diff --git a/README.md b/README.md index dbd7e77..44142c7 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [DomainTools](misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois. * [EQL](misp_modules/modules/expansion/eql.py) - an expansion module to generate EQL queries from attributes. * [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en). +* [EQL](misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/) * [Farsight DNSDB Passive DNS](misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information. * [GeoIP](misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind. * [Greynoise](misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise. @@ -88,6 +89,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [GoAML export](misp_modules/modules/export_mod/goamlexport.py) module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html). * [Lite Export](misp_modules/modules/export_mod/liteexport.py) module to export a lite event. * [PDF export](misp_modules/modules/export_mod/pdfexport.py) module to export an event in PDF. +* [Mass EQL Export](misp_modules/modules/export_mod/mass_eql_export.py) module to export applicable attributes from an event to a mass EQL query. * [Nexthink query format](misp_modules/modules/export_mod/nexthinkexport.py) module to export in Nexthink query format. * [osquery](misp_modules/modules/export_mod/osqueryexport.py) module to export in [osquery](https://osquery.io/) query format. * [ThreatConnect](misp_modules/modules/export_mod/threat_connect_export.py) module to export in ThreatConnect CSV format. diff --git a/doc/expansion/eql.json b/doc/expansion/eql.json index d800ab6..1a32adf 100644 --- a/doc/expansion/eql.json +++ b/doc/expansion/eql.json @@ -1,9 +1,9 @@ { - "description": "Generates EQL queries from attributes", + "description": "EQL query generation for a MISP attribute.", "logo": "logos/eql.png", "requirements": [], "input": "A filename or ip attribute.", - "output": "The EQL query generated from the input attribute.", + "output": "Attribute containing EQL for a network or file attribute.", "references": ["https://eql.readthedocs.io/en/latest/"], - "features": "The module simply generates EQL rules out of the input attribute." + "features": "This module adds a new attribute to a MISP event containing an EQL query for a network or file attribute." } diff --git a/doc/export_mod/mass_eql_export.json b/doc/export_mod/mass_eql_export.json new file mode 100644 index 0000000..ae18938 --- /dev/null +++ b/doc/export_mod/mass_eql_export.json @@ -0,0 +1,8 @@ +{ + "description": "Mass EQL query export for a MISP event.", + "requirements": [], + "features": "This module produces EQL queries for all relevant attributes in a MISP event.", + "references": [], + "input": "MISP Event attributes", + "output": "Text file containing one or more EQL queries" + } \ No newline at end of file diff --git a/docs/index.md b/docs/index.md index bb09e5a..1297a3b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -35,6 +35,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/ * [docx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/docx-enrich.py) - an enrichment module to get text out of Word document into MISP (using free-text parser). * [DomainTools](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois. * [EUPI](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en). +* [EQL](misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/) * [Farsight DNSDB Passive DNS](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information. * [GeoIP](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind. * [Greynoise](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise. @@ -87,6 +88,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/ * [Cisco FireSight Manager ACL rule](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) module to export as rule for the Cisco FireSight manager ACL. * [GoAML export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/goamlexport.py) module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html). * [Lite Export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/liteexport.py) module to export a lite event. +* [Mass EQL Export](misp_modules/modules/export_mod/mass_eql_export.py) module to export applicable attributes from an event to a mass EQL query. * [PDF export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py) module to export an event in PDF. * [Nexthink query format](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/nexthinkexport.py) module to export in Nexthink query format. * [osquery](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py) module to export in [osquery](https://osquery.io/) query format.