forked from MISP/misp-modules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
goamlexport.py
237 lines (220 loc) · 12.3 KB
/
goamlexport.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
import json, datetime, base64
from pymisp import MISPEvent
from collections import defaultdict, Counter
misperrors = {'error': 'Error'}
moduleinfo = {'version': '1', 'author': 'Christian Studer',
'description': 'Export to GoAML',
'module-type': ['export'],
'require_standard_format': True}
moduleconfig = ['rentity_id']
mispattributes = {'input': ['MISPEvent'], 'output': ['xml file']}
outputFileExtension = "xml"
responseType = "application/xml"
objects_to_parse = ['transaction', 'bank-account', 'person', 'entity', 'geolocation']
goAMLmapping = {'bank-account': {'bank-account': 't_account', 'institution-name': 'institution_name',
'institution-code': 'institution_code', 'iban': 'iban', 'swift': 'swift',
'branch': 'branch', 'non-banking-institution': 'non_bank_institution',
'account': 'account', 'currency-code': 'currency_code',
'account-name': 'account_name', 'client-number': 'client_number',
'personal-account-type': 'personal_account_type', 'opened': 'opened',
'closed': 'closed', 'balance': 'balance', 'status-code': 'status_code',
'beneficiary': 'beneficiary', 'beneficiary-comment': 'beneficiary_comment',
'comments': 'comments'},
'person': {'person': 't_person', 'text': 'comments', 'first-name': 'first_name',
'middle-name': 'middle_name', 'last-name': 'last_name', 'title': 'title',
'mothers-name': 'mothers_name', 'alias': 'alias', 'date-of-birth': 'birthdate',
'place-of-birth': 'birth_place', 'gender': 'gender','nationality': 'nationality1',
'passport-number': 'passport_number', 'passport-country': 'passport_country',
'social-security-number': 'ssn', 'identity-card-number': 'id_number'},
'geolocation': {'geolocation': 'location', 'city': 'city', 'region': 'state',
'country': 'country_code', 'address': 'address', 'zipcode': 'zip'},
'transaction': {'transaction': 'transaction', 'transaction-number': 'transactionnumber',
'date': 'date_transaction', 'location': 'transaction_location',
'transmode-code': 'transmode_code', 'amount': 'amount_local',
'transmode-comment': 'transmode_comment', 'date-posting': 'date_posting',
'teller': 'teller', 'authorized': 'authorized',
'text': 'transaction_description'},
'legal-entity': {'legal-entity': 'entity', 'name': 'name', 'business': 'business',
'commercial-name': 'commercial_name', 'phone-number': 'phone',
'legal-form': 'incorporation_legal_form',
'registration-number': 'incorporation_number'}}
referencesMapping = {'bank-account': {'aml_type': '{}_account', 'bracket': 't_{}'},
'person': {'transaction': {'aml_type': '{}_person', 'bracket': 't_{}'}, 'bank-account': {'aml_type': 't_person', 'bracket': 'signatory'}},
'legal-entity': {'transaction': {'aml_type': '{}_entity', 'bracket': 't_{}'}, 'bank-account': {'aml_type': 't_entity'}},
'geolocation': {'aml_type': 'address', 'bracket': 'addresses'}}
class GoAmlGeneration(object):
def __init__(self, config):
self.config = config
self.parsed_uuids = defaultdict(list)
def from_event(self, event):
self.misp_event = MISPEvent()
self.misp_event.load(event)
def parse_objects(self):
uuids = defaultdict(list)
report_code = []
currency_code = []
for obj in self.misp_event.objects:
obj_type = obj.name
uuids[obj_type].append(obj.uuid)
if obj_type == 'bank-account':
try:
report_code.append(obj.get_attributes_by_relation('report-code')[0].value.split(' ')[0])
currency_code.append(obj.get_attributes_by_relation('currency-code')[0].value)
except:
print('report_code or currency_code error')
self.uuids, self.report_codes, self.currency_codes = uuids, report_code, currency_code
def build_xml(self):
self.xml = {'header': "<report><rentity_id>{}</rentity_id><submission_code>E</submission_code>".format(self.config),
'data': ""}
if "STR" in self.report_codes:
report_code = "STR"
else:
report_code = Counter(self.report_codes).most_common(1)[0][0]
self.xml['header'] += "<report_code>{}</report_code>".format(report_code)
submission_date = str(self.misp_event.timestamp).replace(' ', 'T')
self.xml['header'] += "<submission_date>{}</submission_date>".format(submission_date)
self.xml['header'] += "<currency_code_local>{}</currency_code_local>".format(Counter(self.currency_codes).most_common(1)[0][0])
for trans_uuid in self.uuids.get('transaction'):
self.itterate('transaction', 'transaction', trans_uuid, 'data')
person_to_parse = [person_uuid for person_uuid in self.uuids.get('person') if person_uuid not in self.parsed_uuids.get('person')]
if len(person_to_parse) == 1:
self.itterate('person', 'reporting_person', person_to_parse[0], 'header')
location_to_parse = [location_uuid for location_uuid in self.uuids.get('geolocation') if location_uuid not in self.parsed_uuids.get('geolocation')]
if len(location_to_parse) == 1:
self.itterate('geolocation', 'location', location_to_parse[0], 'header')
self.xml['data'] += "</report>"
def itterate(self, object_type, aml_type, uuid, xml_part):
obj = self.misp_event.get_object_by_uuid(uuid)
if object_type == 'transaction':
self.xml[xml_part] += "<{}>".format(aml_type)
