misp-galaxy/tools/tidal-api/README.md

67 lines
3.1 KiB
Markdown
Raw Normal View History

2024-02-22 09:18:18 +00:00
# Tidal Cyber API
This is a tool generating MISP galaxies and clusters from Tidal Cyber API.
## Endpoints
https://app-api.tidalcyber.com/api/v1/technique
https://app-api.tidalcyber.com/api/v1/references
https://app-api.tidalcyber.com/api/v1/tactic
https://app-api.tidalcyber.com/api/v1/campaigns/
https://app-api.tidalcyber.com/api/v1/software/
https://app-api.tidalcyber.com/api/v1/groups/
## Configuration
The configuration file is located in `config.json` and maps the fields of the Tidal API to the Galaxy and Cluster fields. It consists of the following sections:
- `UUID`: The UUID of the galaxy to be created
- `GALAXY_CONFIGS`: The configuration of the galaxies to be created in the `galaxies` folder of the MISP-galaxy repository
- `name`: The name of the galaxy
- `namespace`: The namespace of the galaxy
- `description`: The description of the galaxy
- `type`: The type of the galaxy
- `uuid`: The UUID of the galaxy (will be inserted from the `UUID` section)
- `CLUSTER_CONFIGS`: The configuration of the clusters to be created in the `clusters` folder of the MISP-galaxy repository
- `authors`: The authors of the cluster
- `category`: The category of the cluster
- `description`: The description of the cluster
- `name`: The name of the cluster
- `source`: The source of the cluster
- `type`: The type of the cluster
- `uuid`: The UUID of the cluster (will be inserted from the `UUID` section)
- `values`: The values of the cluster (will be inserted from the `VALUE_FIELDS` section)
- `VALUE_FIELDS`: Defines the mapping of the fields in the Tidal Cyber API to the fields in the MISP cluster values array
- `description`: The description of the cluster value
- `meta`: The metadata of the cluster value
- `related`: The related cluster values of the cluster value (you can define a `type` for each relation type in the config which will not be mapped to a field of the API)
- `uuid`: The UUID of the cluster value
- `value`: The value of the cluster value
>Note: The fields `meta` can be formatted as the format of the data the API provides sometimes does not match the format defined by the [MISP galaxy format](https://www.misp-standard.org/rfc/misp-standard-galaxy-format.html#name-conventions-and-terminology). You can configure this using an extraction configuration.
### Extraction Configuration
The extraction configuration is a dictionary that maps the fields of the Tidal Cyber API to the fields of the MISP galaxy. It can be used to extract data stored in a array or object in the API response. The extraction configuration looks like this:
```json
{
"extract": <mode>,
"key": <key>,
"subkey": <subkey>
}
```
**Extract modes**:
- `single`: Extracts a single value from the API response
- `multiple`: Extracts multiple values from the API response
- `reverse`: Gets the value of the key and writes it into an array (no subkey needed)
## Usage
```bash
python3 main.py create-galaxy -v <version> --type <galaxy_to_create>
```
To build all galaxies and clusters, run the following command:
```bash
python3 main.py create-galaxy -v <version> --all
```