CrowdStrike / MISP-tools

Import CrowdStrike Threat Intelligence into your instance of MISP
MIT License

ver_0.6.2 KeyError: 'TAGGING' #37

Closed packet-rat closed 2 years ago

packet-rat commented 2 years ago

All prior Events (Actors, Reports, Indicators) deleted.

(venv):~/src/crowdstrike/220815/MISP-tools-ver_0.6.2]$ python3 misp_import.py --actors

[2022-08-15 21:04:42,971] (INFO) Started getting adversaries from Crowdstrike Intel API and pushing them as events in MISP.
[2022-08-15 21:04:43,691] (INFO) Got 185 adversaries from the Crowdstrike Intel API.
last_seen (1375315200) has to be after first_seen (2013-09-11 21:41:00+00:00)
last_seen (1393632000) has to be after first_seen (2014-05-05 19:53:00+00:00)
last_seen (1367366400) has to be after first_seen (2013-11-15 20:21:00+00:00)
last_seen (1441065600) has to be after first_seen (2015-10-07 19:53:00+00:00)
last_seen (1433116800) has to be after first_seen (2015-06-02 16:07:00+00:00)
last_seen (1435795200) has to be after first_seen (2015-09-24 14:16:00+00:00)
last_seen (1372723200) has to be after first_seen (2013-07-02 19:35:00+00:00)
last_seen (1357084800) has to be after first_seen (2013-04-22 15:03:00+00:00)
last_seen (1435708800) has to be after first_seen (2015-08-28 15:50:00+00:00)
last_seen (1333324800) has to be after first_seen (2012-04-02 22:50:00+00:00)
[2022-08-15 21:04:50,479] (WARNING) Adversary 156278 missing field first_activity_date.
[2022-08-15 21:04:50,577] (WARNING) Adversary 137920 missing field first_activity_date.
[2022-08-15 21:04:50,888] (WARNING) Adversary 138228 missing field first_activity_date.
[2022-08-15 21:04:51,023] (ERROR) 'TAGGING'
Traceback (most recent call last):
  File "misp_import.py", line 213, in main
    importer.import_from_crowdstrike(int(settings["CrowdStrike"]["init_reports_days_before"]),
  File "/home/rx118r/src/crowdstrike/220815/MISP-tools-ver_0.6.2/cs_misp_import/importer.py", line 163, in import_from_crowdstrike
    self.actors_importer.process_actors(actors_days_before, self.event_ids)
  File "/home/rx118r/src/crowdstrike/220815/MISP-tools-ver_0.6.2/cs_misp_import/actors.py", line 128, in process_actors
    if fut.result():
  File "/opt/rh/rh-python38/root/usr/lib64/python3.8/concurrent/futures/_base.py", line 437, in result
    return self.__get_result()
  File "/opt/rh/rh-python38/root/usr/lib64/python3.8/concurrent/futures/_base.py", line 389, in __get_result
    raise self._exception
  File "/opt/rh/rh-python38/root/usr/lib64/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/home/rx118r/src/crowdstrike/220815/MISP-tools-ver_0.6.2/cs_misp_import/actors.py", line 59, in batch_import_actors
    event: MISPEvent = self.create_event_from_actor(act, act_det)
  File "/home/rx118r/src/crowdstrike/220815/MISP-tools-ver_0.6.2/cs_misp_import/actors.py", line 417, in create_event_from_actor
    if confirm_boolean_param(self.settings["TAGGING"].get("taxonomic_TYPE", False)):
  File "/opt/rh/rh-python38/root/usr/lib64/python3.8/configparser.py", line 960, in __getitem__
    raise KeyError(key)
KeyError: 'TAGGING'
'TAGGING'

jshcodes commented 2 years ago

Have you updated your config file to the latest? TAGGING branch is newly added to the config file.

jshcodes commented 2 years ago

A POST has been added to this application that checks the validity of the configuration file. (Pass --debug to see the full output of this testing.) Moving forward, missing values should be reported before startup.

Closing this issue as resolved in v0.6.3, please reopen if you encounter this again.
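
The missing-section failure in the traceback, and a startup check of the kind described in the reply, as an added example that is not the project's own code. The section and option names are the ones visible in the traceback; the helper names and both sample configs are constructed for illustration.

```python
import configparser

# Names taken from the traceback above; the real config file has more
# settings, which are not assumed here.
REQUIRED = {
    "CrowdStrike": ["init_reports_days_before"],
    "TAGGING": ["taxonomic_TYPE"],
}

# Constructed sample: an older config with no [TAGGING] section.
OLD_CONFIG = """
[CrowdStrike]
init_reports_days_before = 7
"""

# Constructed sample: the same file after adding the new section.
NEW_CONFIG = OLD_CONFIG + """
[TAGGING]
taxonomic_TYPE = True
"""

def load(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser

def missing_settings(parser, required=REQUIRED):
    """Return every missing section or option instead of failing on the first."""
    problems = []
    for section, options in required.items():
        if not parser.has_section(section):  # section names are case-sensitive
            problems.append(f"[{section}]")
            continue
        for option in options:
            # has_option applies optionxform, so option case does not matter
            if not parser.has_option(section, option):
                problems.append(f"[{section}] {option}")
    return problems

def preflight(text):
    """Validate before any API call is made or worker thread is started."""
    problems = missing_settings(load(text))
    if problems:
        raise SystemExit("Config is missing: " + ", ".join(problems))
    return True

if __name__ == "__main__":
    print(missing_settings(load(OLD_CONFIG)))
    print(preflight(NEW_CONFIG))
```

Running the check before the import starts turns a KeyError raised inside a worker thread partway through the run into a single message listing everything the config lacks.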