SAM Bot creates MISP events from data fed to it from Slack in a code snippet.

The following fields are accepted by SAMbot and will be added to the MISP event.

• type:
• url: or kit: or creds: (it will also pickup any line with http or hxxp in it)
• ip:
• domain:
• ip-dst:
• ip-src:
• from: or source-email: or email-source
• subject:
• md5:
• sha1:
• sha256:
• tag:
• hash|filename:

Accepted fields for type are:

• phish
• malware
• bec/scam
• dump
• apt

Tags that are accepted are

• TLP:white
• TLP:green
• TLP:amber
• TLP:red

type: malware
Url: http://bad.biz/r1/asda.exe
ip: 8.8.8.8
ip-dst: 8.8.8.8
ip-src: 1.1.1.1
domain: bad.biz
from: [email protected]
subject: please transfer now
md5: c4c17055ea16183fbb6133b6e5cfb6f9
sha1: 17a5db6350140685d219f4f69dcc0e669a4f027e
sha256: 6b773f5367c1a6a108537b9ee17c95314158b1de0b5195eabb9a52eaf145b90a
hash|filename: 6b773f5367c1a6a108537b9ee17c95314158b1de0b5195eabb9a52eaf145b90a|asda.exe
tag: tlp:RED

Run the following:

pip3 install -r requirements.txt

• Add MISP URL and API key to config.json file
• Add Slack bot token to config.json file
• Add log name/location to config.json (Optional)

Import the machinetag.json file as a new taxonomy

$ cd /var/www/MISP/app/files/taxonomies/
$ mkdir privatetaxonomy
$ cd privatetaxonomy
$ vi machinetag.json
$ paste contents

the bot requires that the following taxonomies are enable to run

• TLP
• IR8

config.json example

   "slack":{
   	"SLACK_BOT_TOKEN" : "xoxb-332250278039-yQQQom0PPoRz2QufGHlTnwg7"
   },
   "misp" : {
   	"url" : "https://misp.test.local",
   	"key" : "kTeD2m9yAHmuv9XYVB5vEAkrijTttwiO04LSQGAV"
   },
   "logging" : {
   	"output_file" : "/var/log/this_is_the_log.log",
   	"output_error_file": "/var/log/this_is_the_error_log.log"

   }
}