work in progress for mandiant threat intel integration, cisagov#358

mmguero-dev · Nov 8, 2024 · 13bf9a7 · 13bf9a7
1 parent 231ad13
commit 13bf9a7
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/logstash/pipelines/zeek/1029_zeek_intel.conf b/logstash/pipelines/zeek/1029_zeek_intel.conf
@@ -40,16 +40,12 @@ filter {
           code => "event.set('[zeek_cols]', @zeek_intel_field_names.zip(event.get('[message]')).to_h)"
         }
       }
-      mutate { id => "mutate_split_zeek_intel_commas"
-               split => { "[zeek_cols][sources]" => ","
-                          "[zeek_cols][matched]" => "," } }
     }
 
-    # For some reason, even in JSON, I have cif_tags strings like:
-    #   Network activity,osint:source-type=\"block-or-filter-list\"
-    # so whatever reason it's not already an array. Split it here.
-    mutate { id => "mutate_split_zeek_intel_cif_tags"
-             split => { "[zeek_cols][cif_tags]" => "," } }
+    mutate { id => "mutate_split_zeek_intel_commas"
+             split => { "[zeek_cols][sources]" => ","
+                        "[zeek_cols][matched]" => ","
+                        "[zeek_cols][cif_tags]" => "," } }
 
   }
 

diff --git a/shared/bin/zeek_threat_feed_utils.py b/shared/bin/zeek_threat_feed_utils.py
@@ -232,7 +232,13 @@ def map_mandiant_indicator_to_zeek(
             zeekItem[ZEEK_INTEL_CIF_LASTSEEN] = str(mktime(indicator.last_seen.timetuple()))
         if hasattr(indicator, 'sources'):
             zeekItem[ZEEK_INTEL_META_SOURCE] = ','.join(
-                list({entry['source_name'] for entry in indicator.sources if 'source_name' in entry})
+                list(
+                    {
+                        entry['source_name'].replace(',', '\\x2c')
+                        for entry in indicator.sources
+                        if 'source_name' in entry
+                    }
+                )
             )
             if categories := list(
                 {
@@ -249,7 +255,7 @@ def map_mandiant_indicator_to_zeek(
                 tags.extend(trueMispAttrs)
 
         if tags:
-            zeekItem[ZEEK_INTEL_CIF_TAGS] = ','.join(tags)
+            zeekItem[ZEEK_INTEL_CIF_TAGS] = ','.join([x.replace(',', '\\x2c') for x in tags])
 
         # The MD5Indicator class can actually have multiple types of hashes,
         #   and we want to create a zeek intel item for each. I'm accessing