From c4d333f8b9c5c9d34cf2ae93682b8c9456f1f25c Mon Sep 17 00:00:00 2001 From: Braden Laverick Date: Thu, 31 Oct 2019 17:20:35 +0000 Subject: [PATCH 1/2] Updated README to include EQL modules --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 462e4c1..5cade1d 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [docx-enrich](misp_modules/modules/expansion/docx-enrich.py) - an enrichment module to get text out of Word document into MISP (using free-text parser). * [DomainTools](misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois. * [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en). +* [EQL](misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/) * [Farsight DNSDB Passive DNS](misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information. * [GeoIP](misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind. * [Greynoise](misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise. @@ -86,6 +87,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [GoAML export](misp_modules/modules/export_mod/goamlexport.py) module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html). * [Lite Export](misp_modules/modules/export_mod/liteexport.py) module to export a lite event. * [PDF export](misp_modules/modules/export_mod/pdfexport.py) module to export an event in PDF. +* [Mass EQL Export](misp_modules/modules/export_mod/mass_eql_export.py) module to export applicable attributes from an event to a mass EQL query. * [Nexthink query format](misp_modules/modules/export_mod/nexthinkexport.py) module to export in Nexthink query format. * [osquery](misp_modules/modules/export_mod/osqueryexport.py) module to export in [osquery](https://osquery.io/) query format. * [ThreatConnect](misp_modules/modules/export_mod/threat_connect_export.py) module to export in ThreatConnect CSV format. From 26ab7f69e23c4fe707529d95267e6c4c5e963f17 Mon Sep 17 00:00:00 2001 From: Braden Laverick Date: Thu, 31 Oct 2019 17:28:07 +0000 Subject: [PATCH 2/2] Added documentation json for new modules --- doc/expansion/eql.json | 8 ++++++++ doc/export_mod/mass_eql_export.json | 8 ++++++++ docs/index.md | 2 ++ 3 files changed, 18 insertions(+) create mode 100644 doc/expansion/eql.json create mode 100644 doc/export_mod/mass_eql_export.json diff --git a/doc/expansion/eql.json b/doc/expansion/eql.json new file mode 100644 index 0000000..bc5e71f --- /dev/null +++ b/doc/expansion/eql.json @@ -0,0 +1,8 @@ +{ + "description": "EQL query generation for a MISP attribute.", + "requirements": [], + "features": "This module adds a new attribute to a MISP event containing an EQL query for a network or file attribute.", + "references": [], + "input": "MISP Event attributes", + "output": "Event attribute containing EQL for a network or file attribute." + } \ No newline at end of file diff --git a/doc/export_mod/mass_eql_export.json b/doc/export_mod/mass_eql_export.json new file mode 100644 index 0000000..ae18938 --- /dev/null +++ b/doc/export_mod/mass_eql_export.json @@ -0,0 +1,8 @@ +{ + "description": "Mass EQL query export for a MISP event.", + "requirements": [], + "features": "This module produces EQL queries for all relevant attributes in a MISP event.", + "references": [], + "input": "MISP Event attributes", + "output": "Text file containing one or more EQL queries" + } \ No newline at end of file diff --git a/docs/index.md b/docs/index.md index bb09e5a..1297a3b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -35,6 +35,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/ * [docx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/docx-enrich.py) - an enrichment module to get text out of Word document into MISP (using free-text parser). * [DomainTools](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois. * [EUPI](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en). +* [EQL](misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/) * [Farsight DNSDB Passive DNS](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information. * [GeoIP](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind. * [Greynoise](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise. @@ -87,6 +88,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/ * [Cisco FireSight Manager ACL rule](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) module to export as rule for the Cisco FireSight manager ACL. * [GoAML export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/goamlexport.py) module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html). * [Lite Export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/liteexport.py) module to export a lite event. +* [Mass EQL Export](misp_modules/modules/export_mod/mass_eql_export.py) module to export applicable attributes from an event to a mass EQL query. * [PDF export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py) module to export an event in PDF. * [Nexthink query format](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/nexthinkexport.py) module to export in Nexthink query format. * [osquery](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py) module to export in [osquery](https://osquery.io/) query format.