From 08a49fb9836fb73d72aabee061c0721baf8b8362 Mon Sep 17 00:00:00 2001
From: Joshua Hiller
Date: Thu, 29 Dec 2022 22:04:42 -0500
Subject: [PATCH] More accurate adversary and report lookups by date

---
 cs_misp_import/intel_client.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/cs_misp_import/intel_client.py b/cs_misp_import/intel_client.py
index c26afad..1f03a07 100644
--- a/cs_misp_import/intel_client.py
+++ b/cs_misp_import/intel_client.py
@@ -123,7 +123,7 @@ def get_indicators(self, start_time, include_deleted):
 break
 start_time = last_marker
 
- def get_actors(self, actor_filter: str = None):
+ def get_actors(self, start_time, actor_filter: str = None):
 """Get all the actors that were updated after a certain moment in time (UNIX).
 
 :param start_time: unix time of the oldest actor you want to pull
@@ -138,9 +138,15 @@ def get_actors(self, actor_filter: str = None):
 for act_type in actor_filter.split(","):
 if act_type.upper() in [x.name for x in Adversary]:
 self.log.info("Retrieving %s branch adversaries.", act_type.title())
- filter_string = f"{filter_string if filter_string else ''}{',' if filter_string else ''}name:*'*{act_type.upper()}'"
+ filter_string = f"{filter_string if filter_string else '('}{',' if filter_string else ''}name:*'*{act_type.upper()}'"
 else:
 self.log.info("Retrieving all adversaries.")
+ format_string = "%Y-%m-%dT%H:%M:%SZ"
+ # This is pretty ugly
+ filter_string = f"{filter_string if filter_string else ''}{')' if filter_string else ''}"
+ filter_string = f"{filter_string}{'+' if filter_string else ''}(first_activity_date:>='{datetime.datetime.utcfromtimestamp(start_time).strftime(format_string)}'"
+ filter_string = f"{filter_string},created_date:>='{datetime.datetime.utcfromtimestamp(start_time).strftime(format_string)}')"
+
 while offset < total or first_run:
 resp_json = self.falcon.query_actor_entities(
 sort="last_modified_date.asc",
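Review bot: The date clause added at the end of the second hunk restricts only on `first_activity_date` and `created_date`, while the docstring in the first hunk promises actors "updated after" `start_time` and the query sorts by `last_modified_date.asc`; if the comma inside the parentheses is an OR, as the branch-name filter above relies on, an adversary modified after `start_time` but created and first active before it is silently dropped from an incremental import. If that is not the intent, add `,last_modified_date:>='{since}'` to the parenthesised group, or narrow the docstring to say the lookup is by creation/first-activity date. The timestamp is also formatted twice through `datetime.datetime.utcfromtimestamp`, which is deprecated since Python 3.12; compute it once as `since = datetime.datetime.fromtimestamp(start_time, tz=datetime.timezone.utc).strftime(format_string)` and interpolate `{since}` in both places, which also retires the "This is pretty ugly" comment. `get_actors` continues past the end of the hunk, so the paging loop that consumes `filter_string` is not visible here.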