Changed to single attribute EQL

misp_modules/modules/expansion/eql.py

@@ -56,23 +56,19 @@ def handler(q=False):
     config = request.get("config", {"Default_Source": ""})
     logging.info("Setting config to: %s", config)
 
-    # start parsing MISP data
+    for supportedType in fieldmap.keys():
-    queryDict = {}
+        if request.get(supportedType):
-    for event in request["data"]:
+            attrType = supportedType
-        for attribute in event["Attribute"]:
+
-            if attribute["type"] in mispattributes["input"]:
+    if attrType:
-                logging.debug("Adding %s to EQL query", attribute["value"])
+        eqlType = fieldmap[attrType]
-                event_type = event_types[fieldmap[attribute["type"]]]
+        event_type = event_type[eqlType]
-                if event_type not in queryDict.keys():
+        fullEql = "{} where {} == \"{}\"".format(event_type, eqlType, request[attrType])
-                    queryDict[event_type] = {}
+    else:
-                queryDict[event_type][attribute["value"]] = fieldmap[attribute["type"]]
+        misperrors['error'] = "Unsupported attributes type"
-    
+        return misperrors
+
     response = []
-    fullEql = ""
-    for query in queryDict.keys():
-        fullEql += "{} where\n".format(query)
-        for value in queryDict[query].keys():
-            fullEql += "\t{} == \"{}\"\n".format(queryDict[query][value], value)
     response.append({'types': ['comment'], 'categories': ['External analysis'], 'values': fullEql, 'comment': "Event EQL queries"})
     return {'results': response}