misp-modules/misp_modules/modules/export_mod/nexthinkexport.py

"""
Export module for coverting MISP events into Nexthink NXQL queries.
Source: https://github.com/HacknowledgeCH/misp-modules/blob/master/misp_modules/modules/export_mod/nexthinkexport.py
Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...), see Nexthink data model documentation
"""

import base64
import json

misperrors = {"error": "Error"}

types_to_use = ['sha1', 'sha256', 'md5', 'domain']

userConfig = {

}

moduleconfig = ["Period"]
inputSource = ['event']

outputFileExtension = 'nxql'
responseType = 'application/txt'

moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge',
              'description': 'Nexthink NXQL query export module',
              'module-type': ['export']}


def handle_sha1(value, period):
    query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
(from (binary user device execution)
(where binary (eq sha1 (sha1 %s)))
(between now-%s now))
(limit 1000)
    ''' % (value, period)
    return query.replace('\n', ' ')


def handle_sha256(value, period):
    query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
(from (binary user device execution)
(where binary (eq sha256 (sha256 %s)))
(between now-%s now))
(limit 1000)
    ''' % (value, period)
    return query.replace('\n', ' ')


def handle_md5(value, period):
    query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
(from (binary user device execution)
(where binary (eq hash (md5 %s)))
(between now-%s now))
(limit 1000)
    ''' % (value, period)
    return query.replace('\n', ' ')


def handle_domain(value, period):
    query = '''select ((device name) (device (name last_ip_address)) (user name)(user department) (binary executable_name)(binary application_name)(binary description)(binary application_category)(binary (executable_name version)) (binary #"Suspicious binary")(binary first_seen)(binary last_seen)(binary threat_level)(binary hash) (binary paths)
(destination name)(domain name) (domain domain_category)(domain hosting_country)(domain protocol)(domain threat_level) (port port_number)(web_request incoming_traffic)(web_request outgoing_traffic))
(from (web_request device user binary executable destination domain port)
(where domain (eq name(string %s)))
(between now-%s now))
(limit 1000)
    ''' % (value, period)
    return query.replace('\n', ' ')


handlers = {
    'sha1': handle_sha1,
    'sha256': handle_sha256,
    'md5': handle_md5,
    'domain': handle_domain
}


def handler(q=False):
    if q is False:
        return False
    r = {'results': []}
    request = json.loads(q)
    config = request.get("config", {"Period": ""})
    output = ''

    for event in request["data"]:
        for attribute in event["Attribute"]:
            if attribute['type'] in types_to_use:
                output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
    r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
    return r


def introspection():
    modulesetup = {}
    try:
        responseType
        modulesetup['responseType'] = responseType
    except NameError:
        pass
    try:
        userConfig
        modulesetup['userConfig'] = userConfig
    except NameError:
        pass
    try:
        outputFileExtension
        modulesetup['outputFileExtension'] = outputFileExtension
    except NameError:
        pass
    try:
        inputSource
        modulesetup['inputSource'] = inputSource
    except NameError:
        pass
    return modulesetup


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`"""`
			`Export module for coverting MISP events into Nexthink NXQL queries.`
			`Source: https://github.com/HacknowledgeCH/misp-modules/blob/master/misp_modules/modules/export_mod/nexthinkexport.py`
added domain attributes support 2018-12-24 17:07:45 +01:00			`Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...), see Nexthink data model documentation`
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`"""`

			`import base64`
			`import json`

			`misperrors = {"error": "Error"}`

added domain attributes support 2018-12-24 17:07:45 +01:00			`types_to_use = ['sha1', 'sha256', 'md5', 'domain']`
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00
			`userConfig = {`

			`}`

			`moduleconfig = ["Period"]`
			`inputSource = ['event']`

added domain attributes support 2018-12-24 17:07:45 +01:00			`outputFileExtension = 'nxql'`
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`responseType = 'application/txt'`

