chg: [documentation] updated

pull/496/head
Alexandre Dulaunoy 2021-03-31 14:05:32 +02:00
parent a2282c4721
commit 51e6122c67
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 27 additions and 15 deletions

@ -516,9 +516,6 @@ Module to access Farsight DNSDB Passive DNS.
>An API key is required to submit queries to the API.
> It is also possible to define a custom server URL, and to set a limit of results to get.
> This limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit).
>
>Additionally to the lookup queries, responses from flex queries can be returned with the results.
>To get this additional data with the results, there is a `flex_queries` configuration parameter to set to `true`. The module submit then regex queries to the API, using the domain, hostname or IP address as keyword for the search. Passive-dns objects are returned next to the ones resulting from the lookup queries.
- **input**:
>A domain, hostname or IP address MISP attribute.
- **output**:
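Review bot: the header `-516,9 +516,6` shows three lines of the farsight_passivedns description being dropped with nothing added, and the rendered view does not mark which of the lines above they are, so please confirm in the PR that the `flex_queries` parameter and the per-lookup limit behaviour (twice the limit for domain/hostname queries) are still documented after regeneration, because this README is the only user-facing reference for those options. The surviving description text also needs a grammar pass at its source (the module's own description string, since the README is generated): `>Additionally to the lookup queries, responses from flex queries can be returned with the results.` should read "In addition to the lookup queries, ...", and `The module submit then regex queries to the API` should read "The module then submits regex queries to the API".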
@ -527,7 +524,7 @@ Module to access Farsight DNSDB Passive DNS.
> - https://www.farsightsecurity.com/
> - https://docs.dnsdb.info/dnsdb-api/
- **requirements**:
>An access to the Farsight Passive DNS API (apikey), The dnsdb2 python library
>An access to the Farsight Passive DNS API (apikey)
-----
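Review bot: the requirements entry `>An access to the Farsight Passive DNS API (apikey), The dnsdb2 python library` folds two requirements into one comma-joined line with a stray capital; the GreyNoise section in this same commit uses one `> - ` bullet per requirement, so split it into `> - An access to the Farsight Passive DNS API (apikey)` and `> - The dnsdb2 python library`. Since this commit touches only the README (1 changed file), make sure the dnsdb2 dependency is also declared in the project's dependency list in another commit of the PR, otherwise the documented requirement cannot be satisfied by installing the modules.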
@ -611,17 +608,16 @@ Module to query a local copy of Maxmind's Geolite database.
Module to access GreyNoise.io API
- **features**:
>The module takes an IP address as input and queries GreyNoise for some additional information about it: basically it checks whether a given IP address is “Internet background noise”, or has been observed scanning or attacking devices across the Internet. The result is returned as text.
>The module takes an IP address as input and queries Greynoise for some additional information about it: basically it checks whether a given IP address is “Internet background noise”, or has been observed scanning or attacking devices across the Internet. The result is returned as text.
- **input**:
>An IP address.
- **output**:
>Additional information about the IP fetched from GreyNoise API.
>Additional information about the IP fetched from Greynoise API.
- **references**:
> - https://greynoise.io/
> - https://developer.greynoise.io/
> - https://github.com/GreyNoise-Intelligence/api.greynoise.io
- **requirements**:
> - A GreyNoise API key.
> - A GreyNoise API Type selection of "community" or "enterprise" based API key type
>A Greynoise API key.
-----
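Review bot: the new requirement `> - A GreyNoise API Type selection of "community" or "enterprise" based API key type` is hard to parse and does not name the configuration option the user has to set; reword it to something like `> - The GreyNoise API type ("community" or "enterprise") matching the API key` and name the module config parameter if one exists. The features paragraph above it changed only in capitalisation (Greynoise to GreyNoise) and still says nothing about the API type, so if the community and enterprise endpoints return different data, the `features` text should say so.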
@ -1757,6 +1753,22 @@ Module to export malicious network activity attributes to Cisco fireSIGHT manage
-----
#### [defender_endpoint_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py)
<img src=logos/defender_endpoint.png height=60>
Defender for Endpoint KQL hunting query export module
- **features**:
>This module export an event as Defender for Endpoint KQL queries that can then be used in your own python3 or Powershell tool. If you are using Microsoft Sentinel, you can directly connect your MISP instance to Sentinel and then create queries using the `ThreatIntelligenceIndicator` table to match events against imported IOC.
- **input**:
>MISP Event attributes
- **output**:
>Defender for Endpoint KQL queries
- **references**:
>https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference
-----
#### [goamlexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py)
<img src=logos/goAML.jpg height=60>
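Review bot: the `references` entry for defender_endpoint_export is a bare `>https://docs.microsoft.com/...` line while every other section in this file lists references as `> - ` bullets (compare the farsight and GreyNoise sections above), and the section's prose needs a pass at its source in the module: `This module export an event` should be `This module exports an event`, `Powershell` should be `PowerShell`, and `imported IOC` should be `imported IOCs`. Both the logo `logos/defender_endpoint.png` and the link target `export_mod/defender_endpoint_export.py` must exist in the tree for this section to render; this commit changes only one file, so confirm they are added elsewhere in the PR.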