yampelo / beagle

Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs.
MIT License

Exporting to MISP objects with relationships #9

Open adulau opened 5 years ago

adulau commented 5 years ago

Beagle is really cool. Looking at it, it could make sense to export the result of the analysis and especially a graph in MISP objects format with relationships (it's a kind of graph) into MISP. This would allow users to share investigations and discoveries.

yampelo commented 5 years ago

That sounds like a good idea. I'm guessing someone wouldn't want to add a full graph. I'll try to write something that maps specific Edge or Node objects to their MISP counterparts.

This should allow someone using the library to manipulate a networkX object, then use the set of nodes and edges they have to generate MISP objects.

adulau commented 5 years ago

Indeed, from the networkX object it would be the cleanest. I need to dig to see what the missing objects in MISP objects are, and maybe also in the relationships, to map with your existing parsers in Beagle.

yampelo commented 5 years ago

I would focus on the objects in here: https://github.com/yampelo/beagle/tree/master/beagle/nodes rather than the parsers. The parser will only ever return instances of these classes (or subclasses of them).
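A sketch of the node/edge-to-MISP mapping discussed in this thread, added here as an example and not code from Beagle or MISP: it consumes the `(node, attrs)` and `(src, dst, attrs)` pairs that networkX's `G.nodes(data=True)` / `G.edges(data=True)` yield and emits MISP object dicts with `ObjectReference` entries. The `node_type`/`edge_type` attribute names, the Beagle-to-MISP relation tables, the relationship names and the sample graph are all assumptions.

```python
import uuid
from typing import Dict, Iterable, List, Tuple

# Assumed mapping: Beagle node class name -> (MISP object template,
# {beagle attribute: (object_relation, MISP attribute type)}).
NODE_TO_MISP = {
    "Process": ("process", {"process_image": ("name", "text"),
                            "command_line": ("command-line", "text"),
                            "process_id": ("pid", "text")}),
    "File": ("file", {"full_path": ("fullpath", "text"),
                      "file_name": ("filename", "filename")}),
}
# Assumed mapping: Beagle edge class name -> MISP relationship_type.
EDGE_TO_RELATIONSHIP = {"Launched": "launched", "Wrote": "wrote", "Accessed": "accessed"}

def node_uuid(node_id) -> str:
    # Deterministic UUID so re-exporting the same graph gives stable references.
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"beagle-node:{node_id}"))

def graph_to_misp_objects(nodes: Iterable[Tuple[object, Dict]],
                          edges: Iterable[Tuple[object, object, Dict]]) -> List[Dict]:
    """Return one MISP object dict per mapped node; edges become ObjectReferences."""
    objects: Dict[object, Dict] = {}
    for node_id, attrs in nodes:
        mapping = NODE_TO_MISP.get(attrs.get("node_type"))
        if mapping is None:
            continue  # no MISP counterpart: leave the node out rather than guess
        template, relations = mapping
        objects[node_id] = {
            "name": template, "uuid": node_uuid(node_id), "ObjectReference": [],
            "Attribute": [{"object_relation": rel, "type": typ, "value": str(attrs[key])}
                          for key, (rel, typ) in relations.items()
                          if attrs.get(key) is not None],
        }
    for src, dst, attrs in edges:
        rel_type = EDGE_TO_RELATIONSHIP.get(attrs.get("edge_type"))
        # Drop edges of unmapped type or whose endpoints were not exported.
        if rel_type is None or src not in objects or dst not in objects:
            continue
        objects[src]["ObjectReference"].append(
            {"referenced_uuid": objects[dst]["uuid"], "relationship_type": rel_type})
    return list(objects.values())

# Constructed sample graph standing in for G.nodes(data=True) / G.edges(data=True).
SAMPLE_NODES = [
    (1, {"node_type": "Process", "process_image": "notepad.exe", "process_id": 412,
         "command_line": "notepad.exe notes.txt"}),
    (2, {"node_type": "File", "file_name": "notes.txt", "full_path": "C:\\tmp\\notes.txt"}),
    (3, {"node_type": "Domain", "domain": "example.invalid"}),  # unmapped: skipped
]
SAMPLE_EDGES = [(1, 2, {"edge_type": "Wrote"}), (1, 3, {"edge_type": "ConnectedTo"})]

def export_sample() -> List[Dict]:
    return graph_to_misp_objects(SAMPLE_NODES, SAMPLE_EDGES)
```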