def add_related_incidents_item(related_incidents_item, incident):
    """Attach a VERIS related-incident reference to *incident*.

    The related incident is represented as an otherwise empty ``Incident``
    carrying one ``ExternalID`` whose value is *related_incidents_item* and
    whose source is ``"VERIS"``; it is appended to
    ``incident.related_incidents``.

    Only a single identifier is handled: the caller is expected to pass one
    id, not a list.
    """
    ext_id = ExternalID()
    ext_id.value = related_incidents_item
    ext_id.source = "VERIS"
    related = Incident()
    related.add_external_id(ext_id)
    incident.related_incidents.append(related)
def generateSTIXObjects(event):
    """Build a STIX ``Incident`` and the collected TTPs from a MISP event.

    *event* is the MISP export with the payload under ``event["Event"]``.
    Returns ``[incident, ttps]``; *ttps* is the list that
    ``resolveAttributes`` and ``resolveObjects`` fill in.
    """
    misp_event = event["Event"]
    incident_id = namespace[1] + ":incident-" + misp_event["uuid"]
    incident = Incident(id_=incident_id, title=misp_event["info"])
    setDates(incident, misp_event["date"], int(misp_event["publish_timestamp"]))

    # Only threat levels present in the mapping produce a journal entry.
    threat_level_name = threat_level_mapping.get(misp_event["threat_level_id"])
    if threat_level_name:
        addJournalEntry(incident, "Event Threat Level: " + threat_level_name)

    ttps = []
    event_tags = misp_event.get("Tag", [])
    incident.add_external_id(ExternalID(value=misp_event["id"], source="MISP Event"))

    incident_status_name = status_mapping.get(misp_event["analysis"])
    if incident_status_name is not None:
        incident.status = IncidentStatus(incident_status_name)

    setTLP(incident, misp_event["distribution"], event_tags)
    setSrc(incident, misp_event["Org"]["name"])
    orgc_name = misp_event["Orgc"]["name"]
    setRep(incident, orgc_name)
    setTag(incident, event_tags)
    resolveAttributes(incident, ttps, misp_event["Attribute"], event_tags, orgc_name)
    resolveObjects(incident, ttps, misp_event["Object"], event_tags, orgc_name)
    return [incident, ttps]
 def generate_stix_objects(self):
     """Build the STIX ``Incident`` for ``self.misp_event``.

     Side effects on ``self``: ``self.orgc_name`` is set from the creator
     org and ``self.ttps`` is reset to an empty list before attributes and
     objects are resolved. Returns the populated incident.
     """
     misp_event = self.misp_event
     incident = Incident(
         id_="{}:incident-{}".format(namespace[1], misp_event.uuid),
         title=misp_event.info,
     )
     self.set_dates(incident, misp_event.date, misp_event.publish_timestamp)

     threat_level_name = threat_level_mapping.get(str(misp_event.threat_level_id))
     if threat_level_name:
         self.add_journal_entry(incident, "Event Threat Level: {}".format(threat_level_name))

     # Event-level tags are handed to the resolvers under the 'event' key.
     event_tags = misp_event.Tag
     tags = {'event': event_tags} if event_tags else {}
     self.set_tag(incident, event_tags)

     incident.add_external_id(ExternalID(value=str(misp_event.id), source="MISP Event"))
     incident_status_name = status_mapping.get(str(misp_event.analysis))
     if incident_status_name is not None:
         incident.status = IncidentStatus(incident_status_name)

     self.set_tlp(incident, misp_event.distribution, event_tags)
     self.set_src(incident, misp_event.Org.get('name'))
     self.orgc_name = misp_event.Orgc.get('name')
     self.set_rep(incident)

     self.ttps = []
     self.resolve_attributes(incident, misp_event.attributes, tags)
     self.resolve_objects(incident, tags)
     self.add_related_indicators(incident)
     return incident
def generateSTIXObjects(event):
    """Build a STIX ``Incident`` and TTP list from a MISP event.

    In this export shape the threat level lives under
    ``event["ThreatLevel"]`` and the attributes under the top-level
    ``event["Attribute"]``. Returns ``[incident, ttps]``.
    """
    misp_event = event["Event"]
    incident = Incident(
        id_=namespace[1] + ":incident-" + misp_event["uuid"],
        title=misp_event["info"],
    )
    setDates(incident, misp_event["date"], int(misp_event["publish_timestamp"]))
    addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])

    ttps = []
    incident.add_external_id(ExternalID(value=misp_event["id"], source="MISP Event"))

    status_name = status_mapping.get(misp_event["analysis"])
    if status_name is not None:
        incident.status = IncidentStatus(status_name)

    setTLP(incident, misp_event["distribution"])
    setOrg(incident, misp_event["org"])
    resolveAttributes(incident, ttps, event["Attribute"])
    return [incident, ttps]
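    def update_with(self, update_obj, update_timestamp=True):
        """Copy the incident-specific fields of *update_obj* onto this patch.

        The base class copies the common fields first; this override then
        rebuilds categories, time, coordinators, intended effects, discovery
        methods and external ids from *update_obj*.

        Fix: categories were set to ``None`` and that ``None`` was passed as
        the target of ``IncidentCategories.from_dict`` while the call's
        return value was discarded, so ``self.categories`` presumably stayed
        ``None``. A fresh ``IncidentCategories`` is now created first, the
        same way intended effects and discovery methods are populated below.
        """
        super(DBIncidentPatch, self).update_with(update_obj, update_timestamp)

        self.categories = IncidentCategories()
        IncidentCategories.from_dict(update_obj.categories.to_dict(), self.categories)

        if update_obj.time:
            self.time = StixTime.from_dict(update_obj.time.to_dict())
        self.coordinators = update_obj.coordinators

        self.intended_effects = IntendedEffects()
        self.discovery_methods = DiscoveryMethods()
        IntendedEffects.from_dict(update_obj.intended_effects.to_dict(), self.intended_effects)
        DiscoveryMethods.from_dict(update_obj.discovery_methods.to_dict(), self.discovery_methods)

        # New ExternalID instances are built instead of sharing the ones held by update_obj.
        self.external_ids = [
            ExternalID(ex_id.value, ex_id.source) for ex_id in update_obj.external_ids
        ]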
    def _w(cls, draft):
        """Build the patch via ``wrapped_func`` and fill in the incident
        fields (categories, time, external ids, coordinators) from *draft*.
        """
        def _none_if_empty(val):
            # Blank coordinator entries are passed to from_draft as None.
            return val or None

        target = wrapped_func(cls, draft)
        target.categories = cleanstrings(draft.get('categories'))

        # The return value of append_config_timezone is discarded, so it
        # presumably adjusts each time value in place before parsing.
        time_draft = draft.get('time')
        for _, time_value in time_draft.iteritems():
            DBIncidentPatch.append_config_timezone(time_value)
        target.time = StixTime()
        StixTime.from_dict(time_draft, target.time)

        target.external_ids = [
            ExternalID(ex_id['id'], ex_id['source'])
            for ex_id in draft.get('external_ids', [])
        ]
        target.coordinators = [
            EdgeInformationSource.from_draft(_none_if_empty(coordinator))
            for coordinator in draft.get('coordinators', [])
        ]
        return target
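def _load_veris_item(ifn):
    # Parse the VERIS record at *ifn*; the context manager closes the file.
    with open(ifn) as json_data:
        return json.load(json_data)


def _write_package(pkg, ofn):
    # Emit *pkg* as STIX XML to *ofn*, or to stdout when *ofn* is empty/None.
    # stdout is left open (the previous version closed it, which breaks any
    # later output from the process), and the output file is opened only after
    # serialization succeeds so a failing to_xml() does not leave a truncated
    # file behind.
    xml = pkg.to_xml()
    if not ofn:
        sys.stdout.write(xml)
        return
    with open(ofn, 'wb') as stix_xml:
        stix_xml.write(xml)


def convert_file(ifn, ofn, vcdb):
    """Convert one VERIS 1.3 JSON incident record into a STIX package.

    Args:
        ifn: path of the VERIS JSON file to read.
        ofn: path of the STIX XML file to write; falsy means write to stdout.
        vcdb: when truthy, the VCDB-specific ``plus`` item is converted too.

    Side effects: resets the module globals ``cve_info`` and ``targets_item``,
    which the ``add_*`` helpers populate while the record is processed.
    Missing required VERIS items are reported through ``error``; optional
    items are converted only when present.
    """
    global cve_info
    global targets_item
    cve_info = []
    targets_item = None

    veris_item = _load_veris_item(ifn)

    schema_version_item = veris_item.get("schema_version")
    if not schema_version_item:
        # NOTE(review): processing continues with schema_version_item == None
        # after this error; confirm whether error() is meant to abort.
        error("The 'schema_version' item is required")
    elif schema_version_item not in ("1.3", "1.3.0"):
        # str() so a non-string schema_version is reported rather than raising
        # TypeError on concatenation.
        error("This converter is for VERIS schema version 1.3.  This file has schema version " + str(schema_version_item))
        return

    pkg = STIXPackage()
    action_item = veris_item.get('action')
    if not action_item:
        error("The 'action' item is required")
    else:
        add_action_item(action_item, pkg)
    # cve_info is filled by the action handlers above and emitted here.
    add_cve_info(pkg)

    actor_item = veris_item.get('actor')
    if not actor_item:
        error("The 'actor' item is required")
    else:
        add_actor_item(actor_item, pkg)

    incident = Incident()
    pkg.add_incident(incident)

    asset_item = veris_item.get('asset')
    if not asset_item:
        error("The 'asset' item is required")
    else:
        attribute_item = veris_item.get('attribute')
        add_asset_item(asset_item, attribute_item, incident)

    # added as 1.3
    campaign_id_item = veris_item.get('campaign_id')
    if campaign_id_item:
        add_campaign_item(campaign_id_item, pkg)

    confidence_item = veris_item.get('confidence')
    if confidence_item:
        add_confidence_item(confidence_item, incident)

    # control_failure - not found in data
    if veris_item.get('control_failure'):
        warn("'control_failure' item not handled, yet")

    corrective_action_item = veris_item.get('corrective_action')
    cost_corrective_action_item = veris_item.get('cost_corrective_action')
    if corrective_action_item or cost_corrective_action_item:
        add_coa_items(corrective_action_item, cost_corrective_action_item, pkg)

    discovery_method_item = veris_item.get('discovery_method')
    if not discovery_method_item:
        error("The 'discovery_method' item is required")
    else:
        incident.add_discovery_method(map_discovey_method(discovery_method_item))

    discovery_notes_item = veris_item.get('discovery_notes')
    if discovery_notes_item:
        warn("'discovery_notes' item not handled yet")

    impact_item = veris_item.get('impact')
    if impact_item:
        add_impact_item(impact_item, incident)

    incident_id_item = veris_item.get('incident_id')
    if not incident_id_item:
        error("The 'incident_id' item is required")
    else:
        external_id = ExternalID()
        external_id.value = incident_id_item
        external_id.source = "VERIS"
        incident.add_external_id(external_id)

    notes_item = veris_item.get('notes')
    if notes_item:
        pkg.stix_header = STIXHeader()
        pkg.stix_header.title = "Notes: " + notes_item

    # plus item for records from VCDB have some known useful information
    if vcdb:
        plus_item = veris_item.get('plus')
        if plus_item:
            add_plus_item(plus_item, incident, pkg)

    # removed as of 1.3 - see campaign_id
    # related_incidents_item = veris_item.get('related_incidents')
    # if related_incidents_item:
    #    add_related_incidents_item(related_incidents_item, incident)

    security_incident_item = veris_item.get('security_incident')
    if not security_incident_item:
        error("The 'security_incident' item is required")
    else:
        incident.security_compromise = map_security_incident_item_to_security_compromise(security_incident_item)

    reference_item = veris_item.get('reference')
    source_id_item = veris_item.get('source_id')
    if source_id_item or reference_item:
        add_information_source_items(reference_item, source_id_item, schema_version_item, incident)

    summary_item = veris_item.get('summary')
    if summary_item:
        incident.title = summary_item

    # targeted_item = veris_item.get('targeted')
    # if targeted_item:

    timeline_item = veris_item.get('timeline')
    if not timeline_item:
        error("The 'timeline' item is required")
    else:
        add_timeline_item(timeline_item, incident)

    victim_item = veris_item.get('victim')
    if victim_item:
        add_victim_item(victim_item, incident)

    add_related(pkg)
    _write_package(pkg, ofn)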