add: Update to support domain|ip attributes

- Also including separate parsing of each part of
  the composite domain|ip value
composite_attributes_proposal
chrisr3d 2018-11-16 15:11:48 +01:00
parent 839c8de0eb
commit 6e2b38d9e0
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 7 additions and 4 deletions


@ -7,7 +7,7 @@ moduleinfo = {'version': '0.1',
'module-type': ['expansion']}
moduleconfig = ['api_id', 'apikey']
misperrors = {'error': 'Error'}
misp_types_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
misp_types_in = ['domain', 'domain|ip', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url',
'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
@ -51,9 +51,12 @@ def handler(q=False):
valid_type = False
for k in misp_types_in:
if request.get(k):
# map the MISP typ to the CrowdStrike type
for item in lookup_indicator(client, request[k]):
r['results'].append(item)
to_query = request[k]
if '|' in k:
to_query, query = to_query.split('|')
r['result'].extend([ item for item in lookup_indicator(client, query)])
# map the MISP type to the CrowdStrike type
r['results'].extend([item for item in lookup_indicator(client, to_query)])
valid_type = True
if not valid_type:
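Review bot: The added `r['result'].extend(...)` line writes to the key `'result'`, while the line after it and the removed code use `'results'`; unless `r` is initialised with both keys outside this hunk, a `domain|ip` request will raise a KeyError instead of returning lookup results. The unpacking `to_query, query = to_query.split('|')` also raises ValueError when the request value does not contain exactly one `|`, and since that value comes straight from the request, a malformed attribute crashes the handler instead of producing a `misperrors` response. Both are avoided by iterating over the parts: `for part in (request[k].split('|') if '|' in k else [request[k]]):` followed by `r['results'].extend(lookup_indicator(client, part))`. The list comprehensions wrapped around `lookup_indicator(...)` are then unnecessary, because `extend` accepts any iterable. `handler` starts and ends outside the hunk.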