misp-modules/misp_modules/modules/expansion/crowdstrike_falcon.py

import json
from . import check_input_attribute, standard_error_message
from falconpy import Intel
from pymisp import MISPAttribute, MISPEvent

moduleinfo = {'version': '0.2',
              'author': 'Christophe Vandeplas',
              'description': 'Module to query CrowdStrike Falcon.',
              'module-type': ['expansion', 'hover']}
moduleconfig = ['api_id', 'apikey']
misperrors = {'error': 'Error'}
misp_type_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
                 'filename', 'hostname', 'ip', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url',
                 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
mapping_out = {  # mapping between the MISP attributes type and the compatible CrowdStrike indicator types.
    'domain': {'type': 'hostname', 'to_ids': True},
    'email_address': {'type': 'email-src', 'to_ids': True},
    'email_subject': {'type': 'email-subject', 'to_ids': True},
    'file_name': {'type': 'filename', 'to_ids': True},
    'hash_md5': {'type': 'md5', 'to_ids': True},
    'hash_sha1': {'type': 'sha1', 'to_ids': True},
    'hash_sha256': {'type': 'sha256', 'to_ids': True},
    'ip_address': {'type': 'ip-dst', 'to_ids': True},
    'ip_address_block': {'type': 'ip-dst', 'to_ids': True},
    'mutex_name': {'type': 'mutex', 'to_ids': True},
    'registry': {'type': 'regkey', 'to_ids': True},
    'url': {'type': 'url', 'to_ids': True},
    'user_agent': {'type': 'user-agent', 'to_ids': True},
    'x509_serial': {'type': 'x509-fingerprint-md5', 'to_ids': True},

    'actors': {'type': 'threat-actor', 'category': 'Attribution'},
    'malware_families': {'type': 'text', 'category': 'Attribution'}
}
misp_type_out = [item['type'] for item in mapping_out.values()]
mispattributes = {'input': misp_type_in, 'format': 'misp_standard'}

def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    #validate CrowdStrike params
    if (request.get('config')):
        if (request['config'].get('apikey') is None):
            misperrors['error'] = 'CrowdStrike apikey is missing'
            return misperrors
        if (request['config'].get('api_id') is None):
            misperrors['error'] = 'CrowdStrike api_id is missing'
            return misperrors

    #validate attribute
    if not request.get('attribute') or not check_input_attribute(request['attribute']):
        return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
    attribute = request.get('attribute')
    if not any(input_type == attribute.get('type') for input_type in misp_type_in):
        return {'error': 'Unsupported attribute type.'}

    client = CSIntelAPI(request['config']['api_id'], request['config']['apikey'])

    attribute = MISPAttribute()
    attribute.from_dict(**request.get('attribute') )
    r = {"results": []}
    valid_type = False

    try:
        for k in misp_type_in:
            if attribute.type == k:
                # map the MISP type to the CrowdStrike type
                r['results'].append(lookup_indicator(client, attribute))
                valid_type = True
    except Exception as e:
        return {'error': f"{e}"}

    if not valid_type:
        misperrors['error'] = "Unsupported attributes type"
        return misperrors
    return {'results': r.get('results').pop()}


def lookup_indicator(client, ref_attribute):
    result = client.search_indicator(ref_attribute.value)
    misp_event = MISPEvent()
    misp_event.add_attribute(**ref_attribute)

    for item in result.get('resources', []):
        for relation in item.get('relations'):
            if mapping_out.get(relation.get('type')):
                r = mapping_out[relation.get('type')].copy()
                r['value'] = relation.get('indicator')
                attribute = MISPAttribute()
                attribute.from_dict(**r)
                misp_event.add_attribute(**attribute)
        for actor in item.get('actors'):
            r = mapping_out.get('actors').copy()
            r['value'] = actor
            attribute = MISPAttribute()
            attribute.from_dict(**r)
            misp_event.add_attribute(**attribute)
        if item.get('malware_families'):
            r = mapping_out.get('malware_families').copy()
            r['value'] = f"malware_families: {' | '.join(item.get('malware_families'))}"
            attribute = MISPAttribute()
            attribute.from_dict(**r)
            misp_event.add_attribute(**attribute)

    event = json.loads(misp_event.to_json())
    return {'Object': event.get('Object', []), 'Attribute': event.get('Attribute', [])}

def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo


class CSIntelAPI():
    def __init__(self, custid=None, custkey=None):
        # customer id and key should be passed when obj is created
        self.falcon = Intel(client_id=custid, client_secret=custkey)

    def search_indicator(self, query):
        r = self.falcon.query_indicator_entities(q=query)
        # 400 - bad request
        if r.get('status_code') == 400:
            raise Exception('HTTP Error 400 - Bad request.')

        # 404 - oh shit
        if r.get('status_code') == 404:
            raise Exception('HTTP Error 404 - awww snap.')

        # catch all?
        if r.get('status_code') != 200:
            raise Exception('HTTP Error: ' + str(r.get('status_code')))

        if len(r.get('body').get('errors')):
            raise Exception('API Error: ' + ' | '.join(r.get('body').get('errors')))

