1709914685",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1043",
- "object_relation": "txt-record",
- "first_seen": null,
- "last_seen": null,
- "value": "maliciouuuuuuuus",
- "Galaxy": [],
- "ShadowAttribute": []
- }
- ]
- },
- {
- "id": "1044",
- "name": "directory",
- "meta-category": "file",
- "description": "Directory object describing a directory with meta-information",
- "template_uuid": "23ac6a02-1017-4ea6-a4df-148ed563988d",
- "template_version": "1",
- "event_id": "114",
- "uuid": "ec79de9c-f711-4883-ac62-e2a46637a0fd",
- "timestamp": "1710167623",
- "distribution": "5",
- "sharing_group_id": "0",
- "comment": "",
- "deleted": false,
- "first_seen": null,
- "last_seen": null,
- "ObjectReference": [],
- "Attribute": [
- {
- "id": "10688",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "125fb030-6e34-439c-a335-eb894b315fb1",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710167623",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1044",
- "object_relation": "path",
- "first_seen": null,
- "last_seen": null,
- "value": "/var/lib/mechant",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10689",
- "type": "datetime",
- "category": "Other",
- "to_ids": false,
- "uuid": "8db2f816-950d-4848-bc63-8ee5cda387c1",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710167623",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1044",
- "object_relation": "access-time",
- "first_seen": null,
- "last_seen": null,
- "value": "2024-03-11T14:32:39.000000+0000",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10690",
- "type": "datetime",
- "category": "Other",
- "to_ids": false,
- "uuid": "1e757cae-d0b0-478f-96ab-058b8a75e82d",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710167623",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1044",
- "object_relation": "creation-time",
- "first_seen": null,
- "last_seen": null,
- "value": "2024-03-11T14:32:39.000000+0000",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10691",
- "type": "datetime",
- "category": "Other",
- "to_ids": false,
- "uuid": "769bcd9e-738c-4c8b-92a1-c48ade6009a3",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710167623",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1044",
- "object_relation": "modification-time",
- "first_seen": null,
- "last_seen": null,
- "value": "2024-03-11T14:32:39.000000+0000",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10692",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "9f98c812-a9c2-4b49-b139-ef301037138b",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710167623",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1044",
- "object_relation": "path-encoding",
- "first_seen": null,
- "last_seen": null,
- "value": "BRF",
- "Galaxy": [],
- "ShadowAttribute": []
- }
- ]
- },
- {
- "id": "1045",
- "name": "email",
- "meta-category": "network",
- "description": "Email object describing an email with meta-information",
- "template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
- "template_version": "19",
- "event_id": "114",
- "uuid": "811b697d-e19d-4fe1-a396-1967c1c6f388",
- "timestamp": "1710748448",
- "distribution": "5",
- "sharing_group_id": "0",
- "comment": "",
- "deleted": false,
- "first_seen": null,
- "last_seen": null,
- "ObjectReference": [],
- "Attribute": [
- {
- "id": "10694",
- "type": "email-dst-display-name",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "af3a24c5-25d8-4696-9752-194ba8c64f9e",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "reply-to-display-name",
- "first_seen": null,
- "last_seen": null,
- "value": "replay-test",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10695",
- "type": "email-reply-to",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "655d763a-9512-4fa3-8ec3-6dced7de19f6",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "reply-to",
- "first_seen": null,
- "last_seen": null,
- "value": "reply@test.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10696",
- "type": "email-subject",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "54df3237-4668-4659-be80-c1473e8d2233",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "subject",
- "first_seen": null,
- "last_seen": null,
- "value": "subject test",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10697",
- "type": "email-dst",
- "category": "Payload delivery",
- "to_ids": true,
- "uuid": "4b772548-d324-4f14-8ffa-76350deb37a8",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "bcc",
- "first_seen": null,
- "last_seen": null,
- "value": "bbc@test.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10698",
- "type": "email-dst",
- "category": "Payload delivery",
- "to_ids": true,
- "uuid": "269ee214-63f1-4ffb-8c11-6a74a8ffb18e",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "to",
- "first_seen": null,
- "last_seen": null,
- "value": "to@test.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10699",
- "type": "email-dst-display-name",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "2cd432b5-7326-414f-8cd4-55b4d3efdd62",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "to-display-name",
- "first_seen": null,
- "last_seen": null,
