Feature Request : ExtractIT

phil_pearce · March 10, 2021, 8:15am

Hi,

Can I suggest a feature request for extract it
The ability to extract CVEs

Use Case:
I have an email subscription to US-Cert, within this email are multiple CVEs I’d like to extract from the body of the email
Once extracted I can then use other methods to lookup the CVEs against InsightVM

elijah_martin-merrill · March 10, 2021, 2:11pm

I love this idea - expanding extract-it to handle a broader set of data makes sense. What do you think of also implementing a deduplicate function in extractit?

phil_pearce · March 10, 2021, 2:17pm

I like the idea of a deduplicate, would it be a checkbox on/off…?
For example I’ll use the use case above, if there were multiple same CVEs in an email, the ability to extract the cves as a whole(with duplicates) or extract with the deduplicate on…

phil_pearce · March 10, 2021, 2:26pm

Also I’ll add Ive found it difficult to extract any data from an email body… So the ability to extract maybe based on regex?

elijah_martin-merrill · March 10, 2021, 2:31pm

Have you looked at the pattern match step? It’s designed to extract data based on regex. Developing and Debugging Regex for the Pattern Match Step

phil_pearce · March 10, 2021, 3:24pm

I used pattern matching, doesnt say anything about extracting does it?

The output of pattern matching is
$matched

boolean
{{[“CVEs”].[$matched]}} - True if a match exists

joey_mcadams · March 10, 2021, 3:32pm

Something else that will help, that’s on our backlog (not sure on the ETA). We are going to have the email plugins pump this information out automatically at some point. URLs, Emails, Links, etc… as indicators to more easily feed into your other threat hunting tools.

elijah_martin-merrill · March 10, 2021, 4:16pm

With pattern-match, it constructs the outputs from the regex. The idea is you write regular regex, then reformat the capture groups into “ICON capture groups” that contain a name. This name becomes the variable output by the step.

For example, you have a list of vulnerabilities like this:
Vulnerability: CVE-2017-0108
Vulnerability: CVE-2019-9098

You’d use regular regex to extract the CVE like so: Vulnerability:\s+(CVE-\d{4}-\d{4})
In ICON, to extract the CVE into a variable called CVE, you’d replace the ( with {{CVE:/ and the ) with /}} so you’re regex would be Vulnerability:\s+{{CVE:/CVE-\d{4}-\d{4}/}}

Once you’ve put an “ICON named capture group” inside the regex, the step output will automatically update to include the variable. If you select “multiple matches” checkbox, it’ll output an array of strings for the variable. If “multiple matches” is unchecked, it’ll output just a string with the first match.