From a6db0b163ffde17857a1e4d93c540091d9698d25 Mon Sep 17 00:00:00 2001
From: maikwuerth
Date: Thu, 6 Jul 2023 16:18:46 +0200
Subject: [PATCH 1/2] add period to query and changed query for url and domain hunts

---
 .../export_mod/defender_endpoint_export.py | 39 ++++++++++++-------
 1 file changed, 25 insertions(+), 14 deletions(-)

diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py
index cdab0bf..9921c7e 100755
--- a/misp_modules/modules/export_mod/defender_endpoint_export.py
+++ b/misp_modules/modules/export_mod/defender_endpoint_export.py
@@ -26,38 +26,48 @@ moduleinfo = {'version': '1.1', 'author': 'Julien Bachmann, Hacknowledge, Maik W
 def handle_sha256(value, period):
- query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
- where SHA256 == '{value}' or InitiatingProcessSHA1 == '{value}'"""
+ query = f"""find in (DeviceEvents, DeviceAlertEvents,AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
+ where (SHA256 == '{value}' or InitiatingProcessSHA1 == '{value}') and
+ Timestamp between(ago({period}) .. now())"""
 return query.replace('\n', ' ')
 def handle_sha1(value, period):
- query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
- where SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}'"""
+ query = f"""find in (DeviceEvents, DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
+ where (SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}') and
+ Timestamp between(ago({period}) .. now())"""
 return query.replace('\n', ' ')
 def handle_md5(value, period):
- query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
- where MD5 == '{value}' or InitiatingProcessMD5 == '{value}'"""
+ query = f"""find in (DeviceEvents, DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
+ where (MD5 == '{value}' or InitiatingProcessMD5 == '{value}') and
+ Timestamp between(ago({period}) .. now())"""
 return query.replace('\n', ' ')
 def handle_domain(value, period):
- query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
- where RemoteUrl contains '{value}'"""
+ query = f"""find in (DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceNetworkEvents)
+ where RemoteUrl contains '{value}' and
+ Timestamp between(ago({period}) .. 
now())"""
 return query.replace('\n', ' ')
 def handle_ip(value, period):
- query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
- where RemoteIP == '{value}'"""
+ query = f"""find in (DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceNetworkEvents)
+ where RemoteIP == '{value}' and
+ Timestamp between(ago({period}) .. now())"""
 return query.replace('\n', ' ')
 def handle_url(value, period):
- query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
- where RemoteUrl startswith '{value}'"""
+ query = f"""let url = '{value}';
+ search in (EmailUrlInfo,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceEvents,BehaviorEntities, AlertInfo, AlertEvidence, DeviceAlertEvents)
+ Timestamp between(ago({period}) .. now()) and
+ RemoteUrl has url
+ or FileOriginUrl has url
+ or FileOriginReferrerUrl has url
+ or Url has url"""
 return query.replace('\n', ' ')
@@ -65,8 +75,9 @@ handlers = {
 'sha256': handle_sha256,
 'sha1': handle_sha1,
 'md5': handle_md5,
- 'domain': handle_domain,
- 'ip': handle_ip,
+ 'domain': handle_url,
+ 'ip-src': handle_ip,
+ 'ip-dst': handle_ip,
 'url': handle_url
 }

From b074801b00bc23106d9e3f5d9470ab869e355351 Mon Sep 17 00:00:00 2001
From: maikwuerth
Date: Fri, 7 Jul 2023 10:40:54 +0200
Subject: [PATCH 2/2] add ip-src and ip-dst to types_to_use

---
 misp_modules/modules/export_mod/defender_endpoint_export.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py
index 9921c7e..2a5d39a 100755
--- a/misp_modules/modules/export_mod/defender_endpoint_export.py
+++ b/misp_modules/modules/export_mod/defender_endpoint_export.py
@@ -8,7 +8,7 @@ import json
 misperrors = {"error": "Error"}
-types_to_use = ['sha256', 'sha1', 'md5', 'domain', 'ip', 'url']
+types_to_use = ['sha256', 'sha1', 'md5', 'domain', 'ip-src', 'ip-dst', 'url']
 userConfig = {
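Review bot: In the new handle_url query the time window only constrains the first predicate: KQL's `and` binds tighter than `or`, so `Timestamp between(...) and RemoteUrl has url or FileOriginUrl has url or ...` applies the period to `RemoteUrl` alone and lets the other three `or` branches match across all retained data, which defeats the point of adding `period`. Parenthesise the alternation: `+ Timestamp between(ago({period}) .. now()) and (RemoteUrl has url or FileOriginUrl has url or FileOriginReferrerUrl has url or Url has url)"""`. Separately, every handler in this hunk still splices `value` and `period` into the KQL text with an f-string; a MISP attribute containing a single quote (domains, URLs and user-supplied `period` are free text) ends the string literal and the remainder is parsed as query syntax, and nothing in the hunk rejects it — validate per type before formatting (hex-only for the hash handlers, `ipaddress.ip_address` for handle_ip, a `^\d+[dhm]$`-style check for `period`, and reject or double the `'` in domain/url values), or at least add `# NOTE: value/period are interpolated unescaped into KQL — callers must validate them` above the handlers. The hunk also adds `AlertInfo`/`AlertEvidence` to every `find in` list, which I cannot verify exposes the `SHA256`/`RemoteIP` column names used here in the target tenant.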
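Review bot: Remapping `'domain': handle_url` leaves `handle_domain`, which the previous hunk just rewrote to add the period filter, with no caller in `handlers`; either drop the now-dead function or keep `'domain': handle_domain` so the `contains` substring match it was written for stays in use. If routing domains through handle_url is intentional, note that `has` is a term match rather than a substring match, so whether a bare domain value is found inside a full URL column depends on Defender's tokenisation — worth confirming with a real hunt before relying on it, and worth a comment such as `# domains are hunted with the URL query; 'has' is term-based, not substring` next to the mapping.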