CrowdStrike / MISP-tools

Import CrowdStrike Threat Intelligence into your instance of MISP
MIT License

Adversaries import fails with AttributeError: 'NoneType' object has no attribute 'add_tag' #117

Closed EnergyZealot2000 closed 1 year ago

EnergyZealot2000 commented 1 year ago

The Adversaries import process fails at the following step:

[2023-04-18 02:02:09,420] INFO     processor/main       Y  o  ||    \ |  |  | /  [_ |  D  )(   \_ Y  o  ||  D  ) |  T  /  [_(   \_
[2023-04-18 02:02:09,420] INFO     processor/main       |     ||  D  Y|  |  |Y    _]|    /  \__  T|     ||    /  |  | Y    _]\__  T
[2023-04-18 02:02:09,420] INFO     processor/main       |  _  ||     |l  :  !|   [_ |    \  /  \ ||  _  ||    \  |  | |   [_ /  \ |
[2023-04-18 02:02:09,420] INFO     processor/main       |  |  ||     | \   / |     T|  .  Y \    ||  |  ||  .  Y j  l |     T\    |
[2023-04-18 02:02:09,420] INFO     processor/main       l__j__jl_____j  \_/  l_____jl__j\_j  \___jl__j__jl__j\_j|____jl_____j \___j
[2023-04-18 02:02:09,420] INFO     processor/main
[2023-04-18 02:02:09,420] INFO     processor/main       Start importing CrowdStrike Adversaries as events into MISP (past 730 days).
[2023-04-18 02:02:09,421] INFO     processor/main       Retrieving all adversaries.
[2023-04-18 02:02:10,367] INFO     processor/main       Got 58 adversaries from the Crowdstrike Intel API.
[2023-04-18 02:02:11,705] WARNING  processor/thread_0   Adversary OCTANE PANDA missing field first_activity_date.
[2023-04-18 02:02:31,838] WARNING  pymisp/thread_0      The value of the attribute you're trying to add is an empty string, skipping it. Object relation: alias
[2023-04-18 02:02:34,544] WARNING  processor/thread_2   Adversary DEMON SPIDER missing field first_activity_date.
[2023-04-18 02:02:34,544] WARNING  processor/thread_2   Adversary DEMON SPIDER missing field last_activity_date.
[2023-04-18 02:02:35,773] WARNING  processor/thread_2   Could not add or tag event ADV-203346 DEMON SPIDER (eCrime). Will retry in 0.3 seconds.
day is out of range for month: 0

[2023-04-18 02:02:38,926] WARNING  processor/thread_1   Adversary INTREPID JACKAL missing field first_activity_date.
[2023-04-18 02:02:38,926] WARNING  processor/thread_1   Adversary INTREPID JACKAL missing field last_activity_date.
[2023-04-18 02:02:41,025] WARNING  processor/thread_2   Adversary VAMPIRE SPIDER missing field last_activity_date.
[2023-04-18 02:02:41,026] WARNING  pymisp/thread_2      The value of the attribute you're trying to add is an empty string, skipping it. Object relation: alias
[2023-04-18 02:02:43,649] WARNING  processor/thread_1   Could not add or tag event ADV-137920 INTREPID JACKAL (Hacktivist). Will retry in 0.3 seconds.
day is out of range for month: 0
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/misp/misp_import.py", line 377, in <module>
    main()
  File "/misp/misp_import.py", line 356, in main
    importer.import_from_crowdstrike(int(settings["CrowdStrike"]["init_reports_days_before"]),
  File "/misp/cs_misp_import/importer.py", line 303, in import_from_crowdstrike
    self.actors_importer.process_actors(actors_days_before, self.event_ids)
  File "/misp/cs_misp_import/actors.py", line 153, in process_actors
    if fut.result():
       ^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/concurrent/futures/_base.py", line 449, in result
    return self.__get_result()
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/concurrent/futures/_base.py", line 401, in __get_result
    raise self._exception
  File "/usr/local/lib/python3.11/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/misp/cs_misp_import/actors.py", line 66, in batch_import_actors
    event: MISPEvent = self.create_event_from_actor(act, act_det)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/misp/cs_misp_import/actors.py", line 372, in create_event_from_actor
    kao.add_tag(f"CrowdStrike:adversary:branch: {actor_branch}")
    ^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'add_tag'

I am running MISP-tools as a Docker container (v0.6.8).

jshcodes commented 1 year ago

Duplicates #111, will be addressed as part of current sprint.