From 6e2b38d9e0059ca917d9c95516c0f1de9cacce30 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 16 Nov 2018 15:11:48 +0100
Subject: [PATCH] add: Update to support domain|ip attributes
- Also including separate parsing of each part of the composite domain|ip value
---
 misp_modules/modules/expansion/crowdstrike_falcon.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/misp_modules/modules/expansion/crowdstrike_falcon.py b/misp_modules/modules/expansion/crowdstrike_falcon.py
index 100fa2ae..472176c8 100755
--- a/misp_modules/modules/expansion/crowdstrike_falcon.py
+++ b/misp_modules/modules/expansion/crowdstrike_falcon.py
@@ -7,7 +7,7 @@ moduleinfo = {'version': '0.1', 'module-type': ['expansion']}
 moduleconfig = ['api_id', 'apikey']
 misperrors = {'error': 'Error'}
-misp_types_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
+misp_types_in = ['domain', 'domain|ip', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
 'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url', 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
 mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
@@ -51,9 +51,12 @@ def handler(q=False):
 valid_type = False
 for k in misp_types_in:
 if request.get(k):
- # map the MISP typ to the CrowdStrike type
- for item in lookup_indicator(client, request[k]):
- r['results'].append(item)
+ to_query = request[k]
+ if '|' in k:
+ to_query, query = to_query.split('|')
+ r['result'].extend([ item for item in lookup_indicator(client, query)])
+ # map the MISP type to the CrowdStrike type
+ r['results'].extend([item for item in lookup_indicator(client, to_query)])
 valid_type = True
 if not valid_type:
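Review bot: The new `r['result'].extend(...)` inside the `'|' in k` branch writes to the key `result`, while the line just below it and the removed code both use `r['results']`; unless `r` is created with both keys outside the hunk, every `domain|ip` attribute will raise `KeyError` here instead of contributing the ip-part lookup, so it should read `r['results'].extend(lookup_indicator(client, query))`. The two-name unpack `to_query, query = to_query.split('|')` raises `ValueError` whenever the attribute value does not contain exactly one `|`, and because that value comes straight from the request a malformed composite would crash `handler` rather than reach the module's error path; `to_query, _, query = to_query.partition('|')` always splits on the first separator, and the second lookup can then be skipped when `query` is empty. The surrounding list comprehensions add nothing — `r['results'].extend(lookup_indicator(client, to_query))` is equivalent and matches the style of the line above. `handler` and the construction of `r` begin before this hunk.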