def convert_indicator(indicator20):
    """Convert a parsed STIX 2.0 indicator into a STIX 1.x ``Indicator``.

    ``indicator20`` is the 2.0 object as a mapping.  The ``id``, ``modified``,
    ``labels``, ``pattern`` and ``valid_from`` keys are read unconditionally;
    every other key is used only when present.  The resulting 1.x object is
    registered under the 2.0 id via ``record_id_object_mapping`` before it is
    returned.
    """
    id20 = indicator20["id"]
    result = Indicator(id_=convert_id20(id20),
                       timestamp=text_type(indicator20["modified"]))

    if "name" in indicator20:
        result.title = indicator20["name"]
    if "description" in indicator20:
        result.add_description(indicator20["description"])

    result.indicator_types = convert_open_vocabs_to_controlled_vocabs(
        indicator20["labels"], INDICATOR_LABEL_MAP)

    # valid_until is optional in 2.0; an open-ended window is passed as None.
    valid_until = None
    if "valid_until" in indicator20:
        valid_until = text_type(indicator20["valid_until"])
    result.add_valid_time_position(
        convert_to_valid_time(text_type(indicator20["valid_from"]), valid_until))

    pattern = create_pattern_object(indicator20["pattern"])
    result.add_observable(pattern.toSTIX1x(id20=id20))

    if "kill_chain_phases" in indicator20:
        process_kill_chain_phases(indicator20["kill_chain_phases"], result)

    # Object-level markings are re-attached to the 1.x object and everything
    # beneath it (descendants=True); a reference that yields no marking
    # specification is skipped.
    if "object_marking_refs" in indicator20:
        for m_id in indicator20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(result, ms, descendants=True)

    # Granular markings are only reported through error(); nothing from them
    # is applied to the converted object, so any restriction they carry is
    # dropped here.
    if "granular_markings" in indicator20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, id20)

    record_id_object_mapping(id20, result)
    return result
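def resolveObjects(incident, ttps, objects, eventTags, org):
    """Turn each MISP object in ``objects`` into a composite STIX Indicator.

    For every object the attributes are first resolved into a throwaway
    ``Incident`` (via ``resolveAttributes``); the observables of the related
    indicators collected there are then combined with an ``AND`` operator
    into one Indicator, which is appended to ``incident.related_indicators``
    with the object's ``meta-category`` as the relationship.

    ``ttps``, ``eventTags`` and ``org`` are passed through to the helpers.
    """
    for obj in objects:
        tmp_incident = Incident()
        resolveAttributes(tmp_incident, ttps, obj["Attribute"], eventTags, org)

        indicator = Indicator(
            timestamp=getDateFromTimestamp(int(obj["timestamp"])))
        indicator.id_ = namespace[1] + ":MispObject-" + obj["uuid"]
        setProd(indicator, org)

        # Fold every attribute's tags into the event tags before deriving
        # the TLP marking for the whole object.
        # NOTE(review): if mergeTags mutates its first argument, eventTags
        # is altered across iterations — confirm and copy first if so.
        tlpTags = eventTags
        for attr in obj["Attribute"]:
            tlpTags = mergeTags(tlpTags, attr)
        setTLP(indicator, obj["distribution"], tlpTags, True)

        indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")"
        # Keep the object's comment as the description when there is one;
        # the title is only a fallback (previously it unconditionally
        # overwrote the comment).
        indicator.description = (obj["comment"] if obj["comment"] != ""
                                 else indicator.title)
        indicator.add_indicator_type("Malware Artifacts")
        indicator.add_valid_time_position(ValidTime())
        indicator.observable_composition_operator = "AND"

        for rindicator in tmp_incident.related_indicators:
            if rindicator.item.observable:
                indicator.add_observable(rindicator.item.observable)

        relatedIndicator = RelatedIndicator(indicator,
                                            relationship=obj["meta-category"])
        incident.related_indicators.append(relatedIndicator)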
    def create_indicator(self, ce1sus_indicator, event_permissions, user):
        """Build a STIX ``Indicator`` from a ce1sus indicator.

        Copies id, title, descriptions, types and composition operator
        across, attaches the creator identity as producer, and adds only the
        observables ``get_observables_for_permissions`` returns for ``user``
        with ``event_permissions``.  Confidence falls back to ``'Low'`` when
        the ce1sus indicator has none.  Handling and markings are not carried
        over yet (see the TODOs below).
        """
        stix_indicator = Indicator()
        stix_indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
        stix_indicator.title = ce1sus_indicator.title
        stix_indicator.description = ce1sus_indicator.description
        stix_indicator.short_description = ce1sus_indicator.short_description

        confidence = ce1sus_indicator.confidence
        stix_indicator.confidence = confidence.title() if confidence else 'Low'

        # TODO: handling
        # TODO: markings -- any handling restriction on the ce1sus side is not
        # propagated to the STIX object by this method.
        for indicator_type in ce1sus_indicator.types:
            stix_indicator.add_indicator_type(indicator_type.name)

        if ce1sus_indicator.operator:
            stix_indicator.observable_composition_operator = ce1sus_indicator.operator
        # Todo Add confidence
        # indicator_attachment.confidence = "Low"

        creator = self.create_stix_identity(ce1sus_indicator)
        produced = self.cybox_mapper.get_time(
            produced_time=ce1sus_indicator.created_at)
        stix_indicator.producer = InformationSource(identity=creator, time=produced)

        permitted = ce1sus_indicator.get_observables_for_permissions(
            event_permissions, user)
        for obs in permitted:
            stix_indicator.add_observable(
                self.create_observable(obs, event_permissions, user))

        # NOTE(review): start and end are both created_at, i.e. a zero-length
        # validity window — confirm this is intended.
        window = ValidTime(start_time=ce1sus_indicator.created_at,
                           end_time=ce1sus_indicator.created_at)
        stix_indicator.add_valid_time_position(window)
        return stix_indicator
    def test_datetime_format(self):
        """A ValidTime start_time given as a datetime is serialized in ISO form."""
        start = datetime.strptime("2010-03-05", "%Y-%m-%d")
        indicator = Indicator(title="title")
        indicator.add_valid_time_position(ValidTime(start_time=start))

        serialized = text_type(indicator.to_xml())
        self.assertTrue("2010-03-05T" in serialized)
    def test_datetime_format(self):
        """The date part of a datetime start_time survives XML serialization."""
        indicator = Indicator(title="title")
        window = ValidTime(
            start_time=datetime.strptime("2010-03-05", "%Y-%m-%d"))
        indicator.add_valid_time_position(window)

        xml_text = text_type(indicator.to_xml())
        self.assertTrue("2010-03-05T" in xml_text)
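def buildIndicator(input_dict):
    """Build a STIX ``Indicator`` from a plain dict.

    Required keys: ``description``, ``title``, ``starttime`` and ``endtime``
    (a missing one raises ``KeyError``).  Optional keys, skipped when absent
    or falsy: ``confidence``, ``impact``, ``producer`` and ``type``.
    """
    indicator = Indicator()
    indicator.description = input_dict["description"]

    # .get() lets an optional key be omitted entirely instead of raising
    # KeyError; a present-but-falsy value is still skipped as before.
    if input_dict.get("confidence"):
        indicator.confidence = input_dict["confidence"]

    if input_dict.get("impact"):
        indicator.likely_impact = input_dict["impact"]

    producer = input_dict.get("producer")
    if producer:
        indicator.producer = InformationSource()
        indicator.producer.identity = Identity(producer)

    indicator.title = input_dict["title"]
    indicator.add_valid_time_position(
        valid_time.ValidTime(input_dict["starttime"], input_dict["endtime"]))

    if input_dict.get("type"):
        indicator.add_indicator_type(input_dict["type"])

    return indicator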
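 def resolve_objects(self, incident, tags):
     """Convert every object of ``self.misp_event`` into a composite Indicator.

     Each MISP object's attributes are resolved into a throwaway ``Incident``;
     the observables of the related indicators gathered there are combined
     with an ``AND`` operator into one Indicator that is appended to
     ``incident.related_indicators``, related by the object's meta-category.
     ``tags`` are the event-level tags used as the starting point for the TLP
     marking of each object.
     """
     for misp_object in self.misp_event.objects:
         tmp_incident = Incident()
         # Work on a copy so merging attribute tags cannot alter the caller's
         # tags between objects.  (The former `tlp_tags = None` was a dead
         # store and has been dropped.)
         tlp_tags = deepcopy(tags)
         self.resolve_attributes(tmp_incident, misp_object.attributes, tags)

         indicator = Indicator(
             timestamp=self.get_date_from_timestamp(int(misp_object.timestamp)))
         indicator.id_ = "{}:MispObject-{}".format(namespace[1], misp_object.uuid)
         self.set_prod(indicator, self.orgc_name)

         for attribute in misp_object.attributes:
             tlp_tags = self.merge_tags(tlp_tags, attribute)
         self.set_tlp(indicator, misp_object.distribution, tlp_tags)

         title = "{} (MISP Object #{})".format(misp_object.name, misp_object.id)
         indicator.title = title
         # The comment is the description when present; the title otherwise.
         indicator.description = misp_object.comment if misp_object.comment else title
         indicator.add_indicator_type("Malware Artifacts")
         indicator.add_valid_time_position(ValidTime())
         indicator.observable_composition_operator = "AND"

         for rindicator in tmp_incident.related_indicators:
             if rindicator.item.observable:
                 indicator.add_observable(rindicator.item.observable)

         relatedIndicator = RelatedIndicator(
             indicator, relationship=misp_object['meta-category'])
         incident.related_indicators.append(relatedIndicator)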