MISP modules are autonomous modules that can be used for expansion and other services in MISP

Project description

MISP modules

MISP modules are autonomous modules that can be used to extend MISP for new services such as expansion, import, export and workflow action.

MISP modules can also be installed and used without MISP, as a standalone tool accessible via a convenient web interface or a CLI tool.

The modules are written in Python 3 following a simple API interface. The objective is to ease the extension of MISP functionality without modifying core components. The API is exposed as a simple REST API which is independent of the MISP installation or configuration and can be used with other tools. The API is also documented automatically via an OpenAPI endpoint or a Swagger file.

For more information: Extending MISP with Python modules slides from MISP training.

Installation

Installation instructions can be found in the installation documentation.

How to add your own MISP modules?

Developing a MISP module yourself is fairly easy. Start with a template or existing module and continue from there. More information can be found in the contribute section of the documentation.

Documentation

To document modules that require specific input, output or configuration, the documentation contains detailed information about the general purpose, requirements, features, input and output of each of these modules:

  • description - quick description of the general purpose of the module, like the one given by the moduleinfo
  • requirements - special libraries needed to make the module work
  • features - description of the way to use the module, with the required MISP features to make the module give the intended result
  • references - link(s) giving additional information about the format concerned in the module
  • input - description of the format of data used in input
  • output - description of the format given as the result of the module execution

OpenAPI and API explorer

When the service is running you can discover the available endpoints in a machine-readable way via /openapi.json. An interactive Swagger UI that consumes the same specification is available at /openapi. The specification is generated during service startup, so restart misp-modules after adding or removing modules to refresh what those endpoints expose.
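
The sketch below is an added example, not code from the misp-modules project: it lists the operations declared in /openapi.json and diffs them against a reviewed baseline, so an endpoint that appears after a restart is noticed. The base URL (the default local listener), the function names and the two sample specifications are assumptions made for illustration.

```python
import json
import urllib.request

# Assumption: misp-modules is listening on its default local address.
BASE_URL = "http://127.0.0.1:6666"
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def fetch_spec(base_url=BASE_URL, timeout=5):
    """Download the specification the running service generated at startup."""
    with urllib.request.urlopen(f"{base_url}/openapi.json", timeout=timeout) as resp:
        return json.load(resp)


def exposed_operations(spec):
    """Return the set of (METHOD, path) pairs declared in an OpenAPI document."""
    ops = set()
    for path, item in spec.get("paths", {}).items():
        for key in item:
            # Path items also carry non-operation keys such as "parameters".
            if key.lower() in HTTP_METHODS:
                ops.add((key.upper(), path))
    return ops


def diff_exposure(baseline_spec, current_spec):
    """Compare a reviewed baseline with the spec served after a restart."""
    before = exposed_operations(baseline_spec)
    after = exposed_operations(current_spec)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


# Constructed sample documents (hypothetical paths, not real misp-modules output).
BASELINE = {"openapi": "3.0.0", "paths": {
    "/example/modules": {"get": {}},
    "/example/query": {"parameters": [], "post": {}},
}}
AFTER_RESTART = {"openapi": "3.0.0", "paths": {
    "/example/modules": {"get": {}},
    "/example/query": {"parameters": [], "post": {}},
    "/example/new-module": {"post": {}},
}}

if __name__ == "__main__":
    # Offline run on the constructed data; pass fetch_spec() for a live service.
    print(diff_exposure(BASELINE, AFTER_RESTART))
```

Store the baseline after reviewing a known-good deployment and run the comparison after each restart; anything under "added" is a newly exposed operation to review.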

Licenses

For further information, see the license file.

Existing MISP modules

Expansion Modules

Export Modules

Import Modules

  • ANYRUN Sandbox Import - A module designed to retrieve an analysis report from the ANY.RUN Sandbox by its unique ID and extract results (such as verdict, malware tags, and IOCs), converting them into MISP attributes within your event.
  • PDNS COF Importer - Passive DNS Common Output Format (COF) MISP importer
  • CSV Import - Module to import MISP attributes from a csv file.
  • Cuckoo Sandbox Import - Module to import Cuckoo JSON.
  • Email Import - Email import module for MISP
  • GoAML Import - Module to import MISP objects about financial transactions from GoAML files.
  • Import Blueprint - Generic blueprint to be copy-pasted to quickly bootstrap the creation of an import module.
  • Joe Sandbox Import - A module to import data from a Joe Sandbox analysis json report.
  • Lastline Import - Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. Module to import and parse reports from Lastline analysis links.
  • MISP JSON Import - Module to import MISP JSON format for merging MISP events.
  • OCR Import - Optical Character Recognition (OCR) module for MISP.
  • OpenIOC Import - Module to import OpenIOC packages.
  • TAXII 2.1 Import - Import content from a TAXII 2.1 server
  • CSV Test Import - Simple CSV import tool with mappable columns
  • ThreatAnalyzer Sandbox Import - Module to import ThreatAnalyzer archive.zip / analysis.json files.
  • URL Import - Simple URL import tool with Faup
  • VMRay API Import - Module to import VMRay (VTI) results.
  • VMRay Summary JSON Import - Import a VMRay Summary JSON report.

Action Modules

  • Export to Sentinel or Defender - Export indicators to Microsoft Sentinel or Microsoft Defender. Requires an existing installation of MISP2Sentinel or MISP2Defender.
  • Mattermost - Simplistic module to send a message to a Mattermost channel.
  • Nextcloud talk - Simplistic module to send a message to a Nextcloud talk conversation.
  • Slack - Simplistic module to send messages to a Slack channel.
  • Test action - This module is merely a test, always returning true. Triggers on event publishing.

Download files

Source Distribution

misp_modules-3.0.8.tar.gz (466.0 kB)

Uploaded Source

Built Distribution

misp_modules-3.0.8-py3-none-any.whl (595.6 kB)

Uploaded Python 3

File details

Details for the file misp_modules-3.0.8.tar.gz.

File metadata

  • Download URL: misp_modules-3.0.8.tar.gz
  • Upload date:
  • Size: 466.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for misp_modules-3.0.8.tar.gz
Algorithm Hash digest
SHA256 a3a6cc6e030abd3ab22f5805a46cce924bcaec50110b3cb6de824f8d37e876bf
MD5 00306cbce0e4170049a570495ad60575
BLAKE2b-256 359382262f93e72953b54055d607fdf6f356e77f537c3977610d767d2cf8f5d2

Provenance

The following attestation bundles were made for misp_modules-3.0.8.tar.gz:

Publisher: release-package.yml on MISP/misp-modules

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file misp_modules-3.0.8-py3-none-any.whl.

File metadata

  • Download URL: misp_modules-3.0.8-py3-none-any.whl
  • Upload date:
  • Size: 595.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for misp_modules-3.0.8-py3-none-any.whl
Algorithm Hash digest
SHA256 59d111d7239c45cfe942267edbb6b30b204b3ab59deb16f49d54cff04a0e80b2
MD5 b9a9cad61a2d5da6872c0536d3ffdb52
BLAKE2b-256 a75450e490c191c0c567ae420fd6377bc30fca0b1754c48eb18dbb6e76177f2b

Provenance

The following attestation bundles were made for misp_modules-3.0.8-py3-none-any.whl:

Publisher: release-package.yml on MISP/misp-modules

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
