https://github.com/crowdstrike/misp-tools - Version 0.8.0

Version 0.8.0

This update provides some much needed updates to the misp_import.py script: + Introduced new classes: ConfigHandler, ImportHandler, and Loggers to better organize the code + ConfigHandler + Moved configuration/galaxy parsing and handling into the ConfigHandler class + Consolidated import settings into a single dictionary in ConfigHandler + Simplified the proxy and extra headers configuration in ConfigHandler + ImportHandler
+ Created the ImportHandler class to manage the import/deletion process + Moved the retrieve_tags() function into the ImportHandler class + Moved perform_local_cleanup() function into the ImportHandler class + Loggers
+ Utilized a dataclass handler for the two log streams (main/splash)

• Simplified main: Utilized the new classes and helper functions to streamline the main function

  • Separated logging setup into its own function setup_logging()
  • Created a separate function to initialize the CrowdStrike API client create_intel_api_client()
  • Moved conditional argument checks into parse_command_line()

• Other

  • Removed some commented-out code and unused imports
  • Removed unused argument (-l, --logfile)
  • Relocated banner printing operations into their own functions

New Contributors

• @alhumaw made their first contribution in https://github.com/CrowdStrike/MISP-tools/pull/175

Full Changelog: https://github.com/CrowdStrike/MISP-tools/compare/v0.7.4...v0.8.0

- Python
Published by alhumaw almost 2 years ago

https://github.com/crowdstrike/misp-tools - Version 0.7.4

This update adds the SAIGA adversary branch and closes https://github.com/CrowdStrike/MISP-tools/issues/161.

- Python
Published by jshcodes about 2 years ago

https://github.com/crowdstrike/misp-tools - Version 0.7.3

This release updates the following:

• Moves galaxy malware family tag lookups to leverage an in-memory dataset created during application startup
• Adds the Sphinx adversary branch
• Resolves a lookup issue with Actor tags
• Adds / Updates repository health files

Full Changelog: https://github.com/CrowdStrike/MISP-tools/compare/v0.7.2...v0.7.3

- Python
Published by jshcodes over 2 years ago

https://github.com/crowdstrike/misp-tools - Version 0.7.2

• Moves duplicate handling to leverage the PyMISP native solution. Closes #129. Closes #67.
  • All indicator attributes have been moved to flat attributes as opposed to object attributes.
• Removes sightings integration.
• Aligns all adversary (actors) to the MISP Threat Actor galaxy. CrowdStrike only actors are created and imported to this galaxy as part of this process.
  • These actors are removed when performing a delete.
• Refactors taxonomic tagging to reduce the number of updates performed per attribute (indicator).
• Refines indicator type and malware family events and reduces the amount of time to import. Closes #118. Closes #102.
• Refines and expands Galaxy searches in an attempt to properly tag malware family indicators to the appropriate galaxy. Closes #134.
• Adds a new parameter to the configuration file to allow developers to limit the date range for Malware Family event lookups. Closes #136.

[!IMPORTANT] Due to taxonomic tagging changes, developers wanting to completely reimport data should remove all CrowdStrike data from their MISP instance (--obliterate or -ci -cr -ca) using the previous version before upgrading to the latest version and running a new import.

- Python
Published by jshcodes over 2 years ago

https://github.com/crowdstrike/misp-tools - Version 0.7.0

Version 0.7.0

This update provides the following new functionality:

• Maps CrowdStrike adversaries to the MISP Threat Actor galaxy. Existing adversaries are identified within the current galaxy, and new galaxy clusters are create for adversaries that are not present. These threat actors are removed as part of adversary delete operations.
• Maps target sectors to the MISP Sector galaxy.
• Maps target regions to the MISP Regions M49 galaxy.
• Maps target countries to the MISP Countries galaxy.
• Dramatically expands malware identification by looking up malware in additional MISP galaxies. The galaxy.ini file is still leveraged to override undesired matches by forcing a galaxy mapping.
• Resolves the publishing issue for Malware / Indicator type events. Closes #123.

What's Changed

• Bump crowdstrike-falconpy from 1.2.11 to 1.2.14 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/121
• Bump urllib3 from 1.26.14 to 1.26.15 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/105
• Bump pymisp from 2.4.168 to 2.4.170.1 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/122
• Version 0.7.0 - Expanded galaxy mappings by @jshcodes in https://github.com/CrowdStrike/MISP-tools/pull/124

Full Changelog: https://github.com/CrowdStrike/MISP-tools/compare/v0.6.9...v0.7.0

- Python
Published by jshcodes about 3 years ago

https://github.com/crowdstrike/misp-tools - Version 0.6.9

What's Changed

• Version 0.6.9 by @jshcodes in https://github.com/CrowdStrike/MISP-tools/pull/120
  • Adds PERSONA_NAME indicator type enumerator. Closes #112.
  • Resolves a tagging failure on the Known As object. Closes #111.
  • Restores custom indicator event tagging functionality. Closes #116.
  • Fixes boolean comparison issue resulting in sightings being tracked when disabled in the configuration file. Closes #101.
  • Adds custom HTTP headers to all API requests. Closes #119.
  • Adds proxy support for all API requests. Closes #14.

