def populate(self, json):
    """Fill this search hit from a decoded JSON dictionary.

    ``json`` is a plain dict (the name shadows the stdlib module, but it is
    part of the call signature and therefore kept). It must carry an
    ``event`` entry. When a truthy ``report`` or ``reference`` entry is
    present the hit is treated as a report match and only those two keys
    are read; otherwise ``observable``, ``object`` and ``attribute`` are
    read. Missing or falsy entries leave the matching attribute untouched.

    Raises KeyError when ``event`` is absent.
    """
    self.event = Event()
    self.event.populate(json['event'])

    is_report_hit = bool(json.get('report') or json.get('reference'))
    if is_report_hit:
        slots = (('report', Report), ('reference', Reference))
    else:
        slots = (('observable', Observable), ('object', Object), ('attribute', Attribute))

    # Attribute name and JSON key coincide for every slot, so one loop
    # replaces the six near-identical blocks.
    for key, cls in slots:
        payload = json.get(key)
        if payload:
            instance = cls()
            setattr(self, key, instance)
            instance.populate(payload)
def parse_events(self, xml, full=True):
    """Convert the MISP ``<Event>`` elements under ``xml`` into REST events.

    For every event the header is mapped through set_event_header; when
    ``full`` is true the attributes are mapped into observables as well.
    Reports that ended up without any reference are discarded, and one
    extra report is appended that points back to the MISP instance: an
    external identifier "<tag> Event ID <id>" and a link to
    "<api_url>/events/view/<id>". The MISP event id is also attached to
    the REST event as ``misp_id``.

    Returns the list of REST events in document order.
    """
    converted = []
    for misp_event in xml.iterfind('./Event'):
        rest_event = Event()
        event_id = self.set_event_header(misp_event, rest_event)
        if full:
            rest_event.observables = self.parse_attributes(rest_event, misp_event)

        # Keep only reports that actually carry references, in their order.
        kept_reports = [item for item in rest_event.reports if item.references]

        # Back-reference to the originating MISP event. Its properties are
        # deliberately set with the flag False and extended logging is NOT
        # applied: this report is meant to be visible to the owner/inserter
        # only, not to be shared onwards.
        backlink = Report()
        backlink.identifier = uuid4()
        self.set_properties(backlink, False)

        # NOTE(review): event_id originates from the MISP document and is only
        # formatted into these values, never validated here; confirm the
        # consumers of 'link' references do not render it unescaped.
        external_id = u'{0}{1} Event ID {2}'.format('', self.tag, event_id)
        backlink.references.append(
            self.create_reference(None, uuid4(), None, 'reference_external_identifier',
                                  external_id, None, False, rest_event, False))
        view_url = u'{0}/events/view/{1}'.format(self.api_url, event_id)
        backlink.references.append(
            self.create_reference(None, uuid4(), None, 'link',
                                  view_url, None, False, rest_event, False))
        kept_reports.append(backlink)

        rest_event.reports = kept_reports
        rest_event.misp_id = event_id
        converted.append(rest_event)
    return converted
class SearchResult(RestBase):
    """One hit of a search: the matching event plus either the
    report/reference pair or the observable/object/attribute triple.

    All slots start as None; populate() fills the ones present in the
    payload.
    """

    def __init__(self):
        RestBase.__init__(self)
        # Same six slots as before, just declared in one place.
        for slot in ('event', 'object', 'observable', 'attribute', 'report', 'reference'):
            setattr(self, slot, None)

    def populate(self, json):
        """Fill the hit from a decoded JSON dictionary.

        ``json`` (a dict; the name shadows the stdlib module but is part of
        the signature) must contain ``event``. A truthy ``report`` or
        ``reference`` entry marks a report hit, in which case the
        observable/object/attribute keys are ignored; otherwise those three
        are read. Falsy or missing entries leave the slot untouched.

        Raises KeyError when ``event`` is absent.
        """
        self.event = Event()
        self.event.populate(json['event'])

        report_payload = json.get('report')
        reference_payload = json.get('reference')
        if report_payload or reference_payload:
            if report_payload:
                self.report = Report()
                self.report.populate(report_payload)
            if reference_payload:
                self.reference = Reference()
                self.reference.populate(reference_payload)
            return

        observable_payload = json.get('observable')
        if observable_payload:
            self.observable = Observable()
            self.observable.populate(observable_payload)
        object_payload = json.get('object')
        if object_payload:
            self.object = Object()
            self.object.populate(object_payload)
        attribute_payload = json.get('attribute')
        if attribute_payload:
            self.attribute = Attribute()
            self.attribute.populate(attribute_payload)
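def create_observable(self, id_, uuid, category, type_, value, data, comment, ioc, share, event):
    """Map one MISP attribute onto the ce1sus model.

    Attributes that are really free text, links, analysis notes, attribution
    or vulnerability identifiers are not turned into observables: they are
    stored as a reference on ``event``'s first report (created on demand)
    and None is returned. Everything else becomes an observable holding a
    single object whose definition is looked up via get_object_definition
    and whose attribute(s) are added by append_attributes; when no
    definition is known for ``category``/``type_`` the observable is
    discarded and None is returned.

    The parameters mirror the MISP attribute: ``id_``/``uuid`` identify it,
    ``category``/``type_``/``value``/``data``/``comment`` are its content,
    ``ioc`` its indicator flag, ``share`` its sharing flag, and ``event`` is
    the ce1sus event being built (mutated in place).

    The three report-producing branches of the previous version shared the
    same "ensure report, merge comment, append reference" tail; it now
    exists once, with only the value prefix differing per branch.
    """
    report_categories = ('external analysis', 'internal reference',
                         'targeting data', 'antivirus detection')
    report_types = ('attachment', 'comment', 'link', 'text', 'url',
                    'malware-sample', 'filename|sha1', 'filename|md5',
                    'filename|sha256', 'vulnerability')
    # Attributes with no structured counterpart are filed on a report.
    is_plain_report_material = (
        (category in report_categories and type_ in report_types)
        or type_ == 'other'
        or category == 'other'
        or (category == 'attribution' and type_ == 'comment'))

    if is_plain_report_material:
        value_format = None
    elif category == 'payload installation' and type_ == 'vulnerability':
        # Spelling kept byte-for-byte: already stored values carry this prefix.
        value_format = u'Vulnerablility: {0}'
    elif category == 'attribution':
        value_format = u'Attribution: {0}'
    else:
        # Structured attribute: observable -> object -> attribute(s).
        observable = self.make_observable(event, comment, share)
        obj = Object()
        obj.identifier = uuid4()
        self.set_properties(obj, share)
        self.set_extended_logging(obj, event)
        observable.object = obj
        obj.definition = self.get_object_definition(category, type_, value, event)
        if not obj.definition:
            # Unknown category/type combination: nothing usable to store.
            return None
        obj.definition_id = obj.definition.identifier
        self.append_attributes(obj, observable, id_, category, type_, value, ioc, share, event, uuid)
        if not observable.description:
            # Normalise '' (and any other falsy value) to None.
            observable.description = None
        return observable

    # Report path: the attribute becomes a reference on the event's report.
    reference = self.create_reference(id_, uuid, category, type_, value, data, share, event)
    if not reference:
        return None
    if value_format is not None:
        reference.value = value_format.format(reference.value)
    if not event.reports:
        # First reference for this event: create the single report that
        # collects them all. NOTE(review): the report is created with the
        # second set_properties argument hard-wired to True while the
        # reference itself receives the attribute's ``share`` flag (and the
        # MISP back-link report in parse_events uses False) — confirm that a
        # report holding non-shared references is meant to be flagged so.
        report = Report()
        report.identifier = uuid4()
        self.set_properties(report, True)
        self.set_extended_logging(report, event)
        event.reports.append(report)
    if comment:
        # Comments accumulate on the report description, ' - ' separated.
        existing = event.reports[0].description
        event.reports[0].description = (existing + ' - ' + comment) if existing else comment
    event.reports[0].references.append(reference)
    return None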
def populate(self, json):
    """Fill this event from a decoded JSON dictionary.

    ``json`` is a dict (the name shadows the stdlib module but is part of
    the signature). Scalar fields are copied with defaults, enumerated
    fields are normalised with str.title(), nested structures are rebuilt
    via the matching classes' populate().

    NOTE(review): only the portion visible in this excerpt is annotated;
    the method appears to continue past it (the final loop builds an
    EventGroupPermission without storing it). If this runs server-side on
    client-supplied JSON, note that ``published``/is_shareable and the
    creator/originating/modifier groups are all taken from the payload —
    confirm the server overrides ownership rather than trusting the client.
    """
    self.identifier = json.get('identifier', None)
    self.title = json.get('title', None)
    self.description = json.get('description', None)
    # title() normalises case so 'draft' and 'DRAFT' both become 'Draft'.
    self.risk = json.get('risk', 'Undefined').title()
    self.status = json.get('status', 'Draft').title()
    self.tlp = json.get('tlp', 'Amber').title()
    self.analysis = json.get('analysis', 'Unknown').title()
    # Presumably Properties('0') is the "nothing set" default — confirm. It
    # is constructed on every call, even when 'properties' is present.
    self.properties.populate(json.get('properties', Properties('0')))
    published = json.get('published', False)
    if published:
        if published == '1' or published == 1:
            published = True
        elif published == '0' or published == 0:
            # NOTE(review): this branch also yields True, so a payload with
            # published '0' ends up marking the event shareable; almost
            # certainly meant to be False. (The `== 0` test is unreachable
            # here, as 0 is falsy and never passes the outer guard.)
            published = True
        self.properties.is_shareable = published
    observables = json.get('observables', list())
    if observables:
        for observable in observables:
            obs = Observable()
            obs.populate(observable)
            self.observables.append(obs)
    indicators = json.get('indicators', list())
    if indicators:
        for indicator in indicators:
            ind = Indicator()
            ind.populate(indicator)
            self.indicators.append(ind)
    modifier_group = json.get('modifier_group', None)
    if modifier_group:
        cg_instance = Group()
        cg_instance.populate(modifier_group)
        # Stored as ``modifier`` while the other two groups keep their key
        # names — confirm this is intended.
        self.modifier = cg_instance
    originating_group = json.get('originating_group', None)
    if originating_group:
        cg_instance = Group()
        cg_instance.populate(originating_group)
        self.originating_group = cg_instance
    creator_group = json.get('creator_group', None)
    if creator_group:
        cg_instance = Group()
        cg_instance.populate(creator_group)
        self.creator_group = cg_instance
    # Timestamps arrive as strings and are parsed by the project helper.
    created_at = json.get('created_at', None)
    if created_at:
        self.created_at = strings.stringToDateTime(created_at)
    modified_on = json.get('modified_on', None)
    if modified_on:
        self.modified_on = strings.stringToDateTime(modified_on)
    first_seen = json.get('first_seen', None)
    if first_seen:
        self.first_seen = strings.stringToDateTime(first_seen)
    last_seen = json.get('last_seen', None)
    if last_seen:
        self.last_seen = strings.stringToDateTime(last_seen)
    reports = json.get('reports', None)
    if reports:
        for report in reports:
            report_instacne = Report()
            report_instacne.populate(report)
            self.reports.append(report_instacne)
    comments = json.get('comments', None)
    if comments:
        for comment in comments:
            comment_instacne = Comment()
            comment_instacne.populate(comment)
            self.comments.append(comment_instacne)
    permissions = json.get('groups', None)
    if permissions:
        for permission in permissions:
            event_permission = EventGroupPermission()
            # The populated permission is not stored within the visible
            # text; the loop body presumably continues beyond this excerpt.
            event_permission.populate(permission)