Added EQL enrichment module

misp_modules/modules/expansion/__init__.py

@@ -4,7 +4,7 @@ import sys
 sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3])))
 
 __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
-           'countrycode', 'cve', 'cve_advanced', 'dns', 'btc_steroids', 'domaintools', 'eupi',
+           'countrycode', 'cve', 'cve_advanced', 'dns', 'btc_steroids', 'domaintools', 'eupi', 'eql',
            'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal',
            'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep',
            'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon',

misp_modules/modules/expansion/eql.py

@@ -0,0 +1,105 @@
+"""
+Export module for converting MISP events into Endgame EQL queries
+"""
+import base64
+import csv
+import io
+import json
+import logging
+
+misperrors = {"error": "Error"}
+
+moduleinfo = {
+    "version": "0.1",
+    "author": "92 COS DOM",
+    "description": "Generates EQL queries from events",
+    "module-type": ["expansion"]
+}
+
+# Map of MISP fields => ThreatConnect fields
+fieldmap = {
+#    "domain": "Host",
+#    "domain|ip": "Host|Address",
+#    "hostname": "hostname",
+    "ip-src": "source_address",
+    "ip-dst": "destination_address",
+#    "ip-src|port": "Address",
+#    "ip-dst|port": "Address",
+#    "url": "URL",
+    "filename": "file_name"
+}
+
+# Describe what events have what fields
+event_types = {
+    "source_address": "network",
+    "destination_address": "network",
+    "file_name": "file"
+}
+
+# combine all the MISP fields from fieldmap into one big list
+mispattributes = {
+    "input": list(fieldmap.keys())
+}
+
+
+def handler(q=False):
+    """
+    Convert a MISP query into a CSV file matching the ThreatConnect Structured Import file format.
+    Input
+        q: Query dictionary
+    """
+    if q is False or not q:
+        return False
+
+    # Check if we were given a configuration
+    request = json.loads(q)
+    config = request.get("config", {"Default_Source": ""})
+    logging.info("Setting config to: %s", config)
+
+    # start parsing MISP data
+    queryDict = {}
+    for event in request["data"]:
+        for attribute in event["Attribute"]:
+            if attribute["type"] in mispattributes["input"]:
+                logging.debug("Adding %s to EQL query", attribute["value"])
+                event_type = event_types[fieldmap[attribute["type"]]]
+                if event_type not in queryDict.keys():
+                    queryDict[event_type] = {}
+                queryDict[event_type][attribute["value"]] = fieldmap[attribute["type"]]
+    
+    response = []
+    fullEql = ""
+    for query in queryDict.keys():
+        fullEql += "{} where\n".format(query)
+        for value in queryDict[query].keys():
+            fullEql += "\t{} == \"{}\"\n".format(queryDict[query][value], value)
+    response.append({'types': ['comment'], 'categories': ['External analysis'], 'values': fullEql, 'comment': "Event EQL queries"})
+    return {'results': response}
+
+
+def introspection():
+    """
+    Relay the supported attributes to MISP.
+    No Input
+    Output
+        Dictionary of supported MISP attributes
+    """
+#    modulesetup = {
+#        "responseType": "application/txt",
+#        "outputFileExtension": "txt",
+#        "userConfig": {},
+#        "inputSource": []
+#    }
+#    return modulesetup
+    return mispattributes
+
+
+def version():
+    """
+    Relay module version and associated metadata to MISP.
+    No Input
+    Output
+        moduleinfo: metadata output containing all potential configuration values
+    """
+    #moduleinfo["config"] = moduleconfig
+    return moduleinfo