Full Changelog: https://github.com/CrowdStrike/MISP-tools/compare/v0.6.8...v0.6.9

- Python
Published by jshcodes about 3 years ago

https://github.com/crowdstrike/misp-tools - Version 0.6.8

What's Changed

• Bump urllib3 from 1.26.13 to 1.26.14 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/93
• Bump requests from 2.28.1 to 2.28.2 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/92
• Bump crowdstrike-falconpy from 1.2.8 to 1.2.9 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/90
• Bump crowdstrike-falconpy from 1.2.9 to 1.2.11 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/97
• Bump pymisp from 2.4.167 to 2.4.168 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/96
• Version 0.6.8 - Fix related adversary lookup error by @jshcodes in https://github.com/CrowdStrike/MISP-tools/pull/99

Full Changelog: https://github.com/CrowdStrike/MISP-tools/compare/v0.6.7...v0.6.8

- Python
Published by jshcodes over 3 years ago

https://github.com/crowdstrike/misp-tools - Version 0.6.7

What's Changed

• Bump pymisp from 2.4.166 to 2.4.167 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/83
• Bump crowdstrike-falconpy from 1.2.6 to 1.2.8 by @dependabot in https://github.com/CrowdStrike/MISP-tools/pull/84
• Documentation updates by @jshcodes in https://github.com/CrowdStrike/MISP-tools/pull/86
• Documentation updates by @jshcodes in https://github.com/CrowdStrike/MISP-tools/pull/87
• Version 0.6.6 - Fixes by @jshcodes in https://github.com/CrowdStrike/MISP-tools/pull/88
• Version 0.6.7 by @jshcodes in https://github.com/CrowdStrike/MISP-tools/pull/91

Functionality

• Import / Delete indicators by type
• no_hashes import functionality
• Correlation fix (Report indicators)
• Initial markdown report formatting
• Annotation object removed from reports (This may be restored)
• Big fixes

Full Changelog: https://github.com/CrowdStrike/MISP-tools/compare/v0.6.6...v0.6.7

- Python
Published by jshcodes over 3 years ago

https://github.com/crowdstrike/misp-tools - Version 0.6.6

What's Changed

• Adversary / Report dates are no longer showing the date of import as the event date. Relates to #70.
  • You can now import 20 years of adversary and report data.
• Faster delete handling (paginating MISP lookups). Relates to #70.
• Unnecessary correlations are disabled. Closes #80.
• Local tag cleanup. Relates to #79.
• Attribute tag verbosity control (-v argument). Closes #79.
• max-age argument now works as expected. Closes #70.
• Import or delete adversaries or reports of a specific type (new argument: -t or —type). Relates to #62.
  • Types can be mixed, Example: shell python3 misp_import.py -a -r -t csit,csa,spider,panda,bear
• Publish on create (Reports / Adversaries) with the -p argument. Relates to #39.

Full Changelog: https://github.com/CrowdStrike/MISP-tools/compare/v0.6.5...v0.6.6

- Python
Published by jshcodes over 3 years ago

https://github.com/crowdstrike/misp-tools - Version 0.6.5

This update resolves several null check issues and re-enables custom tagging for indicators.

Thanks to @cudeso and @ag-michael for their contributions!

- Python
Published by jshcodes over 3 years ago

https://github.com/crowdstrike/misp-tools - Version 0.6.4

This update implements the following changes:

• Indicators are now imported as attributes and attached to an event for that specific indicator type, and an event for that specific indicator's malware family. Closes #45.
• Duplicate indicators are marked as a new sighting when the timestamp is newer.
  • This includes indicators that are attributes to CrowdStrike Report events.
  • This functionality can be disabled by setting the log_duplicates_as_sightings configuration parameter to False.
• Custom tagging functionality is restored. Closes #42.
• Easier command line arguments have been implemented. Closes #59.
  • Two new arguments, --all (import all) and --obliterate (remove all) have been added.
• Additional threading has been implemented.
• Additional performance tuning options are now available within the configuration file.
  • Based upon the target MISP instance, these values can be used to tune import speed and size to address load concerns.
  • ind_attribute_batch_size - Controls the batch size before updates to the MISP server are performed. > This value cannot exceed api_request_max.
  • event_save_memory_refresh_interval - Maximum duration (in seconds) taken to save an event object before it is flushed from the memory cache and reloaded.
• Minor cleanup to the Actors process.
• Minor cleanup to the Reports process.

- Python
Published by jshcodes over 3 years ago