
Releases: CrowdStrike/MISP-tools

Version 0.8.0

16 Jul 18:47

This update provides some much-needed restructuring of the misp_import.py script:

  • Introduced new classes: ConfigHandler, ImportHandler, and Loggers to better organize the code

    • ConfigHandler
      • Moved configuration/galaxy parsing and handling into the ConfigHandler class
      • Consolidated import settings into a single dictionary in ConfigHandler
      • Simplified the proxy and extra headers configuration in ConfigHandler
    • ImportHandler
      • Created the ImportHandler class to manage the import/deletion process
      • Moved the retrieve_tags() function into the ImportHandler class
      • Moved perform_local_cleanup() function into the ImportHandler class
    • Loggers
      • Utilized a dataclass handler for the two log streams (main/splash)
  • Simplified main: Utilized the new classes and helper functions to streamline the main function

    • Separated logging setup into its own function setup_logging()
    • Created a separate function to initialize the CrowdStrike API client create_intel_api_client()
    • Moved conditional argument checks into parse_command_line()
  • Other

    • Removed some commented-out code and unused imports
    • Removed unused argument (-l, --logfile)
    • Relocated banner printing operations into their own functions

Full Changelog: v0.7.4...v0.8.0

Version 0.7.4

17 May 06:10

This update adds the SAIGA adversary branch and closes #161.

Version 0.7.3

23 Jan 21:42

This release updates the following:

  • Moves galaxy malware family tag lookups to leverage an in-memory dataset created during application startup
  • Adds the Sphinx adversary branch
  • Resolves a lookup issue with Actor tags
  • Adds / Updates repository health files

Full Changelog: v0.7.2...v0.7.3

Version 0.7.2

15 Dec 16:48

  • Moves duplicate handling to leverage the PyMISP native solution. Closes #129. Closes #67.
    • All indicator attributes have been moved to flat attributes as opposed to object attributes.
  • Removes sightings integration.
  • Aligns all adversaries (actors) to the MISP Threat Actor galaxy. CrowdStrike-only actors are created in this galaxy as part of the import.
    • These actors are removed when performing a delete.
  • Refactors taxonomic tagging to reduce the number of updates performed per attribute (indicator).
  • Refines indicator type and malware family events and reduces the amount of time to import. Closes #118. Closes #102.
  • Refines and expands Galaxy searches in an attempt to properly tag malware family indicators to the appropriate galaxy. Closes #134.
  • Adds a new parameter to the configuration file to allow developers to limit the date range for Malware Family event lookups. Closes #136.

Important

Due to taxonomic tagging changes, developers wanting to completely reimport data should remove all CrowdStrike data from their MISP instance (--obliterate or -ci -cr -ca) using the previous version before upgrading to the latest version and running a new import.

Version 0.7.0

28 Apr 13:45

This update provides the following new functionality:

  • Maps CrowdStrike adversaries to the MISP Threat Actor galaxy. Existing adversaries are identified within the current galaxy, and new galaxy clusters are created for adversaries that are not present. These threat actors are removed as part of adversary delete operations.
  • Maps target sectors to the MISP Sector galaxy.
  • Maps target regions to the MISP Regions M49 galaxy.
  • Maps target countries to the MISP Countries galaxy.
  • Dramatically expands malware identification by looking up malware in additional MISP galaxies. The galaxy.ini file is still leveraged to override undesired matches by forcing a galaxy mapping.
  • Resolves the publishing issue for Malware / Indicator type events. Closes #123.
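The in-memory malware family lookup introduced in 0.7.3 and the galaxy.ini override mechanism kept in 0.7.0 are two halves of one lookup path: build every name and synonym index once at startup, then let a forced mapping win over whatever the name match returns. The block below is an added illustration of that pattern and is not code from CrowdStrike/MISP-tools. It reads galaxy files in the misp-galaxy cluster JSON layout (a "values" list whose entries carry "value", "uuid" and "meta.synonyms") and an INI file of overrides whose layout (section = galaxy type, key = family name, value = cluster to force) is assumed for this example; the real galaxy.ini format is not described on this page. All cluster names, UUIDs and synonyms are constructed sample data.

```python
"""Added example (not code from CrowdStrike/MISP-tools): an in-memory
index over MISP galaxy clusters for malware-family lookups, with
INI-style overrides that force a specific cluster for a given family."""
import configparser
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterRef:
    galaxy: str  # galaxy type, e.g. "mitre-malware"
    value: str   # cluster value exactly as it appears in the galaxy file
    uuid: str

    def tag(self) -> str:
        # MISP galaxy tags take the form misp-galaxy:<type>="<value>"
        return f'misp-galaxy:{self.galaxy}="{self.value}"'


def normalize(name: str) -> str:
    """Case-fold and drop non-alphanumerics so 'Example RAT' matches 'examplerat'."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())


class GalaxyIndex:
    """Build all lookup tables once at startup; each lookup is then a dict hit."""

    def __init__(self, galaxies: dict[str, str], overrides_ini: str = "") -> None:
        self._by_name: dict[str, list[ClusterRef]] = {}
        self._by_value: dict[tuple[str, str], ClusterRef] = {}
        for gtype, raw in galaxies.items():
            for cluster in json.loads(raw)["values"]:
                ref = ClusterRef(gtype, cluster["value"], cluster["uuid"])
                self._by_value[(gtype, ref.value)] = ref
                # MITRE values carry an " - Sxxxx" suffix; index the bare name too,
                # plus any synonyms the cluster lists.
                names = [ref.value, ref.value.split(" - ")[0]]
                names += cluster.get("meta", {}).get("synonyms", [])
                for name in names:
                    bucket = self._by_name.setdefault(normalize(name), [])
                    if ref not in bucket:
                        bucket.append(ref)
        # Overrides (assumed layout): section = galaxy type, key = family name,
        # value = forced cluster. Fail loudly on an override to a missing cluster.
        self._overrides: dict[str, ClusterRef] = {}
        cfg = configparser.ConfigParser()
        cfg.read_string(overrides_ini)
        for gtype in cfg.sections():
            for family, forced in cfg.items(gtype):
                ref = self._by_value.get((gtype, forced))
                if ref is None:
                    raise ValueError(f"override {family!r} -> {forced!r}: no such cluster in {gtype}")
                self._overrides[normalize(family)] = ref

    def lookup(self, family: str) -> list[ClusterRef]:
        """Forced mapping first; otherwise every cluster whose name or synonym matches."""
        key = normalize(family)
        if key in self._overrides:
            return [self._overrides[key]]
        return list(self._by_name.get(key, []))

    def tags(self, family: str) -> list[str]:
        return [ref.tag() for ref in self.lookup(family)]


# Constructed sample galaxy files (names, UUIDs and synonyms are made up).
SAMPLE_GALAXIES = {
    "mitre-malware": json.dumps({"name": "Malware", "type": "mitre-malware", "values": [
        {"value": "ExampleRAT - S9001", "uuid": "11111111-1111-4111-8111-111111111111",
         "meta": {"synonyms": ["ExRAT"]}},
        {"value": "Sample Loader - S9002", "uuid": "22222222-2222-4222-8222-222222222222",
         "meta": {"synonyms": []}},
    ]}),
    "malpedia": json.dumps({"name": "Malpedia", "type": "malpedia", "values": [
        {"value": "ExampleRAT", "uuid": "33333333-3333-4333-8333-333333333333",
         "meta": {"synonyms": ["ExRAT", "Example Remote Tool"]}},
        {"value": "OtherFamily", "uuid": "44444444-4444-4444-8444-444444444444", "meta": {}},
    ]}),
}

# Constructed override file: force "ExampleRAT" onto a different MITRE cluster.
SAMPLE_GALAXY_INI = (
    "[malpedia]\notherfamily = OtherFamily\n"
    "[mitre-malware]\nexamplerat = Sample Loader - S9002\n"
)

if __name__ == "__main__":
    index = GalaxyIndex(SAMPLE_GALAXIES, SAMPLE_GALAXY_INI)
    for family in ("ExampleRAT", "ExRAT", "Example Remote Tool", "Unknown"):
        print(family, "->", index.tags(family))
```

Without the override, "ExampleRAT" matches both the MITRE and the Malpedia cluster; with it, only the forced cluster is returned, which is the behaviour a galaxy.ini entry is there to produce. Rejecting an override that names a non-existent cluster at startup, rather than silently tagging nothing, is the check worth keeping in any real implementation.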

Full Changelog: v0.6.9...v0.7.0

Version 0.6.9

20 Apr 12:00

What's Changed

  • Version 0.6.9 by @jshcodes in #120
    • Adds PERSONA_NAME indicator type enumerator. Closes #112.
    • Resolves a tagging failure on the Known As object. Closes #111.
    • Restores custom indicator event tagging functionality. Closes #116.
    • Fixes boolean comparison issue resulting in sightings being tracked when disabled in the configuration file. Closes #101.
    • Adds custom HTTP headers to all API requests. Closes #119.
    • Adds proxy support for all API requests. Closes #14.

Full Changelog: v0.6.8...v0.6.9

Version 0.6.8

07 Feb 20:04

Full Changelog: v0.6.7...v0.6.8

Version 0.6.7

09 Jan 16:11

What's Changed

Functionality

  • Import / Delete indicators by type
  • no_hashes import functionality
  • Correlation fix (Report indicators)
  • Initial markdown report formatting
  • Annotation object removed from reports (This may be restored)
  • Bug fixes

Full Changelog: v0.6.6...v0.6.7

Version 0.6.6

30 Dec 23:07

What's Changed

  • Adversary / Report dates are no longer showing the date of import as the event date. Relates to #70.
    • You can now import 20 years of adversary and report data.
  • Faster delete handling (paginating MISP lookups). Relates to #70.
  • Unnecessary correlations are disabled. Closes #80.
  • Local tag cleanup. Relates to #79.
  • Attribute tag verbosity control (-v argument). Closes #79.
  • max-age argument now works as expected. Closes #70.
  • Import or delete adversaries or reports of a specific type (new argument: -t or --type). Relates to #62.
    • Types can be mixed, for example:
      python3 misp_import.py -a -r -t csit,csa,spider,panda,bear
  • Publish on create (Reports / Adversaries) with the -p argument. Relates to #39.

Full Changelog: v0.6.5...v0.6.6

Version 0.6.5

16 Dec 06:41

This update resolves several null check issues and re-enables custom tagging for indicators.

Thanks to @cudeso and @ag-michael for their contributions!