        return r.get('body', {})
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`import json`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`from . import check_input_attribute, standard_error_message`
			`from falconpy import Intel`
[crowdstrike_falcon] fix imports warning 2022-01-11 15:25:39 +01:00			`from pymisp import MISPAttribute, MISPEvent`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`moduleinfo = {'version': '0.2',`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`'author': 'Christophe Vandeplas',`
			`'description': 'Module to query CrowdStrike Falcon.',`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`'module-type': ['expansion', 'hover']}`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`moduleconfig = ['api_id', 'apikey']`
			`misperrors = {'error': 'Error'}`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`misp_type_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`'filename', 'hostname', 'ip', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url',`
			`'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`mapping_out = { # mapping between the MISP attributes type and the compatible CrowdStrike indicator types.`
			`'domain': {'type': 'hostname', 'to_ids': True},`
			`'email_address': {'type': 'email-src', 'to_ids': True},`
			`'email_subject': {'type': 'email-subject', 'to_ids': True},`
			`'file_name': {'type': 'filename', 'to_ids': True},`
			`'hash_md5': {'type': 'md5', 'to_ids': True},`
			`'hash_sha1': {'type': 'sha1', 'to_ids': True},`
			`'hash_sha256': {'type': 'sha256', 'to_ids': True},`
			`'ip_address': {'type': 'ip-dst', 'to_ids': True},`
			`'ip_address_block': {'type': 'ip-dst', 'to_ids': True},`
			`'mutex_name': {'type': 'mutex', 'to_ids': True},`
			`'registry': {'type': 'regkey', 'to_ids': True},`
			`'url': {'type': 'url', 'to_ids': True},`
			`'user_agent': {'type': 'user-agent', 'to_ids': True},`
			`'x509_serial': {'type': 'x509-fingerprint-md5', 'to_ids': True},`

			`'actors': {'type': 'threat-actor', 'category': 'Attribution'},`
			`'malware_families': {'type': 'text', 'category': 'Attribution'}`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`}`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`misp_type_out = [item['type'] for item in mapping_out.values()]`
			`mispattributes = {'input': misp_type_in, 'format': 'misp_standard'}`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00
			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`#validate CrowdStrike params`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`if (request.get('config')):`
			`if (request['config'].get('apikey') is None):`
			`misperrors['error'] = 'CrowdStrike apikey is missing'`
			`return misperrors`
			`if (request['config'].get('api_id') is None):`
			`misperrors['error'] = 'CrowdStrike api_id is missing'`
			`return misperrors`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00
			`#validate attribute`
			`if not request.get('attribute') or not check_input_attribute(request['attribute']):`
			`return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}`
			`attribute = request.get('attribute')`
			`if not any(input_type == attribute.get('type') for input_type in misp_type_in):`
			`return {'error': 'Unsupported attribute type.'}`

added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`client = CSIntelAPI(request['config']['api_id'], request['config']['apikey'])`

[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`attribute = MISPAttribute()`
			`attribute.from_dict(**request.get('attribute') )`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`r = {"results": []}`
			`valid_type = False`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00
			`try:`
			`for k in misp_type_in:`
			`if attribute.type == k:`
			`# map the MISP type to the CrowdStrike type`
			`r['results'].append(lookup_indicator(client, attribute))`
			`valid_type = True`
			`except Exception as e:`
			`return {'error': f"{e}"}`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00
			`if not valid_type:`
			`misperrors['error'] = "Unsupported attributes type"`
			`return misperrors`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`return {'results': r.get('results').pop()}`


			`def lookup_indicator(client, ref_attribute):`
			`result = client.search_indicator(ref_attribute.value)`
			`misp_event = MISPEvent()`
			`misp_event.add_attribute(**ref_attribute)`

			`for item in result.get('resources', []):`
			`for relation in item.get('relations'):`
			`if mapping_out.get(relation.get('type')):`
			`r = mapping_out[relation.get('type')].copy()`
			`r['value'] = relation.get('indicator')`
			`attribute = MISPAttribute()`
			`attribute.from_dict(**r)`
			`misp_event.add_attribute(**attribute)`
			`for actor in item.get('actors'):`
			`r = mapping_out.get('actors').copy()`
			`r['value'] = actor`
			`attribute = MISPAttribute()`
			`attribute.from_dict(**r)`
			`misp_event.add_attribute(**attribute)`
			`if item.get('malware_families'):`
			`r = mapping_out.get('malware_families').copy()`
			`r['value'] = f"malware_families: {' \| '.join(item.get('malware_families'))}"`
			`attribute = MISPAttribute()`
			`attribute.from_dict(**r)`
			`misp_event.add_attribute(**attribute)`

			`event = json.loads(misp_event.to_json())`
			`return {'Object': event.get('Object', []), 'Attribute': event.get('Attribute', [])}`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00
			`def introspection():`
			`return mispattributes`


			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`


			`class CSIntelAPI():`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`def __init__(self, custid=None, custkey=None):`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`# customer id and key should be passed when obj is created`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`self.falcon = Intel(client_id=custid, client_secret=custkey)`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`def search_indicator(self, query):`
			`r = self.falcon.query_indicator_entities(q=query)`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`# 400 - bad request`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`if r.get('status_code') == 400:`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`raise Exception('HTTP Error 400 - Bad request.')`

			`# 404 - oh shit`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`if r.get('status_code') == 404:`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00			`raise Exception('HTTP Error 404 - awww snap.')`

			`# catch all?`
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`if r.get('status_code') != 200:`
			`raise Exception('HTTP Error: ' + str(r.get('status_code')))`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`if len(r.get('body').get('errors')):`
			`raise Exception('API Error: ' + ' \| '.join(r.get('body').get('errors')))`
added CrowdStrike Falcon Intel Indicators expansion module 2018-01-19 14:42:25 +01:00
[crowdstrike_falcon] Upgrade crowdstrike_falcon enrich module to new api version & add attribute creation on enrichment functionality 2022-01-11 13:59:59 +01:00			`return r.get('body', {})`