- "value": "to-display-test",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10700",
- "type": "domain",
- "category": "Payload delivery",
- "to_ids": true,
- "uuid": "7580354c-82e4-4613-a2f0-04c35f032e54",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "from-domain",
- "first_seen": null,
- "last_seen": null,
- "value": "from.test.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10701",
- "type": "email-src-display-name",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "9f5d7efc-c73b-42f0-9d76-bb2136398c32",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "from-display-name",
- "first_seen": null,
- "last_seen": null,
- "value": "from-display-test",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10702",
- "type": "email-src",
- "category": "Payload delivery",
- "to_ids": true,
- "uuid": "d927fddc-884d-4d2d-81b6-eb9a6a8c406d",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "from",
- "first_seen": null,
- "last_seen": null,
- "value": "from@test.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10703",
- "type": "email-body",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "0fba1948-13a1-4001-8ab3-d001af7aef9e",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "email-body",
- "first_seen": null,
- "last_seen": null,
- "value": "blablablaba",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10704",
- "type": "email-dst-display-name",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "40589ccd-a3cb-4a3e-a90e-adf53e10c9f1",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "cc-display-name",
- "first_seen": null,
- "last_seen": null,
- "value": "cc-display-test",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10705",
- "type": "email-dst",
- "category": "Payload delivery",
- "to_ids": true,
- "uuid": "bc79c5fe-2a44-496c-8e4b-d2d368a30947",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "cc",
- "first_seen": null,
- "last_seen": null,
- "value": "cc@test.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10706",
- "type": "email-dst-display-name",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "f1135dd9-5a0b-402b-802f-b2089b7c0014",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "bcc-display-name",
- "first_seen": null,
- "last_seen": null,
- "value": "bcc-display-name",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10707",
- "type": "text",
- "category": "Other",
- "to_ids": false,
- "uuid": "fa53a562-feb8-4d24-ad41-e2289d8cb238",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "user-agent",
- "first_seen": null,
- "last_seen": null,
- "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10708",
- "type": "email-thread-index",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "c4e5f653-77a5-421a-acb6-532d6c054d1b",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "thread-index",
- "first_seen": null,
- "last_seen": null,
- "value": "1235",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10709",
- "type": "datetime",
- "category": "Other",
- "to_ids": false,
- "uuid": "72a78538-3663-4420-bbf5-7cdd17fdc13f",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "send-date",
- "first_seen": null,
- "last_seen": null,
- "value": "2024-03-18T00:00:00.000000+0000",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10710",
- "type": "ip-src",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "8dc24960-2f20-4970-9732-f4216fad2328",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "received-header-ip",
- "first_seen": null,
- "last_seen": null,
- "value": "1.1.1.1",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10711",
- "type": "hostname",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "36ac2aa4-6b14-41ec-bbf6-4626839e734d",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "received-header-hostname",
- "first_seen": null,
- "last_seen": null,
- "value": "received.test.com",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10712",
- "type": "email-message-id",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "b2b8e0b3-7050-4371-a218-d00b6aad4d26",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "message-id",
- "first_seen": null,
- "last_seen": null,
- "value": "1235",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10713",
- "type": "ip-src",
- "category": "Network activity",
- "to_ids": true,
- "uuid": "cf825b17-9c0c-4e4d-ac22-a47fdec5d79b",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": false,
- "object_id": "1045",
- "object_relation": "ip-src",
- "first_seen": null,
- "last_seen": null,
- "value": "1.1.1.1",
- "Galaxy": [],
- "ShadowAttribute": []
- },
- {
- "id": "10714",
- "type": "email-header",
- "category": "Payload delivery",
- "to_ids": false,
- "uuid": "209dbd9b-0bb9-408c-9850-a1f5a721cdc5",
- "event_id": "114",
- "distribution": "5",
- "timestamp": "1710748448",
- "comment": "",
- "sharing_group_id": "0",
- "deleted": false,
- "disable_correlation": true,
- "object_id": "1045",
- "object_relation": "header",
- "first_seen": null,
- "last_seen": null,
- "value": "test header",
- "Galaxy": [],
- "ShadowAttribute": []
- }
- ]
- }
- ],
- "EventReport": [],
- "CryptographicKey": []
- }
-}{
 "Event": {
 "id": "114",
 "orgc_id": "1",
@@ -4718,4 +2455,4 @@
 }
 ]
 }
-}
+}
\ No newline at end of file