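def create_attributes(misp_api, event_id, site):
    """
    Create MISP IOCs attributes.

    Pushes the site's monitored domain, the optional ticketing link, the
    resolved IPs, the mail-server A record and the MX exchanges to the given
    MISP event. Each attribute is tagged with the 'Watcher' tag when that tag
    exists on the MISP instance; when it does not, the attribute is added
    untagged instead of carrying a ``[None]`` tag list.

    :param misp_api: MISP Object API.
    :param event_id: MISP Event ID.
    :param site: Site Object.
    :return: None
    """
    print(f"{timezone.now()} - Create MISP IOCs attributes for: ", event_id)
    print('-----------------------------')

    # Look the 'Watcher' tag up once; stop at the first match.
    tag = next(
        (t for t in misp_api.tags(pythonify=True) if t.name == 'Watcher'),
        None,
    )

    def add(category, attr_type, distribution, comment, value):
        """Build one MISPAttribute with the shared fields and push it to the event."""
        attribute = MISPAttribute()
        attribute.category = category
        attribute.type = attr_type
        attribute.distribution = distribution
        attribute.comment = comment
        # A missing tag must not be attached as [None].
        attribute.tags = [tag] if tag is not None else []
        attribute.value = value
        misp_api.add_attribute(event=event_id, attribute=attribute)

    def mx_exchange(mx):
        """
        Return the exchange host of an MX record, or None if it cannot be read.

        Presumably ``str(mx)`` is "<priority> <host>." (the form the original
        ``split()[1][:-1]`` relied on); tolerate a missing priority field and
        strip only a trailing dot, never an arbitrary last character.
        """
        parts = str(mx).split()
        if not parts:
            return None
        host = parts[1] if len(parts) > 1 else parts[0]
        return host[:-1] if host.endswith('.') else host

    # MISP distribution levels used below: 5 = inherit the event's level,
    # 0 = your organisation only.
    add("Network activity", "domain", 5, "Domain name monitored",
        site.domain_name)

    if settings.MISP_TICKETING_URL != '':
        # The ticketing link is an internal reference, hence org-only (0).
        add("Internal reference", "link", 0, "Ticketing link",
            f"{settings.MISP_TICKETING_URL}?id={site.rtir}")

    if site.ip:
        add("Network activity", "ip-dst", 5, "First IP", site.ip)

    if site.ip_second:
        add("Network activity", "ip-dst", 5, "Second IP", site.ip_second)

    # Only record the mail server IP when it differs from the IPs already pushed.
    mail_ip = site.mail_A_record_ip
    if mail_ip and mail_ip not in (site.ip, site.ip_second):
        add("Network activity", "ip-dst", 5,
            f"Mail Server A record IP: mail.{site.domain_name}", mail_ip)

    for mx in site.MX_records or []:
        exchange = mx_exchange(mx)
        if exchange:
            add("Network activity", "domain", 5, "MX record", exchange)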
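def update_attributes(misp_api, site):
    """
    Update MISP IOCs attributes.

    Adds the site's resolved IPs, mail-server A record and MX exchanges to the
    site's MISP event, skipping any value that ``search_attributes`` already
    finds on the event. Each new attribute is tagged with the 'Watcher' tag
    when that tag exists on the MISP instance; when it does not, the attribute
    is added untagged instead of carrying a ``[None]`` tag list.

    :param misp_api: MISP Object API.
    :param site: Site Object.
    :return: None
    """
    event_id = site.misp_event_id

    print(f"{timezone.now()} - Update MISP IOCs attributes for: ", event_id)
    print('-----------------------------')

    # Look the 'Watcher' tag up once; stop at the first match.
    tag = next(
        (t for t in misp_api.tags(pythonify=True) if t.name == 'Watcher'),
        None,
    )

    def add_if_missing(category, attr_type, distribution, comment, value):
        """Push one MISPAttribute unless the event already holds this value."""
        if search_attributes(misp_api, event_id, value, site.pk):
            return
        attribute = MISPAttribute()
        attribute.category = category
        attribute.type = attr_type
        attribute.distribution = distribution
        attribute.comment = comment
        # A missing tag must not be attached as [None].
        attribute.tags = [tag] if tag is not None else []
        attribute.value = value
        misp_api.add_attribute(event=event_id, attribute=attribute)

    def mx_exchange(mx):
        """
        Return the exchange host of an MX record, or None if it cannot be read.

        Presumably ``str(mx)`` is "<priority> <host>." (the form the original
        ``split()[1][:-1]`` relied on); tolerate a missing priority field and
        strip only a trailing dot, never an arbitrary last character.
        """
        parts = str(mx).split()
        if not parts:
            return None
        host = parts[1] if len(parts) > 1 else parts[0]
        return host[:-1] if host.endswith('.') else host

    # MISP distribution level 5 = inherit the event's distribution level.
    if site.ip:
        add_if_missing("Network activity", "ip-dst", 5, "First IP", site.ip)

    if site.ip_second:
        add_if_missing("Network activity", "ip-dst", 5, "Second IP",
                       site.ip_second)

    if site.mail_A_record_ip:
        add_if_missing("Network activity", "ip-dst", 5,
                       f"Mail Server A record IP: mail.{site.domain_name}",
                       site.mail_A_record_ip)

    for mx in site.MX_records or []:
        # Parse the exchange once; the original parsed it twice per record.
        exchange = mx_exchange(mx)
        if exchange:
            add_if_missing("Network activity", "domain", 5, "MX record",
                           exchange)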