Closed (packet-rat closed this issue 2 years ago)
(venv) [rx118r@md2nj01di:~/src/crowdstrike/220812/MISP-tools-main]$ python3 misp_import.py --clean_indicators
[2022-08-13 16:21:51,210] (INFO) (ASCII-art banner: MISP IMPORT, with the CrowdStrike Threat Intelligence logo)
[2022-08-13 16:21:51,863] (INFO) (ASCII-art banner: BEGIN DELETE)
[2022-08-13 16:21:51,863] (INFO) Start clean up CrowdStrike related events from MISP.
[2022-08-13 16:21:51,895] (INFO) Finished cleaning up CrowdStrike related events from MISP, 0 events deleted.
[2022-08-13 16:21:51,896] (INFO) (ASCII-art banner: FINISHED)
(venv) [rx118r@md2nj01di:~/src/crowdstrike/220812/MISP-tools-main]$ python3 misp_import.py --clean_actors
[2022-08-13 16:22:10,716] (INFO) (ASCII-art banner: MISP IMPORT, with the CrowdStrike Threat Intelligence logo)
[2022-08-13 16:22:11,696] (INFO) (ASCII-art banner: BEGIN DELETE)
[2022-08-13 16:22:11,696] (INFO) Start clean up CrowdStrike related events from MISP.
[2022-08-13 16:22:11,729] (INFO) Finished cleaning up CrowdStrike related events from MISP, 0 events deleted.
[2022-08-13 16:22:11,729] (INFO) (ASCII-art banner: FINISHED)
(venv) [rx118r@md2nj01di:~/src/crowdstrike/220812/MISP-tools-main]$
Let me merge the version I'm working on right now, it has refined deletion logic. (Since local tags are used, you may have to manually delete any events without the correct tagging.)
Stand by.
Ok, grab the latest version and try an import / delete cycle again. You should see better tagging in all three event types, which should make searching easier. You should also be able to remove them by type (clean_adversary, clean_indicator, etc.).
Deletes are broken up a bit to try and reduce the query result sizes coming back from the MISP server.
There is also a --clean_tags command line argument that will remove all CrowdStrike local tags from your instance. After you've cleaned up your instance and removed any dangling events, run this (only) and remove all the CrowdStrike tags. Also make sure to remove any .dat files from your directory.
Do not run --clean_tags until you have removed all CrowdStrike events from your MISP instance.
You should see the version number reflected in the banner now. (Currently v0.6.1.)
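The cleanup order the maintainer describes (delete events by type, then remove the local tags only once no CrowdStrike events remain, then drop the cached .dat files) is easy to get wrong by hand, because running --clean_tags too early leaves untagged events that are hard to find again. The POSIX sh wrapper below is an added example and not part of the MISP-tools project; it assumes misp_import.py sits in the current directory and accepts the flags shown in this thread (--clean_indicators, --clean_actors, --clean_reports, --clean_tags). The "checker" command it calls is a hypothetical helper you supply (for instance a small PyMISP script) that prints the number of CrowdStrike-tagged events still present; the tag names themselves are not given here, so no search is hard-coded.

```shell
#!/bin/sh
# Added example (not part of the MISP-tools project): runs the cleanup steps from the
# thread in the required order and refuses to run --clean_tags while CrowdStrike
# events remain. Assumes misp_import.py is in the current directory and accepts the
# flags shown in the thread. The caller supplies a "checker" command (hypothetical,
# e.g. a small PyMISP script) that prints how many CrowdStrike-tagged events are left.
set -u

# Exit 0 when --clean_tags is safe (zero events remain), 1 when events remain,
# 2 when the checker printed something that is not a non-negative integer.
clean_tags_allowed() {
    remaining="$1"
    case "$remaining" in
        ''|*[!0-9]*)
            echo "checker must print a non-negative integer, got '$remaining'" >&2
            return 2 ;;
    esac
    [ "$remaining" -eq 0 ]
}

# Run a command, or only print it when DRY_RUN=1 (useful for a first pass).
run_step() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DRY-RUN: $*"
    else
        "$@"
    fi
}

# Usage: cleanup_all <checker-command>   (the command is word-split, so "echo 0" works)
cleanup_all() {
    checker="$1"
    # 1. Delete the imported events one type at a time, as the tool does, which keeps
    #    the query result sizes coming back from the MISP server small.
    run_step python3 misp_import.py --clean_indicators
    run_step python3 misp_import.py --clean_actors
    run_step python3 misp_import.py --clean_reports
    # 2. Remove the local tags only when nothing CrowdStrike-tagged is left; otherwise
    #    the leftovers lose their tags and have to be found and deleted by hand.
    remaining=$($checker) || remaining=""
    if clean_tags_allowed "$remaining"; then
        run_step python3 misp_import.py --clean_tags
        # 3. Drop the cached .dat files before the next import.
        run_step sh -c 'rm -f ./*.dat'
        return 0
    fi
    echo "refusing --clean_tags: checker reported '$remaining' remaining CrowdStrike event(s); delete them first" >&2
    return 1
}

# Constructed example invocation: dry-run with a checker that reports 0 events left.
# DRY_RUN=1 cleanup_all "echo 0"
```

Run it once with DRY_RUN=1 to see the exact command sequence, then again for real with a checker that queries your instance; the wrapper exits non-zero and leaves the tags in place whenever the checker reports leftover events or fails to produce a number.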
Function --clean_reports does not remove any reports
(1) Loaded 1,000 reports. (2) Executed --clean_reports. (3) No reports deleted.
(venv) [rx118r@md2nj01di:~/src/crowdstrike/220812/MISP-tools-main]$ python3 misp_import.py --reports
(venv) [rx118r@md2nj01di:~/src/crowdstrike/220812/MISP-tools-main]$ python3 misp_import.py --clean_reports