1 | 1 | import json |
2 | 2 |
|
| 3 | +from datetime import datetime |
3 | 4 | from falconpy import Intel |
4 | 5 | from pymisp import MISPAttribute, MISPEvent |
5 | 6 |
|
6 | 7 | from . import check_input_attribute, standard_error_message |
7 | 8 |
|
8 | 9 | moduleinfo = { |
9 | | - "version": "0.2", |
| 10 | + "version": "0.3", |
10 | 11 | "author": "Christophe Vandeplas", |
11 | 12 | "description": "Module to query CrowdStrike Falcon.", |
12 | 13 | "module-type": ["expansion", "hover"], |
@@ -145,6 +146,75 @@ def lookup_indicator(client, ref_attribute): |
145 | 146 | attribute = MISPAttribute() |
146 | 147 | attribute.from_dict(**r) |
147 | 148 | misp_event.add_attribute(**attribute) |
| 149 | + for ip_type in item.get("ip_address_types", []): |
| 150 | + ip_type_attribute = { |
| 151 | + "type": "text", |
| 152 | + "category": "Other", |
| 153 | + "value": f"IP_Type: {ip_type}", |
| 154 | + "to_ids": False |
| 155 | + } |
| 156 | + attribute = MISPAttribute() |
| 157 | + attribute.from_dict(**ip_type_attribute) |
| 158 | + misp_event.add_attribute(**attribute) |
| 159 | + if item.get("malicious_confidence"): |
| 160 | + confidence_attribute = { |
| 161 | + "type": "text", |
| 162 | + "category": "Other", |
| 163 | + "value": f"Malicious_Confidence: {item.get('malicious_confidence')}", |
| 164 | + "to_ids": False |
| 165 | + } |
| 166 | + attribute = MISPAttribute() |
| 167 | + attribute.from_dict(**confidence_attribute) |
| 168 | + misp_event.add_attribute(**attribute) |
| 169 | + for label in item.get("labels", []): |
| 170 | + label_value = f"Label: {label.get('name')}" |
| 171 | + if label.get("created_on") and label.get("last_valid_on"): |
| 172 | + iso_created_on = datetime.utcfromtimestamp(label["created_on"]).isoformat() + "Z" |
| 173 | + iso_last_valid_on = datetime.utcfromtimestamp(label["last_valid_on"]).isoformat() + "Z" |
| 174 | + label_value += f" (created_on: {iso_created_on}, last_valid_on: {iso_last_valid_on})" |
| 175 | + label_attribute = { |
| 176 | + "type": "text", |
| 177 | + "category": "Other", |
| 178 | + "value": label_value, |
| 179 | + "to_ids": False, |
| 180 | + } |
| 181 | + attribute = MISPAttribute() |
| 182 | + attribute.from_dict(**label_attribute) |
| 183 | + misp_event.add_attribute(**attribute) |
| 184 | + if item.get("reports"): |
| 185 | + for report in item["reports"]: |
| 186 | + report_attribute = { |
| 187 | + "type": "text", |
| 188 | + "category": "Other", |
| 189 | + "value": f"Report: {report}", |
| 190 | + "to_ids": False, |
| 191 | + } |
| 192 | + attribute = MISPAttribute() |
| 193 | + attribute.from_dict(**report_attribute) |
| 194 | + misp_event.add_attribute(**attribute) |
| 195 | + if item.get("threat_types"): |
| 196 | + for threat in item["threat_types"]: |
| 197 | + threat_type_attribute = { |
| 198 | + "type": "text", |
| 199 | + "category": "Other", |
| 200 | + "value": f"Threat_Type: {threat}", |
| 201 | + "to_ids": False, |
| 202 | + } |
| 203 | + attribute = MISPAttribute() |
| 204 | + attribute.from_dict(**threat_type_attribute) |
| 205 | + misp_event.add_attribute(**attribute) |
| 206 | + if item.get("last_updated"): |
| 207 | + iso_last_updated = datetime.utcfromtimestamp(item["last_updated"]).isoformat() + "Z" |
| 208 | + last_updated_attribute = { |
| 209 | + "type": "datetime", |
| 210 | + "category": "Other", |
| 211 | + "value": iso_last_updated, |
| 212 | + "to_ids": False, |
| 213 | + } |
| 214 | + attribute = MISPAttribute() |
| 215 | + attribute.from_dict(**last_updated_attribute) |
| 216 | + misp_event.add_attribute(**attribute) |
| 217 | + |
148 | 218 |
|
149 | 219 | event = json.loads(misp_event.to_json()) |
150 | 220 | return {"Object": event.get("Object", []), "Attribute": event.get("Attribute", [])} |
|