MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity
misp-modules/misp_modules/modules/export_mod/defender_endpoint_export.py

132 lines
4.2 KiB
Python
Executable File
Raw Permalink Blame History

"""
Export module for coverting MISP events into Defender for Endpoint KQL queries.
Config['Period'] : allows to define period over witch to look for IOC from now
"""
import base64
import json
misperrors = {"error": "Error"}
types_to_use = ['sha256', 'sha1', 'md5', 'domain', 'ip-src', 'ip-dst', 'url']
userConfig = {
}
moduleconfig = ["Period"]
inputSource = ['event']
outputFileExtension = 'kql'
responseType = 'application/txt'
moduleinfo = {'version': '1.1', 'author': 'Julien Bachmann, Hacknowledge, Maik Wuerth',
'description': 'Defender for Endpoint KQL hunting query export module',
'module-type': ['export']}
def handle_sha256(value, period):
query = f"""find in (DeviceEvents, DeviceAlertEvents,AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
where (SHA256 == '{value}' or InitiatingProcessSHA1 == '{value}') and
Timestamp between(ago({period}) .. now())"""
return query.replace('\n', ' ')
def handle_sha1(value, period):
query = f"""find in (DeviceEvents, DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
where (SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}') and
Timestamp between(ago({period}) .. now())"""
return query.replace('\n', ' ')
def handle_md5(value, period):
query = f"""find in (DeviceEvents, DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
where (MD5 == '{value}' or InitiatingProcessMD5 == '{value}') and
Timestamp between(ago({period}) .. now())"""
return query.replace('\n', ' ')
def handle_domain(value, period):
query = f"""find in (DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceNetworkEvents)
where RemoteUrl contains '{value}' and
Timestamp between(ago({period}) .. now())"""
return query.replace('\n', ' ')
def handle_ip(value, period):
query = f"""find in (DeviceAlertEvents, AlertInfo, AlertEvidence, DeviceNetworkEvents)
where RemoteIP == '{value}' and
Timestamp between(ago({period}) .. now())"""
return query.replace('\n', ' ')
def handle_url(value, period):
query = f"""let url = '{value}';
search in (EmailUrlInfo,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents,DeviceEvents,BehaviorEntities, AlertInfo, AlertEvidence, DeviceAlertEvents)
Timestamp between(ago({period}) .. now()) and
RemoteUrl has url
or FileOriginUrl has url
or FileOriginReferrerUrl has url
or Url has url"""
return query.replace('\n', ' ')
handlers = {
'sha256': handle_sha256,
'sha1': handle_sha1,
'md5': handle_md5,
'domain': handle_url,
'ip-src': handle_ip,
'ip-dst': handle_ip,
'url': handle_url
}
def handler(q=False):
if q is False:
return False
request = json.loads(q)
config = request.get("config", {"Period": ""})
output = ''
for event in request["data"]:
for attribute in event["Attribute"]:
if attribute['type'] in types_to_use:
output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
for obj in event["Object"]:
for attribute in obj["Attribute"]:
if attribute['type'] in types_to_use:
output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
return r
def introspection():
modulesetup = {}
try:
responseType
modulesetup['responseType'] = responseType
except NameError:
pass
try:
userConfig
modulesetup['userConfig'] = userConfig
except NameError:
pass
try:
outputFileExtension
modulesetup['outputFileExtension'] = outputFileExtension
except NameError:
pass
try:
inputSource
modulesetup['inputSource'] = inputSource
except NameError:
pass
return modulesetup
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo
Reference in New Issue View Git Blame Copy Permalink