mirror of https://github.com/MISP/misp-modules
added domain attributes support
parent
537f9132f5
commit
b64c3e4bf4
|
@ -1,7 +1,7 @@
|
||||||
"""
|
"""
|
||||||
Export module for coverting MISP events into Nexthink NXQL queries.
|
Export module for coverting MISP events into Nexthink NXQL queries.
|
||||||
Source: https://github.com/HacknowledgeCH/misp-modules/blob/master/misp_modules/modules/export_mod/nexthinkexport.py
|
Source: https://github.com/HacknowledgeCH/misp-modules/blob/master/misp_modules/modules/export_mod/nexthinkexport.py
|
||||||
Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...)
|
Config['Period'] : allows to define period over witch to look for IOC from now (15m, 1d, 2w, 30d, ...), see Nexthink data model documentation
|
||||||
"""
|
"""
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
|
@ -10,7 +10,7 @@ import re
|
||||||
|
|
||||||
misperrors = {"error": "Error"}
|
misperrors = {"error": "Error"}
|
||||||
|
|
||||||
types_to_use = ['sha1', 'md5']
|
types_to_use = ['sha1', 'sha256', 'md5', 'domain']
|
||||||
|
|
||||||
userConfig = {
|
userConfig = {
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ userConfig = {
|
||||||
moduleconfig = ["Period"]
|
moduleconfig = ["Period"]
|
||||||
inputSource = ['event']
|
inputSource = ['event']
|
||||||
|
|
||||||
outputFileExtension = 'conf'
|
outputFileExtension = 'nxql'
|
||||||
responseType = 'application/txt'
|
responseType = 'application/txt'
|
||||||
|
|
||||||
|
|
||||||
|
@ -27,7 +27,6 @@ moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge',
|
||||||
'description': 'Nexthink NXQL query export module',
|
'description': 'Nexthink NXQL query export module',
|
||||||
'module-type': ['export']}
|
'module-type': ['export']}
|
||||||
|
|
||||||
|
|
||||||
def handle_sha1(value, period):
|
def handle_sha1(value, period):
|
||||||
query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
|
query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
|
||||||
(from (binary user device execution)
|
(from (binary user device execution)
|
||||||
|
@ -37,6 +36,15 @@ def handle_sha1(value, period):
|
||||||
''' % (value, period)
|
''' % (value, period)
|
||||||
return query.replace('\n', ' ')
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
|
def handle_sha256(value, period):
|
||||||
|
query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
|
||||||
|
(from (binary user device execution)
|
||||||
|
(where binary (eq sha256 (sha256 %s)))
|
||||||
|
(between now-%s now))
|
||||||
|
(limit 1000)
|
||||||
|
''' % (value, period)
|
||||||
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
def handle_md5(value, period):
|
def handle_md5(value, period):
|
||||||
query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
|
query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
|
||||||
(from (binary user device execution)
|
(from (binary user device execution)
|
||||||
|
@ -46,9 +54,21 @@ def handle_md5(value, period):
|
||||||
''' % (value, period)
|
''' % (value, period)
|
||||||
return query.replace('\n', ' ')
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
|
def handle_domain(value, period):
|
||||||
|
query = '''select ((device name) (device (name last_ip_address)) (user name)(user department) (binary executable_name)(binary application_name)(binary description)(binary application_category)(binary (executable_name version)) (binary #"Suspicious binary")(binary first_seen)(binary last_seen)(binary threat_level)(binary hash) (binary paths)
|
||||||
|
(destination name)(domain name) (domain domain_category)(domain hosting_country)(domain protocol)(domain threat_level) (port port_number)(web_request incoming_traffic)(web_request outgoing_traffic))
|
||||||
|
(from (web_request device user binary executable destination domain port)
|
||||||
|
(where domain (eq name(string %s)))
|
||||||
|
(between now-%s now))
|
||||||
|
(limit 1000)
|
||||||
|
''' % (value, period)
|
||||||
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
handlers = {
|
handlers = {
|
||||||
'sha1': handle_sha1,
|
'sha1': handle_sha1,
|
||||||
'md5': handle_md5
|
'sha256': handle_sha256,
|
||||||
|
'md5': handle_md5,
|
||||||
|
'domain': handle_domain
|
||||||
}
|
}
|
||||||
|
|
||||||
def handler(q=False):
|
def handler(q=False):
|
||||||
|
|
Loading…
Reference in New Issue