Automatically import results from VirusTotal queries into MISP objects

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for 3c7 from gravatar.com 3c7

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License (MIT)

Author: 3c7

Requires: Python >=3.8, <4.0

Classifiers

Project description

VirusTotal Query to MISP Objects (vt2m)

While there are multiple Python projects which implement the object creation based on single VirusTotal objects, this project aims to enable users to directly convert VirusTotal search queries to MISP objects. This is work in progress. Future release will implement handling URLs, Domain and IP objects, too. Right now, only file objects are implemented.

Installation

pip install vt2m

Usage

If you use the script frequently, passing the arguments as environment variables (MISP_URL, MISP_KEY, VT_KEY) can be useful to save some time. For example, this can be achieved through creating a shell script which passes the environment variables and executes the command with spaces in front, so it does not show up in the shell history.

Via --relations VirusTotal relations can be resolved and added as MISP objects with the specific relations, e.g. the following graph was created using vt2m: MISP Graph Graph created via vt2m --uuid <UUID> --limit 5 --relations dropped_files,execution_parents "behaviour_processes:\"ping -n 70\""

Params

usage: vt2m [-h] --uuid UUID [--url URL] [--key KEY] [--vt-key VT_KEY] [--comment COMMENT] [--limit LIMIT] [--relations RELATIONS] [--quiet]
            [--detections DETECTIONS]
            query

positional arguments:
  query                 VT query

optional arguments:
  -h, --help            show this help message and exit
  --uuid UUID, -u UUID  MISP event uuid
  --url URL, -U URL     MISP URL - can also be given as env MISP_URL
  --key KEY, -k KEY     MISP API key - can also be given as env MISP_KEY
  --vt-key VT_KEY, -K VT_KEY
                        VT API key - can also be given as env VT_KEY
  --comment COMMENT, -c COMMENT
                        Comment to add to MISP objects
  --limit LIMIT, -l LIMIT
                        Limit results of VT query - default is 100
  --relations RELATIONS, -r RELATIONS
                        Comma-seperated list of relations to request PER result (if type fits). This can burn your API credits. Currently
                        implemented: dropped_files, executing_parents, bundled_files
  --quiet, -q           Disable output. Stderr will still be printed.
  --detections DETECTIONS, -d DETECTIONS
                        Only consider related entities with at least X malicious detections.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for 3c7 from gravatar.com 3c7

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License (MIT)

Author: 3c7

Requires: Python >=3.8, <4.0

Classifiers

Release history Release notifications | RSS feed

0.1.17

0.1.16

0.1.15

0.1.14

0.1.13

0.1.12

0.1.11

0.1.10

0.1.9

0.1.8

This version

0.1.7

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vt2m-0.1.7.tar.gz (97.1 kB view hashes)

Uploaded Source

Built Distribution

vt2m-0.1.7-py3-none-any.whl (98.3 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page