SAMbot creates MISP events from data fed to it from Slack as a code snippet.
The following fields are accepted by SAMbot and will be added to the MISP event:
- type:
- url: or kit: or creds: (it will also pick up any line containing http or hxxp)
- ip:
- domain:
- ip-dst:
- ip-src:
- from: or source-email: or email-source:
- subject:
- md5:
- sha1:
- sha256:
- tag:
- hash|filename:
Accepted values for type: are:
- phish
- malware
- bec/scam
- dump
- apt
Accepted tags are:
- TLP:white
- TLP:green
- TLP:amber
- TLP:red
Example snippet:

```
type: malware
Url: http://bad.biz/r1/asda.exe
ip: 8.8.8.8
ip-dst: 8.8.8.8
ip-src: 1.1.1.1
domain: bad.biz
from: phish@avalanche.ru
subject: please transfer now
md5: c4c17055ea16183fbb6133b6e5cfb6f9
sha1: 17a5db6350140685d219f4f69dcc0e669a4f027e
sha256: 6b773f5367c1a6a108537b9ee17c95314158b1de0b5195eabb9a52eaf145b90a
hash|filename: 6b773f5367c1a6a108537b9ee17c95314158b1de0b5195eabb9a52eaf145b90a|asda.exe
tag: tlp:RED
```
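As an added illustration (not SAMbot's own code), the following Python parser shows how a snippet in the format above can be validated before it is turned into a MISP event: the alternative field names are collapsed onto one canonical name, type: and tag: values are checked case-insensitively against the accepted lists, hash values are checked for length and hex characters, and any keyless line mentioning http or hxxp is picked up as a URL. The output structure (a dict of type, tags, attributes and errors) is an assumption for this example.

```python
import re

# Field names, accepted types and tags come from the SAMbot README above;
# the parser itself is an added illustration, not the bot's own code.
ALLOWED_TYPES = {"phish", "malware", "bec/scam", "dump", "apt"}
ALLOWED_TAGS = {"tlp:white", "tlp:green", "tlp:amber", "tlp:red"}
ALIASES = {"kit": "url", "creds": "url",
           "source-email": "from", "email-source": "from"}
FIELDS = {"url", "ip", "domain", "ip-dst", "ip-src", "from", "subject",
          "md5", "sha1", "sha256", "hash|filename"}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
FIELD_RE = re.compile(r"^([a-z0-9|\-]+)\s*:\s*(.+?)\s*$", re.IGNORECASE)


def parse_snippet(text):
    """Parse a Slack snippet into a dict with type, tags, attributes and errors."""
    event = {"type": None, "tags": [], "attributes": [], "errors": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower()) if m else None
        value = m.group(2) if m else None
        if key == "type":
            if value.lower() in ALLOWED_TYPES:
                event["type"] = value.lower()
            else:
                event["errors"].append(f"unknown type: {value}")
        elif key == "tag":
            if value.lower() in ALLOWED_TAGS:
                event["tags"].append(value.lower())
            else:
                event["errors"].append(f"unknown tag: {value}")
        elif key in FIELDS:
            # Reject hashes of the wrong length or containing non-hex characters.
            if key in HASH_LEN and not (len(value) == HASH_LEN[key]
                                        and re.fullmatch(r"[0-9a-f]+", value.lower())):
                event["errors"].append(f"malformed {key}: {value}")
            else:
                event["attributes"].append((key, value))
        elif re.search(r"hxxp|http", line, re.IGNORECASE):
            # As the README says, any line mentioning http/hxxp is taken as a URL.
            event["attributes"].append(("url", line))
        else:
            event["errors"].append(f"unrecognised line: {line}")
    if event["type"] is None:
        event["errors"].append("missing type")
    return event
```

A snippet with a non-empty errors list should be reported back to the Slack channel rather than turned into an event.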
Run the following:

```
pip3 install -r requirements.txt
```

- Add the MISP URL and API key to the config.json file
- Add the Slack bot token to the config.json file
- Add the log name/location to config.json (optional)
Import the machinetag.json file as a new taxonomy:

```
$ cd /var/www/MISP/app/files/taxonomies/
$ mkdir privatetaxonomy
$ cd privatetaxonomy
$ vi machinetag.json
# paste the contents of machinetag.json into the editor and save
```
The bot requires that the following taxonomies are enabled in MISP in order to run:
- TLP
- IR8
config.json example:

```json
{
  "slack": {
    "SLACK_BOT_TOKEN": "xoxb-332250278039-yQQQom0PPoRz2QufGHlTnwg7"
  },
  "misp": {
    "url": "https://misp.test.local",
    "key": "kTeD2m9yAHmuv9XYVB5vEAkrijTttwiO04LSQGAV"
  },
  "logging": {
    "output_file": "/var/log/this_is_the_log.log",
    "output_error_file": "/var/log/this_is_the_error_log.log"
  }
}
```