Upload multiple IOCs

[ZandaAu]

Has anybody built a script to integrate with MISP to upload IOCs from MISP into CrowdStrike using falconpy? Alternatively to upload a series of IOCs from a csv into CrowdStrike?

While I know CrowdStrike well, I’m new to python and learning as I go. The IOC create sample on here works well, but it’s the ability to take that to the next step.

Ideally I’d like to use something like PyMISP to extract a collection out of MISP into a temporary table, map the fields to CrowdStrike, and then upload each of the IOCs from the table to CrowdStrike. Or something like that. And then use a cron job to run the script periodically to upload any new IOCs.

Thanks

[jshcodes]

We have an example of downloading CrowdStrike Intel indicators / reports / actors and importing them into MISP, but not the other direction. (Yet! This would be a cool integration...)

Importing from CSV should be very doable, we could start with our existing sample and build from there. This could certainly work for your automation scenario, but may be more complex than something exporting from MISP natively.

I'll add the CSV import to our example request list, that'll make a good sample for the library. (Feel free to make suggestions or contribute things you'd like to see once it's posted. 😄)

[ZandaAu]

Great, thanks. Importing from a CSV would go a long way - I could always use OpenCTI or MISP (maybe) to export to a CSV on a periodic basis, and then ingest the contents of a CSV. That would work somewhat universally across multiple platforms.

I do have an example of a MISP to CrowdStrike integration python script (not using FalconPy) that I may be able to retrofit in.