#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pymisp import PyMISP
from keys import misp_url, misp_key, misp_verifycert
import argparse
import os
import json
import csv
import pprint
import requests
from collections import OrderedDict
def init(url, key):
    """Build a PyMISP client for *url* authenticated with *key*.

    The certificate-verification setting is taken from the module-level
    ``misp_verifycert`` imported from ``keys``; responses are requested as JSON.
    """
    client = PyMISP(url, key, misp_verifycert, 'json')
    return client
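def cs_type(type):
    """
    Convert a MISP attribute type to the CrowdStrike indicator type.

    Debug ``print`` calls in the original were dropped: this function runs once
    per exported attribute and its stdout noise hid the real progress output.

    :param type: MISP attribute type (e.g. ``'ip-dst'``). The name shadows the
        builtin but is kept so existing callers are unaffected.
    :type type: str
    :return: CrowdStrike type. Types without an explicit mapping are returned
        unchanged (``domain``/``md5``/``sha1``/``sha256`` share the same name on
        both sides); ``None`` is returned as ``None``.
    :rtype: str
    TODO: add support for ipv6 -- MISP ``ip-src``/``ip-dst`` attributes can
        also hold IPv6 addresses, which this mapping labels ``ipv4``; the
        value itself has to be inspected to tell them apart.
    """
    types = {
        'ip-dst': 'ipv4',
        'ip-src': 'ipv4',
    }
    # A dict is unhashable and would make the lookup below raise TypeError;
    # pass it through unchanged rather than aborting the upload loop.
    if isinstance(type, dict):
        return type
    return types.get(type, type)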
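def search(m, quiet, url, controller, out=None, **kwargs):
    """
    Search MISP, push each matching attribute to CrowdStrike as an IOC and
    tag the attribute and its event in MISP once the upload succeeded.

    Fixes relative to the original: every MISP call goes through the ``m``
    parameter instead of the module-level ``misp`` global (which only exists
    when the file is run as a script); the CrowdStrike response is checked
    before the attribute is tagged as uploaded; the Query API credentials are
    read from the environment instead of being hard-coded in source.

    :param m: PyMISP client as returned by :func:`init`
    :param quiet: unused, kept for signature compatibility
    :param url: unused, kept for signature compatibility
    :param controller: MISP search controller, ``'events'`` or ``'attributes'``
    :param out: unused, kept for signature compatibility
    :param kwargs: forwarded verbatim to ``m.search`` (e.g. ``category='x'``)
    :return: None
    """
    # CrowdStrike Query API credentials. The environment variable names are
    # constructed here (not a CrowdStrike convention); the original placeholder
    # strings remain as a fallback so behaviour is unchanged when they are unset.
    cs_user = os.environ.get('CS_QUERY_API_USER', 'YOURQUERYAPIUSER')
    cs_secret = os.environ.get('CS_QUERY_API_SECRET', 'YOURQUERYAPISECRET')
    cs_iocs_url = 'https://falconapi.crowdstrike.com/indicators/entities/iocs/v1'
    headers = {
        'Content-Type': 'application/json',
    }

    result = m.search(controller, **kwargs)
    # Collect (id, uuid) per matching event: the id drives get_csv, the uuid
    # drives tagging.
    events = [(e['Event']['id'], e['Event']['uuid']) for e in result['response']]

    for event_id, event_uuid in events:
        # Export only the indicator types CrowdStrike accepts; the context
        # columns feed the indicator description.
        x = m.get_csv(
            eventid=event_id,
            context=['event_info', 'event_tag', 'event_threat_level_id'],
            misp_types=['ip-src', 'ip-dst', 'domain', 'md5', 'sha1', 'sha256'],
        )
        # splitlines() also copes with CRLF output, unlike split('\n').
        reader = csv.DictReader(x.splitlines())
        for row in reader:
            data = {
                "type": cs_type(row.get('type')),
                "value": row.get('value'),
                "policy": "detect",
                "share_level": "red",
                "expiration_days": 60,
                "source": '{} {}'.format('MISP Event', row.get('event_id')),
                "description": row.get('event_info'),
            }
            # The endpoint takes a JSON array of indicators; one per request.
            indicator = json.dumps([data])
            response = requests.post(cs_iocs_url, headers=headers, data=indicator,
                                     auth=(cs_user, cs_secret))
            # Tag the attribute only when CrowdStrike accepted it; tagging on
            # failure would hide the indicator from a later retry run.
            if response.ok:
                m.tag(row.get('uuid'), "Uploaded to CrowdStrike")
            else:
                print('Upload failed for attribute {}: HTTP {}'.format(
                    row.get('uuid'), response.status_code))
        # Swap the event's request tag for the "done" marker only after its
        # attributes have been processed, so an interrupted run can be resumed.
        m.untag(event_uuid, "Upload to CrowdStrike")
        m.tag(event_uuid, "Uploaded to CrowdStrike")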
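if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Get all the events matching a value for a given param.')
    parser.add_argument("-p", "--param", required=True, help="Parameter to search (e.g. category, org, etc.)")
    parser.add_argument("-s", "--search", required=True, help="String to search.")
    parser.add_argument("-a", "--attributes", action='store_true', help="Search attributes instead of events")
    parser.add_argument("-o", "--output", help="Output file")
    args = parser.parse_args()
    if args.output is not None and os.path.exists(args.output):
        print('Output file already exists, abort.')
        # Refusing to run is a failure for the caller (cron, wrapper scripts),
        # so exit non-zero instead of the original exit(0).
        raise SystemExit(1)
    # Module-level name: search() as originally written reads the `misp` global.
    misp = init(misp_url, misp_key)
    kwargs = {args.param: args.search}
    controller = 'attributes' if args.attributes else 'events'
    # search() takes (m, quiet, url, controller, out, **kwargs). The original
    # call omitted `quiet`, which shifted every later positional argument by
    # one and handed the output path to `controller`.
    search(misp, False, misp_url, controller, args.output, **kwargs)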