EQL Query Generation Modules #346
This pull request introduces 4 alerts when merging dc4c09f into d0ddfb3 - view on LGTM.com new alerts:
Codecov Report
@@ Coverage Diff @@
## master #346 +/- ##
==========================================
+ Coverage 18.58% 18.69% +0.11%
==========================================
Files 96 98 +2
Lines 7916 7984 +68
==========================================
+ Hits 1471 1493 +22
- Misses 6445 6491 +46
Continue to review full report at Codecov.
Thank you very much, this is a great contribution! If you have the time to update the documentation of the modules that would be great and show the availability of the modules to other users.
Will do, I'll get that updated tomorrow. I have some more functionality to add to those endgame modules so I'll just put up another pull request when they're ready again. Thanks a ton for taking the changes! I'm really excited!

V/r
Braden Laverick
Woah, awesome!
I've added two new files to the project: eql.py in expansion/ and endgame_export.py in export_mod/. Both of these files describe modules that generate Event Query Language directly from MISP events. This is useful for SOCs that also use Endgame, since they can copy/paste the queries directly to search for that particular MISP event. eql.py is a single attribute "wrapper" enrichment that makes a single EQL query. mass_eql_export is an export module that takes all Endgame-relevant attributes and generates a large EQL for all of them. This is the first version, and will have improvements over time. Here is a link to a reference for EQL: https://eql.readthedocs.io/
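As an added example (not code from this pull request), here is the shape of the mapping both modules perform, in Python: one MISP attribute to one EQL query, and all of an event's Endgame-relevant attributes to one combined query. The attribute-type-to-field table and the `any where ... in (...)` form are assumptions based on the public EQL documentation, not the modules' source; values are escaped so an attribute copied from a shared event cannot alter the query an analyst pastes into Endgame.

```python
from typing import Dict, List, Optional, Tuple

# Assumed mapping of MISP attribute type -> (EQL event type, EQL field).
# Field names follow the public EQL/Endgame schema as assumed for this example;
# they are not taken from the modules' source.
EQL_FIELDS: Dict[str, Tuple[str, str]] = {
    "ip-dst": ("network", "destination_address"),
    "ip-src": ("network", "source_address"),
    "domain": ("dns", "query_name"),
    "hostname": ("dns", "query_name"),
    "md5": ("file", "md5"),
    "sha1": ("file", "sha1"),
    "sha256": ("file", "sha256"),
    "filename": ("file", "file_name"),
}


def eql_literal(value: str) -> str:
    """Quote an attribute value as an EQL string literal.
    Attribute values arrive from shared events, so backslashes and double
    quotes are escaped; a value must never be able to close the literal and
    change the meaning of the generated query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def attribute_to_eql(attr: dict) -> Optional[str]:
    """Single-attribute 'wrapper' form: one MISP attribute -> one EQL query.
    Returns None for attribute types that have no Endgame field, so the
    caller can skip them instead of emitting a query that can never match."""
    mapping = EQL_FIELDS.get(attr.get("type", ""))
    if mapping is None:
        return None
    event_type, field = mapping
    return f"{event_type} where {field} == {eql_literal(attr['value'])}"


def event_to_eql(attributes: List[dict]) -> Optional[str]:
    """Mass-export form: every Endgame-relevant attribute of an event folded
    into one query. Values are grouped per field into an 'in' list and the
    groups joined with 'or' under 'any where' (assumed EQL syntax)."""
    grouped: Dict[Tuple[str, str], List[str]] = {}
    for attr in attributes:
        mapping = EQL_FIELDS.get(attr.get("type", ""))
        if mapping is not None:
            grouped.setdefault(mapping, []).append(eql_literal(attr["value"]))
    if not grouped:
        return None
    clauses = [f"{field} in ({', '.join(vals)})" for (_, field), vals in grouped.items()]
    return "any where " + " or ".join(clauses)
```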