From b64c3e4bf4f2af06257cf196388429d3db959034 Mon Sep 17 00:00:00 2001 From: milkmix Date: Mon, 24 Dec 2018 17:07:45 +0100 Subject: [PATCH] added domain attributes support --- .../modules/export_mod/nexthinkexport.py | 30 +++++++++++++++---- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/misp_modules/modules/export_mod/nexthinkexport.py b/misp_modules/modules/export_mod/nexthinkexport.py index ee05923..eaa2f7a 100755 --- a/misp_modules/modules/export_mod/nexthinkexport.py +++ b/misp_modules/modules/export_mod/nexthinkexport.py @@ -1,7 +1,7 @@ """ Export module for coverting MISP events into Nexthink NXQL queries. Source: https://github.com/HacknowledgeCH/misp-modules/blob/master/misp_modules/modules/export_mod/nexthinkexport.py -Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...) +Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...), see Nexthink data model documentation """ import base64 @@ -10,7 +10,7 @@ import re misperrors = {"error": "Error"} -types_to_use = ['sha1', 'md5'] +types_to_use = ['sha1', 'sha256', 'md5', 'domain'] userConfig = { @@ -19,7 +19,7 @@ userConfig = { moduleconfig = ["Period"] inputSource = ['event'] -outputFileExtension = 'conf' +outputFileExtension = 'nxql' responseType = 'application/txt' @@ -27,7 +27,6 @@ moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge', 'description': 'Nexthink NXQL query export module', 'module-type': ['export']} - def handle_sha1(value, period): query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time))) (from (binary user device execution) @@ -37,6 +36,15 @@ def handle_sha1(value, period): ''' % (value, period) return query.replace('\n', ' ') +def handle_sha256(value, period): + query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time))) +(from (binary user device execution) +(where binary (eq sha256 (sha256 %s))) +(between now-%s now)) +(limit 1000) + ''' % (value, period) + return query.replace('\n', ' ') + def handle_md5(value, period): query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time))) (from (binary user device execution) @@ -46,9 +54,21 @@ def handle_md5(value, period): ''' % (value, period) return query.replace('\n', ' ') +def handle_domain(value, period): + query = '''select ((device name) (device (name last_ip_address)) (user name)(user department) (binary executable_name)(binary application_name)(binary description)(binary application_category)(binary (executable_name version)) (binary #"Suspicious binary")(binary first_seen)(binary last_seen)(binary threat_level)(binary hash) (binary paths) +(destination name)(domain name) (domain domain_category)(domain hosting_country)(domain protocol)(domain threat_level) (port port_number)(web_request incoming_traffic)(web_request outgoing_traffic)) +(from (web_request device user binary executable destination domain port) +(where domain (eq name(string %s))) +(between now-%s now)) +(limit 1000) + ''' % (value, period) + return query.replace('\n', ' ') + handlers = { 'sha1': handle_sha1, - 'md5': handle_md5 + 'sha256': handle_sha256, + 'md5': handle_md5, + 'domain': handle_domain } def handler(q=False):