"""
|
|
Export module for converting MISP events into Endgame EQL queries
|
|
"""
import json
import logging
# Default error payload shape (misp-modules convention: a failing handler()
# answers with a dict carrying an "error" key).
misperrors = dict(error="Error")
# Metadata MISP shows for this module; version() hands it back unchanged.
moduleinfo = {
    "version": "0.1",
    "author": "92 COS DOM",
    "description": "EQL query generation for a MISP attribute.",
    "module-type": ["expansion"],
    "name": "EQL Query Generator",
    "logo": "eql.png",
    "requirements": [],
    "features": "This module adds a new attribute to a MISP event containing an EQL query for a network or file attribute.",
    "references": ["https://eql.readthedocs.io/en/latest/"],
    "input": "A filename or ip attribute.",
    "output": "Attribute containing EQL for a network or file attribute.",
}
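# Map of MISP attribute types => Endgame/EQL field names
fieldmap = {
    "ip-src": "source_address",
    "ip-dst": "destination_address",
    "filename": "file_name",
}

# Which EQL event category carries each field (the "<event> where ..." prefix)
event_types = {
    "source_address": "network",
    "destination_address": "network",
    "file_name": "file",
}

# Attribute types this module accepts, derived from fieldmap so the two lists
# cannot drift apart. The module only ever emits 'comment' attributes, which
# is what "output" declares.
mispattributes = {
    "input": list(fieldmap.keys()),
    "output": ["comment"],
}

# Characters that must be backslash-escaped inside an EQL double-quoted
# string literal. Without escaping, an attribute value containing a `"` would
# terminate the literal and the rest of the value would be parsed as further
# EQL clauses (query injection via an attacker-supplied indicator).
# NOTE(review): escape set taken from the sequences listed in the EQL syntax
# guide (\\, \", \n, \r, \t); other control characters pass through unchanged.
_EQL_ESCAPES = str.maketrans({
    "\\": "\\\\",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
})


def _eql_string(value) -> str:
    r"""Render *value* as a quoted EQL string literal.

    Input
        value: the raw attribute value; coerced with ``str()`` first, exactly
               as ``str.format`` would have done.

    Output
        The value wrapped in double quotes, with backslashes, double quotes
        and line-break/tab characters escaped so they cannot break out of
        the literal.
    """
    return '"' + str(value).translate(_EQL_ESCAPES) + '"'


def handler(q=False):
    """Build an EQL query for a single supported MISP attribute.

    Input
        q: JSON-encoded request dictionary as sent by MISP. One of the
           attribute types in ``fieldmap`` (``ip-src``, ``ip-dst``,
           ``filename``) is expected as a key; if several are present the
           last one in ``fieldmap`` order wins (unchanged from the original).

    Output
        ``{'results': [...]}`` holding one ``comment`` attribute whose value
        is the generated EQL query; ``{'error': ...}`` when the request
        carries none of the supported attribute types; ``False`` when ``q``
        is empty.
    """
    if q is False or not q:
        return False

    request = json.loads(q)

    # The module declares no configuration ('requirements': []), so this is
    # only ever the default. NOTE(review): if configuration is added later,
    # do not log it verbatim -- MISP module config commonly carries API keys.
    config = request.get("config", {"Default_Source": ""})
    logging.info("Setting config to: %s", config)

    # Pick the attribute to convert. Initialised to None so a request with
    # none of the supported types reaches the error branch instead of raising
    # UnboundLocalError (the original never assigned attrType in that case,
    # which made its error branch unreachable).
    attrType = None
    for supportedType in fieldmap:
        if request.get(supportedType):
            attrType = supportedType

    if attrType is None:
        return {"error": "Unsupported attributes type"}

    eqlType = fieldmap[attrType]
    event_type = event_types[eqlType]
    # The attribute value is untrusted (it may come from a shared or external
    # event), so it is escaped rather than interpolated raw into the query.
    fullEql = "{} where {} == {}".format(event_type, eqlType, _eql_string(request[attrType]))

    response = [{
        'types': ['comment'],
        'categories': ['External analysis'],
        'values': fullEql,
        'comment': "Event EQL queries",
    }]
    return {'results': response}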
def introspection() -> dict:
    """Tell MISP which attribute types this module accepts.

    Takes no input; returns the module-level ``mispattributes`` mapping
    (its ``input`` entry lists the supported MISP attribute types).
    """
    return mispattributes
def version() -> dict:
    """Report this module's metadata to MISP.

    Takes no input; returns the module-level ``moduleinfo`` dictionary
    (version, author, description, module type and related fields).
    """
    return moduleinfo