self.fill_xml_transaction(object_type, obj.attributes, xml_part)
self.parsed_uuids[object_type].append(uuid)
if obj.ObjectReference:
self.parseObjectReferences(object_type, xml_part, obj.ObjectReference)
self.xml[xml_part] += "</{}>".format(aml_type)
else:
if 'to_' in aml_type or 'from_' in aml_type:
relation_type = aml_type.split('_')[0]
self.xml[xml_part] += "<{0}_funds_code>{1}</{0}_funds_code>".format(relation_type, self.from_and_to_fields[relation_type]['funds'].split(' ')[0])
self.itterate_normal_case(object_type, obj, aml_type, uuid, xml_part)
self.xml[xml_part] += "<{0}_country>{1}</{0}_country>".format(relation_type, self.from_and_to_fields[relation_type]['country'])
else:
self.itterate_normal_case(object_type, obj, aml_type, uuid, xml_part)
def itterate_normal_case(self, object_type, obj, aml_type, uuid, xml_part):
self.xml[xml_part] += "<{}>".format(aml_type)
self.fill_xml(object_type, obj, xml_part)
self.parsed_uuids[object_type].append(uuid)
if obj.ObjectReference:
self.parseObjectReferences(object_type, xml_part, obj.ObjectReference)
self.xml[xml_part] += "</{}>".format(aml_type)
def parseObjectReferences(self, object_type, xml_part, references):
for ref in references:
next_uuid = ref.referenced_uuid
next_object_type = ref.Object.get('name')
relationship_type = ref.relationship_type
self.parse_references(object_type, next_object_type, next_uuid, relationship_type, xml_part)
def fill_xml_transaction(self, object_type, attributes, xml_part):
from_and_to_fields = {'from': {}, 'to': {}}
for attribute in attributes:
object_relation = attribute.object_relation
attribute_value = attribute.value
if object_relation == 'date-posting':
self.xml[xml_part] += "<late_deposit>True</late_deposit>"
elif object_relation in ('from-funds-code', 'to-funds-code'):
relation_type, field, _ = object_relation.split('-')
from_and_to_fields[relation_type][field] = attribute_value
continue
elif object_relation in ('from-country', 'to-country'):
relation_type, field = object_relation.split('-')
from_and_to_fields[relation_type][field] = attribute_value
continue
try:
self.xml[xml_part] += "<{0}>{1}</{0}>".format(goAMLmapping[object_type][object_relation], attribute_value)
except KeyError:
pass
self.from_and_to_fields = from_and_to_fields
def fill_xml(self, object_type, obj, xml_part):
if obj.name == 'bank-account':
for attribute in obj.attributes:
if attribute.object_relation in ('personal-account-type', 'status-code'):
attribute_value = attribute.value.split(' - ')[0]
else:
attribute_value = attribute.value
try:
self.xml[xml_part] += "<{0}>{1}</{0}>".format(goAMLmapping[object_type][attribute.object_relation], attribute_value)
except KeyError:
pass
else:
for attribute in obj.attributes:
try:
self.xml[xml_part] += "<{0}>{1}</{0}>".format(goAMLmapping[object_type][attribute.object_relation], attribute.value)
except KeyError:
pass
def parse_references(self, object_type, next_object_type, uuid, relationship_type, xml_part):
reference = referencesMapping[next_object_type]
try:
next_aml_type = reference[object_type].get('aml_type').format(relationship_type.split('_')[0])
try:
bracket = reference[object_type].get('bracket').format(relationship_type)
self.xml[xml_part] += "<{}>".format(bracket)
self.itterate(next_object_type, next_aml_type, uuid, xml_part)
self.xml[xml_part] += "</{}>".format(bracket)
except KeyError:
self.itterate(next_object_type, next_aml_type, uuid, xml_part)
except KeyError:
next_aml_type = reference.get('aml_type').format(relationship_type.split('_')[0])
bracket = reference.get('bracket').format(relationship_type)
self.xml[xml_part] += "<{}>".format(bracket)
self.itterate(next_object_type, next_aml_type, uuid, xml_part)
self.xml[xml_part] += "</{}>".format(bracket)
def handler(q=False):
if q is False:
return False
request = json.loads(q)
if 'data' not in request:
return False
if not request.get('config') and not request['config'].get('rentity_id'):
misperrors['error'] = "Configuration error."
return misperrors
config = request['config'].get('rentity_id')
export_doc = GoAmlGeneration(config)
export_doc.from_event(request['data'][0])
if not export_doc.misp_event.Object:
misperrors['error'] = "There is no object in this event."
return misperrors
types = []
for obj in export_doc.misp_event.Object:
types.append(obj.name)
if 'transaction' not in types:
misperrors['error'] = "There is no transaction object in this event."
return misperrors
export_doc.parse_objects()
export_doc.build_xml()
exp_doc = "{}{}".format(export_doc.xml.get('header'), export_doc.xml.get('data'))
return {'response': [], 'data': str(base64.b64encode(bytes(exp_doc, 'utf-8')), 'utf-8')}
def introspection():
modulesetup = {}
try:
responseType
modulesetup['responseType'] = responseType
except NameError:
pass
try:
userConfig
modulesetup['userConfig'] = userConfig
except NameError:
pass
try:
outputFileExtension
modulesetup['outputFileExtension'] = outputFileExtension
except NameError:
pass
try:
inputSource
moduleSetup['inputSource'] = inputSource
except NameError:
pass
return modulesetup
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo