2018-12-24 14:39:25 +01:00
|
|
|
"""
|
|
|
|
Export module for coverting MISP events into Nexthink NXQL queries.
|
|
|
|
Source: https://github.com/HacknowledgeCH/misp-modules/blob/master/misp_modules/modules/export_mod/nexthinkexport.py
|
2018-12-24 17:07:45 +01:00
|
|
|
Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...), see Nexthink data model documentation
|
2018-12-24 14:39:25 +01:00
|
|
|
"""
|
|
|
|
|
|
|
|
import base64
|
|
|
|
import json
|
|
|
|
|
|
|
|
misperrors = {"error": "Error"}
|
|
|
|
|
2018-12-24 17:07:45 +01:00
|
|
|
types_to_use = ['sha1', 'sha256', 'md5', 'domain']
|
2018-12-24 14:39:25 +01:00
|
|
|
|
|
|
|
userConfig = {
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
moduleconfig = ["Period"]
|
|
|
|
inputSource = ['event']
|
|
|
|
|
2018-12-24 17:07:45 +01:00
|
|
|
outputFileExtension = 'nxql'
|
2018-12-24 14:39:25 +01:00
|
|
|
responseType = 'application/txt'
|
|
|
|
|
|
|
|
moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge',
|
|
|
|
'description': 'Nexthink NXQL query export module',
|
|
|
|
'module-type': ['export']}
|
|
|
|
|
2018-12-26 08:33:21 +01:00
|
|
|
|
2018-12-24 14:39:25 +01:00
|
|
|
def handle_sha1(value, period):
|
2018-12-24 16:40:31 +01:00
|
|
|
query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
|
|
|
|
(from (binary user device execution)
|
|
|
|
(where binary (eq sha1 (sha1 %s)))
|
|
|
|
(between now-%s now))
|
|
|
|
(limit 1000)
|
2018-12-24 14:39:25 +01:00
|
|
|
''' % (value, period)
|
2018-12-24 16:40:31 +01:00
|
|
|
return query.replace('\n', ' ')
|
|
|
|
|
2018-12-24 17:32:47 +01:00
|
|
|
|
2018-12-24 17:07:45 +01:00
|
|
|
def handle_sha256(value, period):
|
|
|
|
query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
|
|
|
|
(from (binary user device execution)
|
|
|
|
(where binary (eq sha256 (sha256 %s)))
|
|
|
|
(between now-%s now))
|
|
|
|
(limit 1000)
|
|
|
|
''' % (value, period)
|
|
|
|
return query.replace('\n', ' ')
|
|
|
|
|
2018-12-24 17:32:47 +01:00
|
|
|
|
2018-12-24 16:40:31 +01:00
|
|
|
def handle_md5(value, period):
|
|
|
|
query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
|
|
|
|
(from (binary user device execution)
|
|
|
|
(where binary (eq hash (md5 %s)))
|
|
|
|
(between now-%s now))
|
|
|
|
(limit 1000)
|
|
|
|
''' % (value, period)
|
|
|
|
return query.replace('\n', ' ')
|
2018-12-24 14:39:25 +01:00
|
|
|
|
2018-12-24 17:32:47 +01:00
|
|
|
|
2018-12-24 17:07:45 +01:00
|
|
|
def handle_domain(value, period):
|
|
|
|
query = '''select ((device name) (device (name last_ip_address)) (user name)(user department) (binary executable_name)(binary application_name)(binary description)(binary application_category)(binary (executable_name version)) (binary #"Suspicious binary")(binary first_seen)(binary last_seen)(binary threat_level)(binary hash) (binary paths)
|
|
|
|
(destination name)(domain name) (domain domain_category)(domain hosting_country)(domain protocol)(domain threat_level) (port port_number)(web_request incoming_traffic)(web_request outgoing_traffic))
|
|
|
|
(from (web_request device user binary executable destination domain port)
|
|
|
|
(where domain (eq name(string %s)))
|
|
|
|
(between now-%s now))
|
|
|
|
(limit 1000)
|
|
|
|
''' % (value, period)
|
|
|
|
return query.replace('\n', ' ')
|
|
|
|
|
2018-12-24 17:32:47 +01:00
|
|
|
|
2018-12-24 14:39:25 +01:00
|
|
|
handlers = {
|
2018-12-24 16:40:31 +01:00
|
|
|
'sha1': handle_sha1,
|
2018-12-24 17:07:45 +01:00
|
|
|
'sha256': handle_sha256,
|
|
|
|
'md5': handle_md5,
|
|
|
|
'domain': handle_domain
|
2018-12-24 14:39:25 +01:00
|
|
|
}
|
|
|
|
|
2018-12-26 08:33:21 +01:00
|
|
|
|
2018-12-24 14:39:25 +01:00
|
|
|
def handler(q=False):
|
|
|
|
if q is False:
|
|
|
|
return False
|
|
|
|
r = {'results': []}
|
|
|
|
request = json.loads(q)
|
|
|
|
config = request.get("config", {"Period": ""})
|
|
|
|
output = ''
|
|
|
|
|
|
|
|
for event in request["data"]:
|
|
|
|
for attribute in event["Attribute"]:
|
|
|
|
if attribute['type'] in types_to_use:
|
|
|
|
output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
|
|
|
|
r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
|
|
|
|
return r
|
|
|
|
|
2018-12-24 17:32:47 +01:00
|
|
|
|
2018-12-24 14:39:25 +01:00
|
|
|
def introspection():
|
|
|
|
modulesetup = {}
|
|
|
|
try:
|
|
|
|
responseType
|
|
|
|
modulesetup['responseType'] = responseType
|
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
userConfig
|
|
|
|
modulesetup['userConfig'] = userConfig
|
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
outputFileExtension
|
|
|
|
modulesetup['outputFileExtension'] = outputFileExtension
|
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
inputSource
|
|
|
|
modulesetup['inputSource'] = inputSource
|
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
return modulesetup
|
|
|
|
|
2018-12-24 17:32:47 +01:00
|
|
|
|
2018-12-24 14:39:25 +01:00
|
|
|
def version():
|
|
|
|
moduleinfo['config'] = moduleconfig
|
|
|
|
return moduleinfo
|