This script queries MISP for events with a particular tag, extracts supported attribute types and uploads them as indicators via the CrowdStrike QueryAPI. The script will tag the event and any supported attributes type in that event as "Uploaded to CrowdStrike".
This script uses pymisp and will only upload attributes that are marked with an IDS flag. Ensure that MISP Warning lists and the IDS flag is used correctly to avoid false positives.
When CrowdStrike gets a hit on an indicator it will generate a threat_intel alert and provide the MISP event ID in the alert description.
- ip-src
- ip-dst
- domain
- md5
- sha1
- sha256
python3 -p tags -s "Upload to CrowdStrike" -q
Recommend adding this command to a cronjob to poll MISP at a set interval.
- Working knowledge of PyMISP
- Working knowledge of CrowdStirke QueryAPI
- QueryAPI Credentials
- MISP keys.py file. See https://github.com/MISP/PyMISP/blob/master/examples/keys.py.sample
- Add support to delete indicators.
- Add command line parameter support to set expiry dates.
- PEP all the things.
- Migrate to CrowdStrike Python API.
- Add command line parameter support for tags.
Add multiple tags to an event or attribute with pymisp.
python3 - addtag.py -e 100 -t 1 2 3 4 5
- pymisp
- keys.py (see https://github.com/MISP/PyMISP/tree/master/examples)