From 8cc4774be5623167efa14e0e6392b45bdb59df9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maik=20W=C3=BCrth?= Date: Fri, 10 Mar 2023 15:48:28 +0100 Subject: [PATCH 1/3] Export object attributes with Defender export module. --- .../modules/export_mod/defender_endpoint_export.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py index 1c36efb..662f11d 100755 --- a/misp_modules/modules/export_mod/defender_endpoint_export.py +++ b/misp_modules/modules/export_mod/defender_endpoint_export.py @@ -8,7 +8,7 @@ import json misperrors = {"error": "Error"} -types_to_use = ['sha1', 'md5', 'domain', 'ip', 'url'] +types_to_use = ['sha256', 'sha1', 'md5', 'domain', 'ip', 'url'] userConfig = { @@ -25,6 +25,12 @@ moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge', 'module-type': ['export']} +def handle_sha256(value, period): + query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents) + where SHA256 == '{value}' or InitiatingProcessSHA1 == '{value}'""" + return query.replace('\n', ' ') + + def handle_sha1(value, period): query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents) where SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}'""" @@ -56,6 +62,7 @@ def handle_url(value, period): handlers = { + 'sha256': handle_sha256, 'sha1': handle_sha1, 'md5': handle_md5, 'domain': handle_domain, 
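Review bot: The new handle_sha256 query in the @@ -25,6 +25,12 @@ hunk compares the SHA-256 value against `InitiatingProcessSHA1`, which looks like a copy-paste remnant of handle_sha1: a 64-hex-character value can never equal a SHA-1 column, so the second disjunct is dead and initiating-process hits are silently missed; it should read `where SHA256 == '{value}' or InitiatingProcessSHA256 == '{value}'` (the process/file event tables expose that column; `find in` tolerates tables that lack it). Separately, the attribute value is interpolated straight into the KQL string, so a value containing a single quote breaks out of the literal in the generated hunting query; the sibling handlers share this pattern, but a hash handler can cheaply reject malformed input with `if not re.fullmatch(r'[0-9a-fA-F]{64}', value): raise ValueError('sha256 must be a 64-char hex digest')` before formatting (re would need importing), or at minimum a docstring stating that value is expected to be a 64-character hex digest. The `period` parameter is accepted but unused, as in the existing handlers.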
@@ -75,6 +82,10 @@ def handler(q=False): for attribute in event["Attribute"]: if attribute['type'] in types_to_use: output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n' + for obj in event["Object"] + for attribute in obj["Attribute"]: + if attribute['type'] in types_to_use: + output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n' r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')} return r From db5e56c7b26c3e1280efd5ce1163a4b59a45f7e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maik=20W=C3=BCrth?= Date: Fri, 10 Mar 2023 16:08:49 +0100 Subject: [PATCH 2/3] Added support for SHA256 and MISPObject attributes to Defender export module. --- misp_modules/modules/export_mod/defender_endpoint_export.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py index 662f11d..5f10770 100755 --- a/misp_modules/modules/export_mod/defender_endpoint_export.py +++ b/misp_modules/modules/export_mod/defender_endpoint_export.py @@ -82,7 +82,7 @@ def handler(q=False): for attribute in event["Attribute"]: if attribute['type'] in types_to_use: output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n' - for obj in event["Object"] + for obj in event["Object"]: for attribute in obj["Attribute"]: if attribute['type'] in types_to_use: output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n' From ff92b2c5ccaf303948e3017dfb112cd377247385 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maik=20W=C3=BCrth?= Date: Fri, 10 Mar 2023 16:17:56 +0100 Subject: [PATCH 3/3] updated moduleInfo --- misp_modules/modules/export_mod/defender_endpoint_export.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
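Review bot: The added object loop in the @@ -75,6 +82,10 @@ hunk indexes `event["Object"]` unconditionally, so an exported event that carries no Object key at all (rather than an empty list) would now fail the whole export with a KeyError, whereas `for obj in event.get("Object", []):` preserves the previous behaviour for such events; I cannot tell from the hunk whether MISP always populates the key, so treat this as a guard worth confirming. The inner loop also repeats the three lines of the preceding attribute loop verbatim; gathering both sources once, e.g. `attributes = itertools.chain(event["Attribute"], *(obj["Attribute"] for obj in event.get("Object", [])))`, would leave a single filter-and-format loop to maintain (itertools would need importing). The `for obj in event["Object"]` line is missing its trailing colon in this patch, which the second patch of the series corrects. handler() begins before this hunk.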
diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py index 5f10770..cdab0bf 100755 --- a/misp_modules/modules/export_mod/defender_endpoint_export.py +++ b/misp_modules/modules/export_mod/defender_endpoint_export.py @@ -20,7 +20,7 @@ inputSource = ['event'] outputFileExtension = 'kql' responseType = 'application/txt' -moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge', +moduleinfo = {'version': '1.1', 'author': 'Julien Bachmann, Hacknowledge, Maik Wuerth', 'description': 'Defender for Endpoint KQL hunting query export module', 'module-type': ['export']}