CrowdStrike / MISP-tools

Import CrowdStrike Threat Intelligence into your instance of MISP
MIT License

Indicator Ingestion Loops Indefinitely #113

Closed packet-rat closed 1 year ago

packet-rat commented 1 year ago

Loops indefinitely (every hour) after ingesting Indicators

Command:

python3 misp_import.py -f -nb -d -v -p -i

The following hash shows the hourly repeat cycle

sudo grep -i 308648c0db  /var/log/messages > crowdstrike-ioc-loop.log
(.ohm) [rx118r@md2nj02ap:~]$ more crowdstrike-ioc-loop.log 
Apr  9 10:54:31 172.30.0.4 docker: md2nj02ap misp-dev3[18458]: add -- Attribute (513760240) from Event (2016952): Payload delivery/sha256 308648c0dbd0ceeceadcdfdfd9e5be68e004eeab286d910b3af3cac81b292f4b -- Attribute "308648c0dbd0ceeceadcdfdfd9e5be68e004eeab286d910b3af3cac81b292f4b" (513760240) added by User "api.crowdstrike@local.net" (238).
Apr  9 11:34:01 172.30.0.4 docker: md2nj02ap misp-dev3[12922]: edit -- Attribute (513760240) from Event (2016952): Payload delivery/sha256 308648c0dbd0ceeceadcdfdfd9e5be68e004eeab286d910b3af3cac81b292f4b -- Attribute "308648c0dbd0ceeceadcdfdfd9e5be68e004eeab286d910b3af3cac81b292f4b" (513760240) updated by User "api.crowdstrike@local.net" (238).
Apr  9 12:32:16 172.30.0.4 docker: md2nj02ap misp-dev3[5952]: edit -- Attribute (513760240) from Event (2016952): Payload delivery/sha256 308648c0dbd0ceeceadcdfdfd9e5be68e004eeab286d910b3af3cac81b292f4b -- Attribute "308648c0dbd0ceeceadcdfdfd9e5be68e004eeab286d910b3af3cac81b292f4b" (513760240) updated by User "api.crowdstrike@local.net" (238).

Snipped Log


python3 misp_import.py -f -nb -d -v -p -i
[2023-04-08 18:43:13,699] INFO     misp_tools    MISP Import for CrowdStrike Threat Intelligence v0.6.8
[2023-04-08 18:43:13,699] INFO     config  CHECK CONFIG
[2023-04-08 18:43:13,700] DEBUG    config  client_id                                   value redacted, check config file
[2023-04-08 18:43:13,700] DEBUG    config  client_secret                               value redacted, check config file
[2023-04-08 18:43:13,700] DEBUG    config  crowdstrike_url                             US1
[2023-04-08 18:43:13,700] DEBUG    config  api_request_max                             5000
[2023-04-08 18:43:13,700] DEBUG    config  api_enable_ssl                              True
[2023-04-08 18:43:13,700] DEBUG    config  reports_timestamp_filename                  lastReportsUpdate.dat
[2023-04-08 18:43:13,700] DEBUG    config  indicators_timestamp_filename               lastIndicatorsUpdate.dat
[2023-04-08 18:43:13,700] DEBUG    config  actors_timestamp_filename                   lastActorsUpdate.dat
[2023-04-08 18:43:13,700] DEBUG    config  init_reports_days_before                    365
[2023-04-08 18:43:13,700] DEBUG    config  init_indicators_minutes_before              20220
[2023-04-08 18:43:13,700] DEBUG    config  init_actors_days_before                     730
[2023-04-08 18:43:13,700] DEBUG    config  reports_unique_tag                          CrowdStrike: REPORT
[2023-04-08 18:43:13,700] DEBUG    config  indicators_unique_tag                       CrowdStrike: INDICATOR
[2023-04-08 18:43:13,700] DEBUG    config  actors_unique_tag                           CrowdStrike: ACTOR
[2023-04-08 18:43:13,700] DEBUG    config  reports_tags                                att:source="Crowdstrike.Report"
[2023-04-08 18:43:13,700] DEBUG    config  indicators_tags                             att:source="Crowdstrike.Indicators"
[2023-04-08 18:43:13,700] DEBUG    config  actors_tags                                 att:source="Crowdstrike.Actors"
[2023-04-08 18:43:13,700] DEBUG    config  unknown_mapping                             CrowdStrike:indicator:galaxy: UNATTRIBUTED
[2023-04-08 18:43:13,700] DEBUG    config  unattributed_title                          CrowdStrike Unattributed indicators:
[2023-04-08 18:43:13,700] DEBUG    config  indicator_type_title                        Indicator Type:
[2023-04-08 18:43:13,700] DEBUG    config  malware_family_title                        Malware Family:
[2023-04-08 18:43:13,700] DEBUG    config  log_duplicates_as_sightings                 True
[2023-04-08 18:43:13,700] DEBUG    config  misp_url                                    https://3samisp
[2023-04-08 18:43:13,700] DEBUG    config  misp_auth_key                               value redacted, check config file
[2023-04-08 18:43:13,700] DEBUG    config  crowdstrike_org_uuid                        ca4f4b5d-db04-4a5e-a6de-e60636dc01be
[2023-04-08 18:43:13,700] DEBUG    config  misp_enable_ssl                             False
[2023-04-08 18:43:13,700] WARNING  config  misp_enable_ssl                             SSL is disabled for MISP API requests
[2023-04-08 18:43:13,701] DEBUG    config  ind_attribute_batch_size                    2500
[2023-04-08 18:43:13,701] DEBUG    config  event_save_memory_refresh_interval          180
[2023-04-08 18:43:13,701] DEBUG    config  max_threads                                 16
[2023-04-08 18:43:13,701] DEBUG    config  miss_track_file                             no_galaxy_mapping.log
[2023-04-08 18:43:13,701] DEBUG    config  galaxies_map_file                           galaxy.ini
[2023-04-08 18:43:13,701] DEBUG    config  tag_unknown_galaxy_maps                     True
[2023-04-08 18:43:13,701] DEBUG    config  taxonomic_kill-chain                        True
[2023-04-08 18:43:13,701] DEBUG    config  taxonomic_information-security-data-source  True
[2023-04-08 18:43:13,701] DEBUG    config  taxonomic_type                              True
[2023-04-08 18:43:13,701] DEBUG    config  taxonomic_iep                               False
[2023-04-08 18:43:13,701] DEBUG    config  taxonomic_iep2                              True
[2023-04-08 18:43:13,701] DEBUG    config  taxonomic_iep2_version                      False
[2023-04-08 18:43:13,701] DEBUG    config  taxonomic_tlp                               True
[2023-04-08 18:43:13,701] DEBUG    config  taxonomic_workflow                          True
[2023-04-08 18:43:14,200] INFO     config  No configuration errors found (1 warning)
[2023-04-08 18:43:14,200] INFO     config  
[2023-04-08 18:43:14,200] INFO     config  ____ _  _ ____ ____ _  _ ____    ___  ____ ____ ____ ____ ___
[2023-04-08 18:43:14,200] INFO     config  |    |__| |___ |    |_/  [__     |__] |__| [__  [__  |___ |  \
[2023-04-08 18:43:14,200] INFO     config  |___ |  | |___ |___ | \_ ___]    |    |  | ___] ___] |___ |__/
[2023-04-08 18:43:14,200] INFO     config  
[2023-04-08 18:43:15,171] INFO     processor/main       BEGIN INDICATORS IMPORT
[2023-04-08 18:43:15,171] INFO     processor/main       Retrieving lookup data for import of CrowdStrike indicators into MISP.
[2023-04-08 18:43:15,477] INFO     processor/main       Adding 24 CrowdStrike indicator type events to MISP.
[2023-04-08 18:43:15,498] INFO     processor/main       Retrieved 0 CrowdStrike indicator malware family events from MISP.
[2023-04-08 18:43:15,559] INFO     processor/thread_9   Retrieved 15 coin_address indicators from MISP.
[2023-04-08 18:43:15,561] INFO     processor/thread_13  Retrieved 50 device_name indicators from MISP.
[2023-04-08 18:43:15,601] INFO     processor/thread_13  Retrieved 29 service_name indicators from MISP.
[2023-04-08 18:43:15,608] INFO     processor/thread_12  Retrieved 495 registry indicators from MISP.
[2023-04-08 18:43:15,670] INFO     processor/thread_8   Retrieved 309 bitcoin_address indicators from MISP.
[2023-04-08 18:43:15,927] INFO     processor/thread_7   Retrieved 3,922 mutex_name indicators from MISP.
[2023-04-08 18:43:15,994] INFO     processor/thread_12  Retrieved 449 port indicators from MISP.
[2023-04-08 18:43:16,043] INFO     processor/thread_3   Retrieved 1,770 hash_imphash indicators from MISP.
[2023-04-08 18:43:38,543] INFO     processor/thread_15  Retrieved 254 campaign_id indicators from MISP.
[2023-04-08 18:43:40,720] INFO     processor/thread_13  Retrieved 90,336 user_agent indicators from MISP.
[2023-04-08 18:43:50,679] INFO     processor/thread_5   Retrieved 201,177 file_path indicators from MISP.
[2023-04-08 18:43:54,259] INFO     processor/thread_4   Retrieved 201,177 file_name indicators from MISP.
[2023-04-08 18:44:01,788] INFO     processor/thread_2   Retrieved 412,962 hash_sha1 indicators from MISP.
[2023-04-08 18:44:11,313] INFO     processor/thread_10  Retrieved 69,724 email_address indicators from MISP.
[2023-04-08 18:46:12,074] INFO     processor/thread_14  Retrieved 1,612,502 domain indicators from MISP.
[2023-04-08 18:46:50,764] INFO     processor/thread_11  Retrieved 815,731 email_subject indicators from MISP.
[2023-04-08 18:50:00,881] INFO     processor/thread_1   Retrieved 2,934,089 hash_sha256 indicators from MISP.
[2023-04-08 18:52:23,975] INFO     processor/thread_0   Retrieved 3,477,861 hash_md5 indicators from MISP.
[2023-04-08 18:56:45,404] INFO     processor/thread_9   Retrieved 4,795,407 ip_address indicators from MISP.
[2023-04-08 19:26:34,611] INFO     processor/thread_6   Retrieved 16,710,078 url indicators from MISP.
[2023-04-08 19:26:57,388] INFO     processor/main       Found 0 pre-existing indicators within CrowdStrike reports.
[2023-04-08 19:27:18,498] INFO     processor/main       Starting import of CrowdStrike indicators into MISP.
[2023-04-08 19:27:39,189] INFO     processor/main       Retrieved 5,000 of 2,789,355 remaining indicators.
[2023-04-08 19:27:39,190] DEBUG    processor/main       Configuration states we should process batches of 2,500 indicators.
[2023-04-08 19:27:39,190] INFO     processor/main       Processing batch of 2,500 indicators.
[2023-04-08 19:27:39,191] DEBUG    processor/thread_0   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,191] DEBUG    processor/thread_0   Start creation of malware family event object
[2023-04-08 19:27:39,192] DEBUG    processor/thread_0   Complete initial malware family object creation
[2023-04-08 19:27:39,192] DEBUG    processor/thread_0   Successfully created malware family event for CobaltStrike
[2023-04-08 19:27:39,281] DEBUG    processor/thread_1   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,281] DEBUG    processor/thread_1   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,282] DEBUG    processor/thread_2   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,282] DEBUG    processor/thread_2   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,282] DEBUG    processor/thread_3   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,282] DEBUG    processor/thread_3   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,283] DEBUG    processor/thread_4   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,283] DEBUG    processor/thread_4   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,283] DEBUG    processor/thread_5   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,283] DEBUG    processor/thread_5   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,284] DEBUG    processor/thread_6   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,284] DEBUG    processor/thread_6   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,284] DEBUG    processor/thread_7   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,284] DEBUG    processor/thread_7   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,284] DEBUG    processor/thread_8   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,284] DEBUG    processor/thread_8   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,284] DEBUG    processor/thread_9   Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,285] DEBUG    processor/thread_9   Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,285] DEBUG    processor/thread_10  Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,285] DEBUG    processor/thread_10  Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,285] DEBUG    processor/thread_11  Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,285] DEBUG    processor/thread_11  Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,286] DEBUG    processor/thread_12  Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,286] DEBUG    processor/thread_12  Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,286] DEBUG    processor/thread_13  Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,286] DEBUG    processor/thread_13  Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,287] DEBUG    processor/thread_14  Malware Family identified: Emotet
[2023-04-08 19:27:39,287] DEBUG    processor/thread_14  Start creation of malware family event object
[2023-04-08 19:27:39,288] DEBUG    processor/thread_14  Complete initial malware family object creation
[2023-04-08 19:27:39,288] DEBUG    processor/thread_14  Successfully created malware family event for Emotet
[2023-04-08 19:27:39,382] DEBUG    processor/thread_15  Malware Family identified: Emotet
[2023-04-08 19:27:39,382] DEBUG    processor/thread_15  Found existing malware family event for Emotet
[2023-04-08 19:27:39,382] DEBUG    processor/thread_0   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_1   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_0   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,383] DEBUG    processor/thread_2   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_2   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,383] DEBUG    processor/thread_1   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,383] DEBUG    processor/thread_4   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_0   Tagged threat COMMODITY
[2023-04-08 19:27:39,383] DEBUG    processor/thread_5   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_3   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_7   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_2   Tagged threat COMMODITY
[2023-04-08 19:27:39,384] DEBUG    processor/thread_8   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_9   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_1   Tagged threat COMMODITY
[2023-04-08 19:27:39,384] DEBUG    processor/thread_10  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_11  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,386] DEBUG    processor/thread_11  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,384] DEBUG    processor/thread_4   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,384] DEBUG    processor/thread_12  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,385] DEBUG    processor/thread_13  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,385] DEBUG    processor/thread_5   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_14  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,385] DEBUG    processor/thread_15  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,385] DEBUG    processor/thread_3   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_6   Malware Family identified: Emotet
[2023-04-08 19:27:39,385] DEBUG    processor/thread_7   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_2   Tagged threat CRIMINAL
[2023-04-08 19:27:39,385] DEBUG    processor/thread_8   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_9   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_1   Tagged threat CRIMINAL
[2023-04-08 19:27:39,385] DEBUG    processor/thread_10  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,384] DEBUG    processor/thread_0   Tagged threat CRIMINAL
[2023-04-08 19:27:39,386] DEBUG    processor/thread_11  Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_4   Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_12  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,386] DEBUG    processor/thread_13  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,386] DEBUG    processor/thread_5   Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_14  Tagged malware EMOTET
[2023-04-08 19:27:39,386] DEBUG    processor/thread_15  Tagged malware EMOTET
[2023-04-08 19:27:39,386] DEBUG    processor/thread_3   Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_6   Found existing malware family event for Emotet
[2023-04-08 19:27:39,386] DEBUG    processor/thread_7   Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_2   Tagged threat RAT
[2023-04-08 19:27:39,387] DEBUG    processor/thread_8   Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_9   Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_1   Tagged threat RAT
[2023-04-08 19:27:39,387] DEBUG    processor/thread_10  Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_0   Tagged threat RAT
[2023-04-08 19:27:39,387] DEBUG    processor/thread_11  Tagged threat CRIMINAL
[2023-04-08 19:27:39,387] DEBUG    processor/thread_4   Tagged threat CRIMINAL
[2023-04-08 19:27:39,387] DEBUG    processor/thread_12  Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_13  Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_5   Tagged threat CRIMINAL
[2023-04-08 19:27:39,387] DEBUG    processor/thread_14  Tagged threat CRIMINAL
[2023-04-08 19:27:39,387] DEBUG    processor/thread_15  Tagged threat CRIMINAL
[2023-04-08 19:27:39,388] DEBUG    processor/thread_3   Tagged threat CRIMINAL
[2023-04-08 19:27:39,388] DEBUG    processor/thread_6   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,388] DEBUG    processor/thread_7   Tagged threat CRIMINAL
[2023-04-08 19:27:39,388] DEBUG    processor/thread_2   Added 47f3a99ed0aaa1b269f14888f3c8e5de032a0840b822d4574e95db68d3811688 indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,388] DEBUG    processor/thread_8   Tagged threat CRIMINAL
[2023-04-08 19:27:39,388] DEBUG    processor/thread_9   Tagged threat CRIMINAL
[2023-04-08 19:27:39,389] DEBUG    processor/thread_1   Added 36bb3d9152a14b9912b714714ada5a22 indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,389] DEBUG    processor/thread_10  Tagged threat CRIMINAL
[2023-04-08 19:27:39,389] DEBUG    processor/thread_0   Added 5fd1a44bfdc904a775cfa81748f4aaad38036e3d indicators to event Indicator Type: SHA1 hashes
[2023-04-08 19:27:39,389] DEBUG    processor/thread_11  Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_4   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_12  Tagged threat CRIMINAL
[2023-04-08 19:27:39,390] DEBUG    processor/thread_13  Tagged threat CRIMINAL
[2023-04-08 19:27:39,390] DEBUG    processor/thread_5   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_14  Tagged threat DOWNLOADER
[2023-04-08 19:27:39,390] DEBUG    processor/thread_15  Tagged threat DOWNLOADER
[2023-04-08 19:27:39,390] DEBUG    processor/thread_3   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_6   Tagged malware EMOTET
[2023-04-08 19:27:39,390] DEBUG    processor/thread_7   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_2   Updated Malware Family: CobaltStrike event threat level to HIGH
[2023-04-08 19:27:39,390] DEBUG    processor/thread_8   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_9   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_10  Tagged threat RAT
[2023-04-08 19:27:39,391] DEBUG    processor/thread_12  Tagged threat RAT
[2023-04-08 19:27:39,391] DEBUG    processor/thread_13  Tagged threat RAT
[2023-04-08 19:27:39,393] DEBUG    processor/thread_6   Tagged threat CRIMINAL
[2023-04-08 19:27:39,394] DEBUG    processor/thread_11  Added 94f764473f2946521f4050be6f2d35b5 indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_12  Added 89612615ce912b66a0394497efc5ee8cb6c49a25 indicators to event Indicator Type: SHA1 hashes
[2023-04-08 19:27:39,394] DEBUG    processor/thread_5   Added 5cbeb0a6c5a10eada07b4e9555b1bd3d indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,395] DEBUG    processor/thread_14  Added 46d8f2195fb9e7d6fc0423422cd2f6e3 indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,395] DEBUG    processor/thread_15  Added 1ca44f66a74a642426ee371f65964ee062abb9b77a83f7ce33cbdf99982ebe54 indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,395] DEBUG    processor/thread_3   Added 3be7535aaad8e5deb0a7b0ce21a4c5e3a2f3701e86c30b4b3846cdda25fa4feb indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,395] DEBUG    processor/thread_7   Added e98ee554b026f21b6aefd9c0018d618a254f378e91d12ee2169eec1198fd2124 indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_2   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,396] DEBUG    processor/thread_1   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,396] DEBUG    processor/thread_0   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,396] DEBUG    processor/thread_8   Added d9a61afbaf06e316abd49511f01ad2b83b970ea4 indicators to event Indicator Type: SHA1 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_6   Tagged threat DOWNLOADER
[2023-04-08 19:27:39,396] DEBUG    processor/thread_9   Added 360379b4abb8cffb2f75ede5f8e06df5 indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_10  Added https://soguo.quest/multiply/archives/555EDYREXV indicators to event Indicator Type: Web addresses
[2023-04-08 19:27:39,394] DEBUG    processor/thread_4   Added a287f05c4f62ac867ad28239a41a474a1bb846a4 indicators to event Indicator Type: SHA1 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_13  Added b1722602adda0e01ad1629d538152a3f1ed22f40b04d67276d1ce140e7253381 indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,397] DEBUG    processor/thread_11  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,397] DEBUG    processor/thread_12  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,397] DEBUG    processor/thread_5   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,397] DEBUG    processor/thread_14  Updated Malware Family: Emotet event threat level to HIGH
[2023-04-08 19:27:39,397] DEBUG    processor/thread_2   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,398] DEBUG    processor/thread_1   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,398] DEBUG    processor/thread_0   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,398] DEBUG    processor/thread_11  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,286] DEBUG    processor/thread_13  Malware Family identified: CobaltStrike
[2023-04-08 19:27:39,286] DEBUG    processor/thread_13  Found existing malware family event for CobaltStrike
[2023-04-08 19:27:39,287] DEBUG    processor/thread_14  Malware Family identified: Emotet
[2023-04-08 19:27:39,287] DEBUG    processor/thread_14  Start creation of malware family event object
[2023-04-08 19:27:39,288] DEBUG    processor/thread_14  Complete initial malware family object creation
[2023-04-08 19:27:39,288] DEBUG    processor/thread_14  Successfully created malware family event for Emotet
[2023-04-08 19:27:39,382] DEBUG    processor/thread_15  Malware Family identified: Emotet
[2023-04-08 19:27:39,382] DEBUG    processor/thread_15  Found existing malware family event for Emotet
[2023-04-08 19:27:39,382] DEBUG    processor/thread_0   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_1   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_0   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,383] DEBUG    processor/thread_2   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_2   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,383] DEBUG    processor/thread_1   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,383] DEBUG    processor/thread_4   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_0   Tagged threat COMMODITY
[2023-04-08 19:27:39,383] DEBUG    processor/thread_5   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,383] DEBUG    processor/thread_3   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_7   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_2   Tagged threat COMMODITY
[2023-04-08 19:27:39,384] DEBUG    processor/thread_8   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_9   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_1   Tagged threat COMMODITY
[2023-04-08 19:27:39,384] DEBUG    processor/thread_10  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,384] DEBUG    processor/thread_11  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,386] DEBUG    processor/thread_11  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,384] DEBUG    processor/thread_4   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,384] DEBUG    processor/thread_12  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,385] DEBUG    processor/thread_13  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,385] DEBUG    processor/thread_5   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_14  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,385] DEBUG    processor/thread_15  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,385] DEBUG    processor/thread_3   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_6   Malware Family identified: Emotet
[2023-04-08 19:27:39,385] DEBUG    processor/thread_7   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_2   Tagged threat CRIMINAL
[2023-04-08 19:27:39,385] DEBUG    processor/thread_8   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_9   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,385] DEBUG    processor/thread_1   Tagged threat CRIMINAL
[2023-04-08 19:27:39,385] DEBUG    processor/thread_10  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,384] DEBUG    processor/thread_0   Tagged threat CRIMINAL
[2023-04-08 19:27:39,386] DEBUG    processor/thread_11  Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_4   Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_12  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,386] DEBUG    processor/thread_13  Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,386] DEBUG    processor/thread_5   Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_14  Tagged malware EMOTET
[2023-04-08 19:27:39,386] DEBUG    processor/thread_15  Tagged malware EMOTET
[2023-04-08 19:27:39,386] DEBUG    processor/thread_3   Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_6   Found existing malware family event for Emotet
[2023-04-08 19:27:39,386] DEBUG    processor/thread_7   Tagged threat COMMODITY
[2023-04-08 19:27:39,386] DEBUG    processor/thread_2   Tagged threat RAT
[2023-04-08 19:27:39,387] DEBUG    processor/thread_8   Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_9   Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_1   Tagged threat RAT
[2023-04-08 19:27:39,387] DEBUG    processor/thread_10  Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_0   Tagged threat RAT
[2023-04-08 19:27:39,387] DEBUG    processor/thread_11  Tagged threat CRIMINAL
[2023-04-08 19:27:39,387] DEBUG    processor/thread_4   Tagged threat CRIMINAL
[2023-04-08 19:27:39,387] DEBUG    processor/thread_12  Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_13  Tagged threat COMMODITY
[2023-04-08 19:27:39,387] DEBUG    processor/thread_5   Tagged threat CRIMINAL
[2023-04-08 19:27:39,387] DEBUG    processor/thread_14  Tagged threat CRIMINAL
[2023-04-08 19:27:39,387] DEBUG    processor/thread_15  Tagged threat CRIMINAL
[2023-04-08 19:27:39,388] DEBUG    processor/thread_3   Tagged threat CRIMINAL
[2023-04-08 19:27:39,388] DEBUG    processor/thread_6   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,388] DEBUG    processor/thread_7   Tagged threat CRIMINAL
[2023-04-08 19:27:39,388] DEBUG    processor/thread_2   Added 47f3a99ed0aaa1b269f14888f3c8e5de032a0840b822d4574e95db68d3811688 indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,388] DEBUG    processor/thread_8   Tagged threat CRIMINAL
[2023-04-08 19:27:39,388] DEBUG    processor/thread_9   Tagged threat CRIMINAL
[2023-04-08 19:27:39,389] DEBUG    processor/thread_1   Added 36bb3d9152a14b9912b714714ada5a22 indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,389] DEBUG    processor/thread_10  Tagged threat CRIMINAL
[2023-04-08 19:27:39,389] DEBUG    processor/thread_0   Added 5fd1a44bfdc904a775cfa81748f4aaad38036e3d indicators to event Indicator Type: SHA1 hashes
[2023-04-08 19:27:39,389] DEBUG    processor/thread_11  Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_4   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_12  Tagged threat CRIMINAL
[2023-04-08 19:27:39,390] DEBUG    processor/thread_13  Tagged threat CRIMINAL
[2023-04-08 19:27:39,390] DEBUG    processor/thread_5   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_14  Tagged threat DOWNLOADER
[2023-04-08 19:27:39,390] DEBUG    processor/thread_15  Tagged threat DOWNLOADER
[2023-04-08 19:27:39,390] DEBUG    processor/thread_3   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_6   Tagged malware EMOTET
[2023-04-08 19:27:39,390] DEBUG    processor/thread_7   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_2   Updated Malware Family: CobaltStrike event threat level to HIGH
[2023-04-08 19:27:39,390] DEBUG    processor/thread_8   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_9   Tagged threat RAT
[2023-04-08 19:27:39,390] DEBUG    processor/thread_10  Tagged threat RAT
[2023-04-08 19:27:39,391] DEBUG    processor/thread_12  Tagged threat RAT
[2023-04-08 19:27:39,391] DEBUG    processor/thread_13  Tagged threat RAT
[2023-04-08 19:27:39,393] DEBUG    processor/thread_6   Tagged threat CRIMINAL
[2023-04-08 19:27:39,394] DEBUG    processor/thread_11  Added 94f764473f2946521f4050be6f2d35b5 indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_12  Added 89612615ce912b66a0394497efc5ee8cb6c49a25 indicators to event Indicator Type: SHA1 hashes
[2023-04-08 19:27:39,394] DEBUG    processor/thread_5   Added 5cbeb0a6c5a10eada07b4e9555b1bd3d indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,395] DEBUG    processor/thread_14  Added 46d8f2195fb9e7d6fc0423422cd2f6e3 indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,395] DEBUG    processor/thread_15  Added 1ca44f66a74a642426ee371f65964ee062abb9b77a83f7ce33cbdf99982ebe54 indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,395] DEBUG    processor/thread_3   Added 3be7535aaad8e5deb0a7b0ce21a4c5e3a2f3701e86c30b4b3846cdda25fa4feb indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,395] DEBUG    processor/thread_7   Added e98ee554b026f21b6aefd9c0018d618a254f378e91d12ee2169eec1198fd2124 indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_2   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,396] DEBUG    processor/thread_1   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,396] DEBUG    processor/thread_0   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,396] DEBUG    processor/thread_8   Added d9a61afbaf06e316abd49511f01ad2b83b970ea4 indicators to event Indicator Type: SHA1 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_6   Tagged threat DOWNLOADER
[2023-04-08 19:27:39,396] DEBUG    processor/thread_9   Added 360379b4abb8cffb2f75ede5f8e06df5 indicators to event Indicator Type: MD5 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_10  Added https://soguo.quest/multiply/archives/555EDYREXV indicators to event Indicator Type: Web addresses
[2023-04-08 19:27:39,394] DEBUG    processor/thread_4   Added a287f05c4f62ac867ad28239a41a474a1bb846a4 indicators to event Indicator Type: SHA1 hashes
[2023-04-08 19:27:39,396] DEBUG    processor/thread_13  Added b1722602adda0e01ad1629d538152a3f1ed22f40b04d67276d1ce140e7253381 indicators to event Indicator Type: SHA256 hashes
[2023-04-08 19:27:39,397] DEBUG    processor/thread_11  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,397] DEBUG    processor/thread_12  Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,397] DEBUG    processor/thread_5   Tagged malicious-confidence HIGH
[2023-04-08 19:27:39,397] DEBUG    processor/thread_14  Updated Malware Family: Emotet event threat level to HIGH
[2023-04-08 19:27:39,397] DEBUG    processor/thread_2   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,398] DEBUG    processor/thread_1   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,398] DEBUG    processor/thread_0   Tagged malware COBALTSTRIKE
[2023-04-08 19:27:39,398] DEBUG    processor/thread_11  Tagged malware COBALTSTRIKE
##### Continues for 23+ Hours

```
[2023-04-09 13:30:55,429] DEBUG processor/thread_10 Added 4e97d128b5e06ea4cda3cdef1bbe0c28 indicators to event Indicator Type: MD5 hashes
[2023-04-09 13:30:55,456] DEBUG processor/thread_12 Tagged mitre-attck RESOURCEDEVELOPMENT
[2023-04-09 13:30:55,522] DEBUG processor/thread_3 Tagged threat DOWNLOADER
[2023-04-09 13:30:55,605] DEBUG processor/thread_5 Tagged mitre-attck PERSISTENCE
[2023-04-09 13:30:55,656] DEBUG processor/thread_6 Tagged mitre-attck RESOURCEDEVELOPMENT
[2023-04-09 13:30:55,687] DEBUG processor/thread_0 Tagged mitre-attck COMMANDANDCONTROL
[2023-04-09 13:30:55,744] DEBUG processor/thread_1 Tagged mitre-attck COMMANDANDCONTROL
[2023-04-09 13:30:55,852] DEBUG processor/thread_15 Tagged mitre-attck PRIVILEGEESCALATION
[2023-04-09 13:30:55,888] DEBUG processor/thread_8 Tagged mitre-attck COMMANDANDCONTROL
[2023-04-09 13:30:55,919] DEBUG processor/thread_11 Tagged mitre-attck COMMANDANDCONTROL
[2023-04-09 13:30:55,955] DEBUG processor/thread_13 Tagged mitre-attck PERSISTENCE
[2023-04-09 13:30:55,981] DEBUG processor/thread_9 Tagged mitre-attck INITIALACCESS
[2023-04-09 13:30:56,063] DEBUG processor/thread_10 Tagged malicious-confidence HIGH
[2023-04-09 13:30:56,084] DEBUG processor/thread_12 Tagged mitre-attck RESOURCEDEVELOPMENT
[2023-04-09 13:30:57,001] DEBUG processor/thread_12 Tagged mitre-attck RESOURCEDEVELOPMENT
[2023-04-09 13:30:56,197] DEBUG processor/thread_6 Tagged mitre-attck RESOURCEDEVELOPMENT
[2023-04-09 13:30:56,290] DEBUG processor/thread_0 Tagged mitre-attck DEFENSEEVASION
[2023-04-09 13:30:56,383] DEBUG processor/thread_1 Tagged mitre-attck COMMANDANDCONTROL
[2023-04-09 13:30:56,486] DEBUG processor/thread_15 Tagged mitre-attck RESOURCEDEVELOPMENT
[2023-04-09 13:30:56,580] DEBUG processor/thread_8 Tagged mitre-attck COMMANDANDCONTROL
[2023-04-09 13:30:56,714] DEBUG processor/thread_11 Tagged mitre-attck COMMANDANDCONTROL
[2023-04-09 13:30:56,817] DEBUG processor/thread_13 Tagged mitre-attck PERSISTENCE
[2023-04-09 13:30:56,889] DEBUG processor/thread_9 Tagged mitre-attck LATERALMOVEMENT
[2023-04-09 13:30:56,971] DEBUG processor/thread_10 Tagged malware SALITYV4
[2023-04-09 13:30:56,182] DEBUG processor/thread_5 Tagged mitre-attck PERSISTENCE
[2023-04-09 13:30:57,001] DEBUG processor/thread_12 Tagged mitre-attck RESOURCEDEVELOPMENT
[2023-04-09 13:30:57,084] DEBUG processor/thread_6 Tagged threat BOTNET
[2023-04-09 13:30:57,768] DEBUG processor/thread_6 Tagged threat COMMODITY
[2023-04-09 13:30:57,773] DEBUG processor/thread_6 Tagged threat CRIMINAL
[2023-04-09 13:30:57,779] DEBUG processor/thread_6 Tagged threat DOWNLOADER
[2023-04-09 13:30:57,367] DEBUG processor/thread_8 Tagged mitre-attck COMMANDANDCONTROL
[2023-04-09 13:30:57,475] DEBUG processor/thread_11 Tagged mitre-attck COMMANDANDCONTROL
^CError in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/opt/rh/rh-python38/root/usr/lib64/python3.8/concurrent/futures/thread.py", line 40, in _python_exit
[2023-04-09 13:30:57,527] DEBUG processor/thread_13 Tagged mitre-attck PERSISTENCE
    t.join()
  File "/opt/rh/rh-python38/root/usr/lib64/python3.8/threading.py", line 1011, in join
[2023-04-09 13:30:57,619] DEBUG processor/thread_9 Tagged mitre-attck PERSISTENCE
^C  File "/opt/rh/rh-python38/root/usr/lib64/python3.8/threading.py", line 1027, in _wait_for_tstate_lock
[2023-04-09 13:30:57,657] DEBUG processor/thread_4 Added 85f8fd4e4b1d701e431a4dfb0145e856 indicators to event Malware Family: Salityv4
[2023-04-09 13:30:57,686] DEBUG processor/thread_10 Tagged mitre-attck COMMANDANDCONTROL
^CKeyboardInterrupt
```
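A way to confirm the hourly re-edit cycle on any MISP host, as an added example that is not code from MISP-tools or from the reporter: it parses syslog-wrapped MISP audit lines of the shape quoted in the issue and reports attributes that the integration account keeps updating, with the gaps between updates in minutes. The host, PID, attribute IDs, hash value and the analyst account in the sample are constructed placeholders; the regex assumes the `add|edit -- Attribute (...) from Event (...) ... by User "..."` wording shown in the issue's log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the syslog-wrapped MISP audit lines the issue quotes:
# "<Mon dd HH:MM:SS> <host> ... : add|edit -- Attribute (<id>) from Event (<id>): ... by User "<user>" (<uid>)."
AUDIT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?'
    r'\b(?P<action>add|edit|delete) -- Attribute \((?P<attr>\d+)\) from Event \((?P<event>\d+)\)'
    r'.*? by User "(?P<user>[^"]+)"'
)


def audit_line(ts, action, attr_id, event_id, user, uid):
    """Build one CONSTRUCTED audit line in the shape shown in the issue (all values are placeholders)."""
    verb = {"add": "added", "edit": "updated"}[action]
    value = "0" * 60 + "beef"  # placeholder sha256, not a real sample
    return (f'{ts} 10.0.0.4 docker: misp-host misp[4242]: {action} -- Attribute ({attr_id}) '
            f'from Event ({event_id}): Payload delivery/sha256 {value} -- Attribute "{value}" '
            f'({attr_id}) {verb} by User "{user}" ({uid}).')


API_USER = "api.crowdstrike@local.net"  # integration account name as it appears in the issue's log

# Constructed sample: attribute 900001 is added once and then re-edited roughly every hour by the
# integration account; 900002 is added by the integration and edited once by a human analyst.
SAMPLE_LOG = "\n".join([
    audit_line("Apr  9 10:54:31", "add", 900001, 2016952, API_USER, 238),
    audit_line("Apr  9 10:55:10", "add", 900002, 2016952, API_USER, 238),
    audit_line("Apr  9 11:34:01", "edit", 900001, 2016952, API_USER, 238),
    audit_line("Apr  9 12:00:00", "edit", 900002, 2016952, "analyst@local.net", 12),
    audit_line("Apr  9 12:32:16", "edit", 900001, 2016952, API_USER, 238),
    audit_line("Apr  9 13:31:40", "edit", 900001, 2016952, API_USER, 238),
    "Apr  9 13:40:00 10.0.0.4 docker: misp-host misp[4242]: unrelated line that must be ignored",
])


def parse_audit_lines(text):
    """Yield one dict per line matching AUDIT_RE; non-matching lines are skipped."""
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine for
        # same-year deltas (a Feb 29 line would need a real year supplied).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield {"ts": ts, "action": m.group("action"), "attr": m.group("attr"),
               "event": m.group("event"), "user": m.group("user")}


def find_re_edited_attributes(text, user, min_edits=2):
    """Return {attr_id: [minutes between consecutive edits]} for attributes the given user
    edited at least min_edits times. Adds are ignored: one add is normal, repeated edits of
    the same attribute by an importer account are the signature of a re-ingestion loop."""
    stamps = defaultdict(list)
    for rec in parse_audit_lines(text):
        if rec["user"] == user and rec["action"] == "edit":
            stamps[rec["attr"]].append(rec["ts"])
    churn = {}
    for attr, times in stamps.items():
        if len(times) < min_edits:
            continue
        times.sort()
        churn[attr] = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
    return churn


def looks_periodic(intervals, period_minutes=60, tolerance_minutes=15):
    """True when every gap between edits sits within tolerance of the expected period."""
    return bool(intervals) and all(abs(i - period_minutes) <= tolerance_minutes for i in intervals)


if __name__ == "__main__":
    import sys
    # Read real audit lines from stdin when piped in; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for attr, gaps in sorted(find_re_edited_attributes(text, API_USER).items()):
        flag = "HOURLY LOOP?" if looks_periodic(gaps) else ""
        print(f"attribute {attr}: {len(gaps) + 1} edits, gaps (min) {gaps} {flag}")
```

Saved as, say, `audit_churn.py`, it can be fed the same lines the reporter grepped: `grep api.crowdstrike /var/log/messages | python3 audit_churn.py`. A steady gap of about 60 minutes on attributes that MISP already held is the symptom described above (the importer re-submitting what it already imported), as opposed to genuinely new intelligence arriving. Only the `edit` action is counted because one `add` per attribute is expected on a first import.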
packet-rat commented 1 year ago

FYSA - Still running several days later...

[image attached]
jshcodes commented 1 year ago

Something's definitely not right here. Might have to kill that process and try to restart at a newer timestamp. (I'm working on recreating this.)

packet-rat commented 1 year ago

The “Indicator” ingestion has been behaving like this forever.

jshcodes commented 1 year ago

Caused by requested data segment size.

StressedOutMouse commented 5 months ago

May I ask what the ideal configuration is that alleviates this issue? I'm coming across the same thing. I believe my pull request is minimal; however, it is also a matter of having lower technical specifications. With only 16 GB of RAM, which I am working with currently, large volumes of data being pulled will cause the connection to break, or the job gets killed due to memory exhaustion.

[2024-04-05 13:38:38,814] DEBUG    config  client_id                                   value redacted, check config file
[2024-04-05 13:38:38,814] DEBUG    config  client_secret                               value redacted, check config file
[2024-04-05 13:38:38,814] DEBUG    config  crowdstrike_url                             auto
[2024-04-05 13:38:38,814] DEBUG    config  api_request_max                             2500
[2024-04-05 13:38:38,814] DEBUG    config  api_enable_ssl                              True
[2024-04-05 13:38:38,815] DEBUG    config  reports_timestamp_filename                  lastReportsUpdate.dat
[2024-04-05 13:38:38,815] DEBUG    config  indicators_timestamp_filename               lastIndicatorsUpdate.dat
[2024-04-05 13:38:38,815] DEBUG    config  actors_timestamp_filename                   lastActorsUpdate.dat
[2024-04-05 13:38:38,815] DEBUG    config  init_reports_days_before                    1
[2024-04-05 13:38:38,815] DEBUG    config  init_indicators_minutes_before              60
[2024-04-05 13:38:38,815] DEBUG    config  init_actors_days_before                     1
[2024-04-05 13:38:38,815] DEBUG    config  reports_tags                                value not specified
[2024-04-05 13:38:38,815] DEBUG    config  indicators_tags                             value not specified
[2024-04-05 13:38:38,816] DEBUG    config  actors_tags                                 value not specified
[2024-04-05 13:38:38,816] DEBUG    config  unknown_mapping                             CrowdStrike:indicator:galaxy: UNATTRIBUTED
[2024-04-05 13:38:38,816] DEBUG    config  unattributed_title                          Unattributed indicators:
[2024-04-05 13:38:38,816] DEBUG    config  indicator_type_title                        Indicator Type:
[2024-04-05 13:38:38,816] DEBUG    config  malware_family_title                        Malware Family:
[2024-04-05 13:38:38,816] DEBUG    config  misp_url                                    [REDACTED]
[2024-04-05 13:38:38,816] DEBUG    config  misp_auth_key                               value redacted, check config file
[2024-04-05 13:38:38,816] DEBUG    config  crowdstrike_org_uuid                        [REDACTED]
[2024-04-05 13:38:38,817] DEBUG    config  miss_track_file                             no_galaxy_mapping.log
[2024-04-05 13:38:38,817] DEBUG    config  galaxies_map_file                           galaxy.ini
[2024-04-05 13:38:38,817] DEBUG    config  misp_enable_ssl                             False
[2024-04-05 13:38:38,817] WARNING  config  misp_enable_ssl                             SSL is disabled for MISP API requests
[2024-04-05 13:38:38,817] DEBUG    config  misp_malware_family_range                   7d
[2024-04-05 13:38:38,817] DEBUG    config  ind_attribute_batch_size                    50
[2024-04-05 13:38:38,817] DEBUG    config  event_save_memory_refresh_interval          180
[2024-04-05 13:38:38,818] DEBUG    config  max_threads                                 10
[2024-04-05 13:38:38,818] DEBUG    config  tag_unknown_galaxy_maps                     True
[2024-04-05 13:38:38,818] DEBUG    config  taxonomic_kill-chain                        True
[2024-04-05 13:38:38,818] DEBUG    config  taxonomic_information-security-data-source  True
[2024-04-05 13:38:38,818] DEBUG    config  taxonomic_type                              True
[2024-04-05 13:38:38,818] DEBUG    config  taxonomic_iep                               False
[2024-04-05 13:38:38,818] DEBUG    config  taxonomic_iep2                              True
[2024-04-05 13:38:38,818] DEBUG    config  taxonomic_iep2_version                      False
[2024-04-05 13:38:38,818] DEBUG    config  taxonomic_tlp                               True
[2024-04-05 13:38:38,819] DEBUG    config  taxonomic_workflow                          True