CrowdStrike / MISP-tools

Import CrowdStrike Threat Intelligence into your instance of MISP
MIT License

Indicator Type Reports Have No Attributes #89

Closed packet-rat closed 1 year ago

packet-rat commented 1 year ago


[2023-01-06 21:38:02,557] INFO processor/main Retrieving lookup data for import of CrowdStrike indicators into MISP.
[2023-01-06 21:38:02,595] INFO processor/main Retrieved 24 CrowdStrike indicator type events from MISP.
[2023-01-06 21:38:02,638] INFO processor/main Retrieved 0 CrowdStrike indicator malware family events from MISP.
[2023-01-06 21:38:02,741] INFO processor/thread_8 Retrieved 233 bitcoin_address indicators from MISP.
[2023-01-06 21:38:02,742] INFO processor/thread_9 Retrieved 11 coin_address indicators from MISP.
[2023-01-06 21:38:02,789] INFO processor/thread_12 Retrieved 483 registry indicators from MISP.
[2023-01-06 21:38:02,791] INFO processor/thread_9 Retrieved 28 service_name indicators from MISP.
[2023-01-06 21:38:02,803] INFO processor/thread_13 Retrieved 50 device_name indicators from MISP.
[2023-01-06 21:38:02,922] INFO processor/thread_3 Retrieved 1,602 hash_imphash indicators from MISP.
[2023-01-06 21:38:02,973] INFO processor/thread_15 Retrieved 37 campaign_id indicators from MISP.
[2023-01-06 21:38:03,007] INFO processor/thread_9 Retrieved 125 port indicators from MISP.
[2023-01-06 21:38:03,112] INFO processor/thread_12 Retrieved 447 user_agent indicators from MISP.
[2023-01-06 21:38:03,184] INFO processor/thread_7 Retrieved 3,920 mutex_name indicators from MISP.
[2023-01-06 21:38:12,700] INFO processor/thread_10 Retrieved 4,607 email_address indicators from MISP.
[2023-01-06 21:38:17,191] INFO processor/thread_11 Retrieved 24,967 email_subject indicators from MISP.
[2023-01-06 21:38:19,406] INFO processor/thread_2 Retrieved 126,802 hash_sha1 indicators from MISP.
[2023-01-06 21:38:25,958] INFO processor/thread_5 Retrieved 192,728 file_path indicators from MISP.
[2023-01-06 21:38:26,222] INFO processor/thread_4 Retrieved 192,728 file_name indicators from MISP.
[2023-01-06 21:38:34,301] INFO processor/thread_1 Retrieved 272,552 hash_sha256 indicators from MISP.
[2023-01-06 21:39:14,950] INFO processor/thread_0 Retrieved 742,424 hash_md5 indicators from MISP.
[2023-01-06 21:39:43,850] INFO processor/thread_14 Retrieved 1,534,147 domain indicators from MISP.
[2023-01-06 21:42:25,674] INFO processor/thread_8 Retrieved 3,754,983 ip_address indicators from MISP.

jshcodes commented 1 year ago

Try clearing and reloading CS data? I've not seen this variation before.

I'm finishing up the custom import / delete on indicators currently, so there will be another version to test against shortly. I also found a couple of correlations that didn't need to be disabled. These updates should post next week.

packet-rat commented 1 year ago

Cleared all Crowdstrike data and re-running tests. (note that I've done so previously as well)

I am curious about the following: Having cleared all Crowdstrike data, why is the tool telling me how many IOCs it's pulling from MISP? Presuming CS IOCs are gone, are these from other sources and if so, how are they germane to the CS import?

Is there a chance you aren't "Hard Deleting" the CS IOCs?

[2023-01-07 20:59:52,479] INFO     processor/main       Retrieving lookup data for import of CrowdStrike indicators into MISP.
[2023-01-07 20:59:52,772] INFO     processor/main       Adding 24 CrowdStrike indicator type events to MISP.
[2023-01-07 20:59:52,794] INFO     processor/main       Retrieved 0 CrowdStrike indicator malware family events from MISP.
[2023-01-07 20:59:52,871] INFO     processor/thread_9   Retrieved 11 coin_address indicators from MISP.
[2023-01-07 20:59:52,878] INFO     processor/thread_13  Retrieved 50 device_name indicators from MISP.
[2023-01-07 20:59:52,902] INFO     processor/thread_13  Retrieved 28 service_name indicators from MISP.
[2023-01-07 20:59:52,981] INFO     processor/thread_8   Retrieved 233 bitcoin_address indicators from MISP.
[2023-01-07 20:59:53,011] INFO     processor/thread_15  Retrieved 37 campaign_id indicators from MISP.
[2023-01-07 20:59:53,018] INFO     processor/thread_12  Retrieved 483 registry indicators from MISP.
[2023-01-07 20:59:53,190] INFO     processor/thread_8   Retrieved 125 port indicators from MISP.
[2023-01-07 20:59:53,282] INFO     processor/thread_3   Retrieved 1,602 hash_imphash indicators from MISP.
[2023-01-07 20:59:53,332] INFO     processor/thread_13  Retrieved 447 user_agent indicators from MISP.
[2023-01-07 20:59:53,401] INFO     processor/thread_7   Retrieved 3,920 mutex_name indicators from MISP.
[2023-01-07 21:00:02,286] INFO     processor/thread_10  Retrieved 4,871 email_address indicators from MISP.
[2023-01-07 21:00:06,855] INFO     processor/thread_11  Retrieved 26,179 email_subject indicators from MISP.
[2023-01-07 21:00:09,005] INFO     processor/thread_2   Retrieved 127,220 hash_sha1 indicators from MISP.
[2023-01-07 21:00:12,559] INFO     processor/thread_5   Retrieved 192,728 file_path indicators from MISP.
[2023-01-07 21:00:15,614] INFO     processor/thread_4   Retrieved 192,728 file_name indicators from MISP.
[2023-01-07 21:00:25,245] INFO     processor/thread_1   Retrieved 276,532 hash_sha256 indicators from MISP.
[2023-01-07 21:00:54,635] INFO     processor/thread_0   Retrieved 748,240 hash_md5 indicators from MISP.
[2023-01-07 21:01:38,143] INFO     processor/thread_14  Retrieved 1,534,608 domain indicators from MISP.
[2023-01-07 21:05:08,917] INFO     processor/thread_9   Retrieved 3,757,248 ip_address indicators from MISP.
jshcodes commented 1 year ago

Those should be existing attributes of that indicator type in your instance (not necessarily imported from CS).

Found and squashed a bug that could potentially cause this (related to indicator lookups). I'll get the update posted shortly.

packet-rat commented 1 year ago

There are existing IOCs of various similar types from other sources, but significantly (30-40%) more than the values shown.

I’ll look for the update and retest as soon as I can load.

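The comparison packet-rat is doing by hand above (per-type "Retrieved N <type> indicators from MISP" counts before and after clearing CrowdStrike data) can be automated. This is an added example, not code from the MISP-tools project; the log excerpts below are taken from this thread and the regex is an assumption about the importer's log format.

```python
import re

# Assumed log format, based on the lines pasted in this thread, e.g.
# "[2023-01-07 20:59:53,282] INFO processor/thread_3 Retrieved 1,602 hash_imphash indicators from MISP."
# The "indicator type events" / "malware family events" lines deliberately do not match.
LINE_RE = re.compile(
    r"\]\s+INFO\s+processor/\S+\s+Retrieved ([\d,]+) (\w+) indicators from MISP\."
)

# Excerpts from the two runs in this thread (6 Jan before, 7 Jan after clearing CS data).
RUN_BEFORE = (
    "[2023-01-06 21:38:02,922] INFO processor/thread_3 Retrieved 1,602 hash_imphash indicators from MISP. "
    "[2023-01-06 21:38:25,958] INFO processor/thread_5 Retrieved 192,728 file_path indicators from MISP. "
    "[2023-01-06 21:39:14,950] INFO processor/thread_0 Retrieved 742,424 hash_md5 indicators from MISP."
)
RUN_AFTER = """[2023-01-07 20:59:53,282] INFO     processor/thread_3   Retrieved 1,602 hash_imphash indicators from MISP.
[2023-01-07 21:00:12,559] INFO     processor/thread_5   Retrieved 192,728 file_path indicators from MISP.
[2023-01-07 21:00:54,635] INFO     processor/thread_0   Retrieved 748,240 hash_md5 indicators from MISP."""


def parse_counts(log_text):
    """Return {indicator_type: count}; works whether lines are separate or run together."""
    counts = {}
    for match in LINE_RE.finditer(log_text):
        counts[match.group(2)] = int(match.group(1).replace(",", ""))
    return counts


def diff_runs(before, after):
    """Per-type delta (after - before) for every type seen in either run."""
    return {t: after.get(t, 0) - before.get(t, 0) for t in sorted(set(before) | set(after))}


def unchanged_types(before, after):
    """Types present in both runs whose count did not move at all.

    After a 'clear all CrowdStrike data' step, a type that is exactly unchanged is the
    first place to look for attributes that were only soft-deleted or never tagged as CS."""
    return [t for t, d in diff_runs(before, after).items() if d == 0 and t in before and t in after]


if __name__ == "__main__":
    before, after = parse_counts(RUN_BEFORE), parse_counts(RUN_AFTER)
    for t, delta in diff_runs(before, after).items():
        print(f"{t:15s} {before.get(t, 0):>10,} -> {after.get(t, 0):>10,}  ({delta:+,})")
    print("unchanged after clear:", unchanged_types(before, after))
```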

jshcodes commented 1 year ago

This one should be resolved. Please reopen / submit a new issue if you encounter this again. 😄