#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
from pathlib import Path
from pymisp.tools import CSVLoader
from pymisp import MISPEvent
# Decide whether this run can talk to a MISP instance at all: the credentials
# module `keys` and the client class must both be importable, otherwise the
# script degrades to local-only (dump) mode.
try:
    from keys import misp_key, misp_url, misp_verifycert
    from pymisp import ExpandedPyMISP
except ImportError as e:
    print(f'Unable to import MISP parameters, unable to POST on MISP: {e}')
    offline = True
else:
    offline = False
'''
Example:
* If the CSV file has fieldnames matching the object-relation:
load_csv.py -n file -p /tmp/foo.csv
* If you want to force the fieldnames:
load_csv.py -n file -p /tmp/foo.csv -f SHA1 fileName size-in-bytes
'''
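if __name__ == '__main__':
    # CLI entry point: parse a CSV into MISP objects of one template, then
    # either dump them locally (-d), attach them to a new event (-i) or add
    # them to an existing event (-u).
    parser = argparse.ArgumentParser(description='Load a CSV file as MISP objects')
    parser.add_argument("-n", "--object_name", type=str, required=True, help="Template name of the objects in the CSV.")
    parser.add_argument("-p", "--path", required=True, type=Path, help="Path to the CSV file.")
    parser.add_argument("-f", "--fieldnames", nargs='*', default=[], help="Fieldnames of the CSV, have to match the object-relation allowed in the template. If empty, the fieldnames of the CSV have to match the template.")
    parser.add_argument("-s", "--skip_fieldnames", action='store_true', help="Skip fieldnames in the CSV.")
    parser.add_argument("-d", "--dump", action='store_true', help="(Debug) Dump the object in the terminal.")
    parser.add_argument("--delimiter", type=str, default=',', help="Delimiter between fields in the CSV. Default: ','.")
    parser.add_argument("--quotechar", type=str, default='"', help="Quote character of the fields in the CSV. Default: '\"'.")
    # Interact with MISP
    misp_group = parser.add_mutually_exclusive_group()
    misp_group.add_argument('-i', '--new_event', type=str, help="Info field of the new event")
    misp_group.add_argument('-u', '--update_event', type=int, help="ID of the existing event to update")
    args = parser.parse_args()

    # Without explicit fieldnames the CSV header row is the only source of
    # object-relations, so the loader must read it; with explicit fieldnames,
    # -s says whether a header row is still present and has to be skipped.
    if not args.fieldnames:
        has_fieldnames = True
    else:
        has_fieldnames = args.skip_fieldnames

    csv_loader = CSVLoader(template_name=args.object_name, csv_path=args.path,
                           fieldnames=args.fieldnames, has_fieldnames=has_fieldnames,
                           delimiter=args.delimiter, quotechar=args.quotechar)
    objects = csv_loader.load()

    if args.dump:
        for o in objects:
            print(o.to_json())
    elif offline:
        print('You are in offline mode, quitting.')
    else:
        # Neither -i nor -u given: the old code fell through to
        # add_object(None, ...) and failed inside the client; fail early instead.
        if not args.new_event and args.update_event is None:
            parser.error('one of -i/--new_event or -u/--update_event is required unless -d/--dump is given')
        # `ssl` is the certificate-verification setting for the MISP endpoint;
        # it is taken from keys.py so that it is not hard-coded here.
        misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
        if args.new_event:
            event = MISPEvent()
            event.info = args.new_event
            for o in objects:
                event.add_object(**o)
            new_event = misp.add_event(event, pythonify=True)
            # A str result is the server's error text; a pythonified event has an id.
            if isinstance(new_event, str):
                print(new_event)
            elif 'id' in new_event:
                print(f'Created new event {new_event.id}')
            else:
                print('Something went wrong:')
                print(new_event)
        else:
            for o in objects:
                new_object = misp.add_object(args.update_event, o, pythonify=True)
                if isinstance(new_object, str):
                    print(new_object)
                elif new_object.attributes:
                    print(f'New {new_object.name} object added to {args.update_event}')
                else:
                    print('Something went wrong:')
                    # Was `print(new_event)`, which is unbound in this branch (NameError).
                    print(new_object)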