Pull request under review MISP/misp-modules#789
The XposedOrNot expansion module enriches email attributes in MISP with data-breach exposure: which breaches an address appears in, when, how many records were exposed, which data classes leaked, and how passwords were stored. It works both as a hover module (instant summary tooltip) and as an expansion module (one attribute per breach added to your event).
Hovering an email attribute shows a summary like:
Expanding adds one attribute per breach, each carrying the detail in its comment:
| Input | Output |
|---|---|
email, email-src, email-dst, target-email, whois-registrant-email |
text attributes (misp_standard format, correlation disabled) |
Once merged (pull request currently under review): the module ships with misp-modules. Update your misp-modules install, then enable xposedornot under Administration → Server Settings → Plugin settings → Enrichment.
Today (manual install): copy
xposedornot.py
into misp_modules/modules/expansion/ in your misp-modules installation and restart the
misp-modules service. No further configuration is required.
None required. The module uses the free, keyless community API out of the box.
Optionally, set api_key in the module's plugin settings (get a key at
plus.xposedornot.com) to switch
to the commercial Plus API with higher rate limits, recommended for busy instances.
Keyless community API: 2 requests/second, 25/hour, 100/day per IP. When the limit is reached the module returns a clear message rather than failing silently. The optional commercial key raises these limits.