			`moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge',`
			`'description': 'Nexthink NXQL query export module',`
			`'module-type': ['export']}`

added 2 blank lines to comply w/ pep8 2018-12-26 08:33:21 +01:00
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`def handle_sha1(value, period):`
support for md5 and sha1 hashes 2018-12-24 16:40:31 +01:00			`query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))`
			`(from (binary user device execution)`
			`(where binary (eq sha1 (sha1 %s)))`
			`(between now-%s now))`
			`(limit 1000)`
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`''' % (value, period)`
support for md5 and sha1 hashes 2018-12-24 16:40:31 +01:00			`return query.replace('\n', ' ')`

removed unused re module 2018-12-24 17:32:47 +01:00
added domain attributes support 2018-12-24 17:07:45 +01:00			`def handle_sha256(value, period):`
			`query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))`
			`(from (binary user device execution)`
			`(where binary (eq sha256 (sha256 %s)))`
			`(between now-%s now))`
			`(limit 1000)`
			`''' % (value, period)`
			`return query.replace('\n', ' ')`

removed unused re module 2018-12-24 17:32:47 +01:00
support for md5 and sha1 hashes 2018-12-24 16:40:31 +01:00			`def handle_md5(value, period):`
			`query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))`
			`(from (binary user device execution)`
			`(where binary (eq hash (md5 %s)))`
			`(between now-%s now))`
			`(limit 1000)`
			`''' % (value, period)`
			`return query.replace('\n', ' ')`
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00
removed unused re module 2018-12-24 17:32:47 +01:00
added domain attributes support 2018-12-24 17:07:45 +01:00			`def handle_domain(value, period):`
			`query = '''select ((device name) (device (name last_ip_address)) (user name)(user department) (binary executable_name)(binary application_name)(binary description)(binary application_category)(binary (executable_name version)) (binary #"Suspicious binary")(binary first_seen)(binary last_seen)(binary threat_level)(binary hash) (binary paths)`
			`(destination name)(domain name) (domain domain_category)(domain hosting_country)(domain protocol)(domain threat_level) (port port_number)(web_request incoming_traffic)(web_request outgoing_traffic))`
			`(from (web_request device user binary executable destination domain port)`
			`(where domain (eq name(string %s)))`
			`(between now-%s now))`
			`(limit 1000)`
			`''' % (value, period)`
			`return query.replace('\n', ' ')`

removed unused re module 2018-12-24 17:32:47 +01:00
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`handlers = {`
support for md5 and sha1 hashes 2018-12-24 16:40:31 +01:00			`'sha1': handle_sha1,`
added domain attributes support 2018-12-24 17:07:45 +01:00			`'sha256': handle_sha256,`
			`'md5': handle_md5,`
			`'domain': handle_domain`
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`}`

added 2 blank lines to comply w/ pep8 2018-12-26 08:33:21 +01:00
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`def handler(q=False):`
			`if q is False:`
			`return False`
			`r = {'results': []}`
			`request = json.loads(q)`
			`config = request.get("config", {"Period": ""})`
			`output = ''`

			`for event in request["data"]:`
			`for attribute in event["Attribute"]:`
			`if attribute['type'] in types_to_use:`
fix: Pep8 related fixes. 2019-02-04 11:05:51 +01:00			`output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'`
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}`
			`return r`

removed unused re module 2018-12-24 17:32:47 +01:00
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`def introspection():`
			`modulesetup = {}`
			`try:`
			`responseType`
			`modulesetup['responseType'] = responseType`
			`except NameError:`
			`pass`
			`try:`
			`userConfig`
			`modulesetup['userConfig'] = userConfig`
			`except NameError:`
			`pass`
			`try:`
			`outputFileExtension`
			`modulesetup['outputFileExtension'] = outputFileExtension`
			`except NameError:`
			`pass`
			`try:`
			`inputSource`
			`modulesetup['inputSource'] = inputSource`
			`except NameError:`
			`pass`
			`return modulesetup`

removed unused re module 2018-12-24 17:32:47 +01:00
first export feature: sha1 attributes nxql query 2018-12-24 14:39:25 +01:00			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`