    def obj_create(self, bundle, **kwargs):
        """
        Handles creating Events through the API.

        Pulls the Event attributes out of the request payload, rejects
        requests that lack a required field or name an unknown event type,
        gates creation on the caller's ``EventACL.WRITE`` permission and
        then delegates to ``add_new_event``. The outcome (message, id, url,
        return_code 0 on success / 1 on failure) is sent back through
        ``self.crits_response``.

        :param bundle: Bundle containing the information to create the Event.
        :type bundle: Tastypie Bundle object.
        :returns: HttpResponse.
        """

        user = bundle.request.user
        payload = bundle.data
        title = payload.get('title', None)
        description = payload.get('description', None)
        event_type = payload.get('event_type', None)
        source = payload.get('source', None)
        method = payload.get('method', None)
        reference = payload.get('reference', None)
        tlp = payload.get('tlp', 'amber')  # TLP falls back to amber when omitted
        date = payload.get('date', None)
        bucket_list = payload.get('bucket_list', None)
        ticket = payload.get('ticket', None)
        campaign = payload.get('campaign', None)
        campaign_confidence = payload.get('campaign_confidence', None)

        content = {'return_code': 0, 'type': 'Event'}
        required = (title, event_type, source, description)
        if not all(required):
            content['message'] = 'Must provide a title, event_type, source, and description.'
            self.crits_response(content)
        if event_type not in EventTypes.values():
            content['message'] = 'Not a valid Event Type.'
            self.crits_response(content)

        # Authorization gate: only callers holding the Event write ACL create.
        if not user.has_access_to(EventACL.WRITE):
            result = {
                'success': False,
                'message': 'User does not have permission to create Object.'
            }
        else:
            result = add_new_event(title, description, event_type, source,
                                   method, reference, tlp, date, user,
                                   bucket_list, ticket, campaign,
                                   campaign_confidence)

        message = result.get('message')
        if message:
            content['message'] = message
        new_id = result.get('id', '')
        content['id'] = new_id
        if new_id:
            content['url'] = reverse('api_dispatch_detail',
                                     kwargs={'resource_name': 'events',
                                             'api_name': 'v1',
                                             'pk': new_id})
        content['return_code'] = 0 if result['success'] else 1
        self.crits_response(content)
    def obj_create(self, bundle, **kwargs):
        """
        Handles creating Events through the API.

        Extracts the Event attributes from the request payload, rejects
        requests that lack a required field or carry an unknown event type,
        and otherwise hands creation to ``add_new_event`` on behalf of the
        requesting user's username. The result (message, id, url and a
        return_code of 0 on success / 1 on failure) is sent back via
        ``self.crits_response``.

        :param bundle: Bundle containing the information to create the Event.
        :type bundle: Tastypie Bundle object.
        :returns: HttpResponse.
        """

        analyst = bundle.request.user.username
        data = bundle.data
        title = data.get('title', None)
        description = data.get('description', None)
        event_type = data.get('event_type', None)
        source = data.get('source', None)
        method = data.get('method', None)
        reference = data.get('reference', None)
        date = data.get('date', None)
        bucket_list = data.get('bucket_list', None)
        ticket = data.get('ticket', None)
        campaign = data.get('campaign', None)
        campaign_confidence = data.get('campaign_confidence', None)

        content = {'return_code': 0, 'type': 'Event'}
        if not (title and event_type and source and description):
            content['message'] = 'Must provide a title, event_type, source, and description.'
            self.crits_response(content)
        if event_type not in EventTypes.values():
            content['message'] = 'Not a valid Event Type.'
            self.crits_response(content)

        # NOTE(review): nothing here checks the caller's write ACL (compare the
        # variant gated on EventACL.WRITE); confirm authorization is enforced
        # by add_new_event or the resource's authorization class.
        result = add_new_event(title, description, event_type, source, method,
                               reference, date, analyst, bucket_list, ticket,
                               campaign, campaign_confidence)

        message = result.get('message')
        if message:
            content['message'] = message
        event_id = result.get('id', '')
        content['id'] = event_id
        if event_id:
            content['url'] = reverse('api_dispatch_detail',
                                     kwargs={'resource_name': 'events',
                                             'api_name': 'v1',
                                             'pk': event_id})
        content['return_code'] = 0 if result['success'] else 1
        self.crits_response(content)
    def set_event_type(self, event_type):
        """
        Set the Event Type.

        Unknown values are silently ignored: ``self.event_type`` is only
        updated when ``event_type`` is one of ``EventTypes.values()``.

        :param event_type: The event type to set (must exist in DB).
        :type event_type: str
        """

        if event_type not in EventTypes.values():
            return
        self.event_type = event_type
    def set_event_type(self, event_type):
        """
        Set the Event Type.

        The assignment only happens for a value listed by
        ``EventTypes.values()``; anything else leaves the attribute as is,
        without raising.

        :param event_type: The event type to set (must exist in DB).
        :type event_type: str
        """

        known_types = EventTypes.values()
        if event_type in known_types:
            self.event_type = event_type
    def __init__(self, username, *args, **kwargs):
        """
        Build the Event form for ``username``.

        Fills the ``source`` choices from ``get_source_names`` for the user,
        pre-selects the user's organization, fills the ``event_type`` choices
        from the sorted ``EventTypes``, then appends the bucket-list and
        ticket fields.
        """
        super(EventForm, self).__init__(*args, **kwargs)
        source_names = get_source_names(True, True, username)
        source_field = self.fields['source']
        source_field.choices = [(src.name, src.name) for src in source_names]
        source_field.initial = get_user_organization(username)
        self.fields['event_type'].choices = [
            (etype, etype) for etype in EventTypes.values(sort=True)
        ]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
def get_event_type_dropdown(request):
    """
    Get a list of available event types.

    Answers AJAX requests with a JSON body of the form ``{"types": [...]}``
    (sorted event types); any other request is shown the error page.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """

    # NOTE(review): HttpRequest.is_ajax() was deprecated in Django 3.1 and
    # removed in 4.0; this view relies on an older Django.
    if not request.is_ajax():
        return render(request, "error.html", {"error": "Expected AJAX"})
    payload = json.dumps({'types': EventTypes.values(sort=True)})
    return HttpResponse(payload, content_type="application/json")
def get_event_type_dropdown(request):
    """
    Get a list of available event types.

    For an AJAX request the sorted ``EventTypes`` are returned as JSON under
    the ``types`` key; otherwise the generic error template is rendered.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """

    if request.is_ajax():  # NOTE(review): is_ajax() was removed in Django 4.0
        sorted_types = EventTypes.values(sort=True)
        body = json.dumps({'types': sorted_types})
        return HttpResponse(body, content_type="application/json")
    return render(request, "error.html", {"error": "Expected AJAX"})
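    def obj_create(self, bundle, **kwargs):
        """
        Handles creating Events through the API.

        Reads the Event attributes from the request payload, validates the
        required fields and the event type, then calls ``add_new_event`` on
        behalf of the requesting user's username. The outcome is reported
        through ``self.crits_response``: ``return_code`` is 0 on success and
        1 on failure, with ``message``, ``id`` and ``url`` filled in when
        available.

        :param bundle: Bundle containing the information to create the Event.
        :type bundle: Tastypie Bundle object.
        :returns: HttpResponse.
        """

        analyst = bundle.request.user.username
        data = bundle.data
        title = data.get('title', None)
        description = data.get('description', None)
        event_type = data.get('event_type', None)
        source = data.get('source', None)
        method = data.get('method', None)
        reference = data.get('reference', None)
        date = data.get('date', None)
        bucket_list = data.get('bucket_list', None)
        ticket = data.get('ticket', None)

        content = {'return_code': 0, 'type': 'Event'}
        if not (title and event_type and source and description):
            content['message'] = 'Must provide a title, event_type, source, and description.'
            self.crits_response(content)
        if event_type not in EventTypes.values():
            content['message'] = 'Not a valid Event Type.'
            self.crits_response(content)

        # NOTE(review): no per-user write ACL is checked here; confirm that
        # authorization is enforced by add_new_event or the resource's
        # authorization class before relying on this endpoint.
        result = add_new_event(title, description, event_type, source, method,
                               reference, date, analyst, bucket_list, ticket)

        if result.get('message'):
            content['message'] = result.get('message')
        content['id'] = result.get('id', '')
        if result.get('id'):
            content['url'] = reverse('api_dispatch_detail',
                                     kwargs={'resource_name': 'events',
                                             'api_name': 'v1',
                                             'pk': result.get('id')})
        # Fix: a failed creation previously left return_code at its initial 0,
        # so API clients were told the Event was created when it was not.
        content['return_code'] = 0 if result['success'] else 1
        self.crits_response(content)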
    def __init__(self, username, *args, **kwargs):
        """
        Build the Event form, forwarding ``username`` to the parent form.

        Sets the event type, relationship type, campaign and campaign
        confidence choices, then appends the bucket-list and ticket fields.
        Campaign names are only offered when the caller holds
        ``Common.CAMPAIGN_READ``; otherwise the list holds one blank entry.
        """
        super(EventForm, self).__init__(username, *args, **kwargs)

        # NOTE(review): ``username`` is called with has_access_to(), so despite
        # its name it appears to be a user object here — confirm with callers.
        fields = self.fields
        fields['event_type'].choices = [
            (etype, etype) for etype in EventTypes.values(sort=True)
        ]
        fields['relationship_type'].choices = relationship_choices
        fields['relationship_type'].initial = RelationshipTypes.RELATED_TO
        campaign_field = fields['campaign']
        campaign_field.choices = [("", "")]
        if username.has_access_to(Common.CAMPAIGN_READ):
            names = get_item_names(Campaign, True)
            campaign_field.choices = [('', '')] + [(c.name, c.name) for c in names]
        fields['campaign_confidence'].choices = [
            ("", ""), ("low", "low"), ("medium", "medium"), ("high", "high")]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
    def __init__(self, username, *args, **kwargs):
        """
        Build the Event form for ``username``.

        Fills the source choices from ``get_source_names`` for the user and
        pre-selects the user's organization, then sets the event type,
        relationship type, campaign and campaign confidence choices before
        appending the bucket-list and ticket fields.
        """
        super(EventForm, self).__init__(*args, **kwargs)
        fields = self.fields
        sources = get_source_names(True, True, username)
        fields['source'].choices = [(s.name, s.name) for s in sources]
        fields['source'].initial = get_user_organization(username)
        fields['event_type'].choices = [
            (t, t) for t in EventTypes.values(sort=True)
        ]
        fields['relationship_type'].choices = relationship_choices
        fields['relationship_type'].initial = RelationshipTypes.RELATED_TO
        # NOTE(review): campaign names are offered to every user here, whereas
        # another revision gates this list on Common.CAMPAIGN_READ — confirm
        # which behaviour is intended.
        fields['campaign'].choices = [("", "")]
        fields['campaign'].choices += [
            (c.name, c.name) for c in get_item_names(Campaign, True)
        ]
        fields['campaign_confidence'].choices = [
            ("", ""), ("low", "low"), ("medium", "medium"), ("high", "high")
        ]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
    def __init__(self, username, *args, **kwargs):
        """
        Build the Event form for ``username``.

        Populates the source, event type, relationship type, campaign and
        campaign confidence choices, defaults the source to the user's
        organization, and appends the bucket-list and ticket fields.
        """
        super(EventForm, self).__init__(*args, **kwargs)
        source_field = self.fields['source']
        source_field.choices = [
            (src.name, src.name)
            for src in get_source_names(True, True, username)
        ]
        source_field.initial = get_user_organization(username)
        self.fields['event_type'].choices = [
            (etype, etype) for etype in EventTypes.values(sort=True)
        ]
        rel_field = self.fields['relationship_type']
        rel_field.choices = relationship_choices
        rel_field.initial = RelationshipTypes.RELATED_TO
        # NOTE(review): no CAMPAIGN_READ gate here, unlike another revision of
        # this form — confirm every user may see campaign names.
        campaign_field = self.fields['campaign']
        campaign_field.choices = [("", "")]
        campaign_field.choices += [
            (c.name, c.name) for c in get_item_names(Campaign, True)]
        self.fields['campaign_confidence'].choices = [
            ("", ""),
            ("low", "low"),
            ("medium", "medium"),
            ("high", "high"),
        ]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
    def parse_stix(self, reference='', make_event=False, source=''):
        """
        Parse the document.

        The flow is: load ``self.data`` as a STIX package (upgrading older
        STIX versions via ramrod when the library rejects them); unless
        previewing, record the STIX version, fold the header's information
        source into ``reference`` and resolve the CRITs source to attribute
        data to; optionally create an Event describing the package; then
        dispatch indicators, observables and threat actors to their parsers.
        A failure to load the package is appended to ``self.failed`` and
        aborts the method.

        :param reference: The reference to the data.
        :type reference: str
        :param make_event: Whether or not to create an Event for this document.
        :type make_event: bool
        :param source: The source of this document.
        :type source: str
        :raises: :class:`taxii_service.parsers.STIXParserException`

        Until we have a way to map source strings in a STIX document to
        a source in CRITs, we are being safe and using the source provided
        as the true source.
        """

        # self.data is the raw document text handed to this parser.
        # NOTE(review): this XML originates outside CRITs (feed/upload);
        # confirm the XML parser behind STIXPackage.from_xml has external
        # entity resolution disabled.
        with closing(StringIO(self.data)) as f:
            try:
                try:
                    self.package = STIXPackage.from_xml(f)
                    if not self.package:
                        raise STIXParserException("STIX package failure")
                except UnsupportedVersionError:
                    # Older STIX version: upgrade the document with ramrod to
                    # the installed stix library's version and parse again.
                    v = stix.__version__
                    # Trim a fourth version component (assumes it is a single
                    # character, e.g. '1.1.1.4' -> '1.1.1').
                    v = v[0:-2] if len(v.split('.')) > 3 else v
                    updated = ramrod.update(f, to_=v)
                    doc = updated.document.as_stringio()
                    self.package = STIXPackage.from_xml(doc)
            except Exception as e:
                # Any failure (including the STIXParserException raised above)
                # is recorded for the UI instead of propagating.
                # NOTE: e.message exists only on Python 2 exceptions.
                msg = "Failed to create STIX/CybOX from XML"
                self.failed.append((e.message, "STIX Package (%s)" % msg,
                                    ''))  # note for display in UI
                return

        if not self.preview:
            self.stix_version = self.package.version
            stix_header = self.package.stix_header
            # Fold the header's information-source identity into the reference.
            if stix_header and stix_header.information_source and stix_header.information_source.identity:
                self.information_source = stix_header.information_source.identity.name
                if self.information_source:
                    info_src = "STIX Source: %s" % self.information_source
                    if not reference:
                        reference = ''
                    else:
                        reference += ", "
                    reference += info_src
            # An explicitly supplied source wins; otherwise fall back to the
            # header's information source; fail if neither is a known CRITs
            # source.
            if source:
                if does_source_exist(source):
                    self.source.name = source
                else:
                    raise STIXParserException(
                        'Source "%s" does not exist in CRITs.' % source)
            elif does_source_exist(self.information_source):
                self.source.name = self.information_source
            else:
                raise STIXParserException("No source to attribute data to.")

            self.source_instance.reference = reference
            self.source.instances.append(self.source_instance)

        if make_event:
            # Defaults, overridden below from the first incident or the header.
            title = "STIX Document %s" % self.package.id_
            event_type = EventTypes.INTEL_SHARING
            date = datetime.datetime.now()
            description = str(date)
            if self.package.incidents:
                # Only the first incident is consulted.
                incdnt = self.package.incidents[0]
                title = incdnt.title
                if incdnt.description:
                    description = incdnt.description
                    if isinstance(description, StructuredText):
                        # NOTE(review): bare except also swallows
                        # KeyboardInterrupt/SystemExit; `except Exception:`
                        # would be narrower.
                        try:
                            description = description.to_dict()
                        except:
                            pass
                if incdnt.short_description in EventTypes.values():
                    event_type = incdnt.short_description
                elif incdnt.categories and incdnt.categories[0].value:
                    event_type = get_crits_event_type(
                        incdnt.categories[0].value)
            else:  #package contains no incidents
                header = self.package.stix_header
                if isinstance(header, STIXHeader):
                    if header.title:
                        title = header.title
                    if header.package_intents:
                        # Map the first package intent onto a CRITs event type;
                        # any failure keeps the default (bare except, see above).
                        try:
                            stix_type = str(header.package_intents[0])
                            event_type = get_crits_event_type(stix_type)
                        except:
                            pass
                    if header.description:
                        description = header.description
                        if isinstance(description, StructuredText):
                            try:
                                description = description.to_dict()
                            except:
                                pass
            if self.preview:
                # Preview: record a placeholder with None in the id slot.
                self.imported[self.package.id_] = ('Event', None, title)
            else:
                res = add_new_event(title, description, event_type,
                                    self.source.name,
                                    self.source_instance.method,
                                    self.source_instance.reference, date,
                                    self.source_instance.analyst)
                self.parsed.append(self.package.id_)
                if res['success']:
                    self.event = res['object']
                    self.imported[self.package.id_] = ('Event',
                                                       res['object'].id, title
                                                       or res['object'].id)
                    self.updates[res['object'].id] = res['object']

                    # Get relationships to the Event
                    # (only the first incident's related indicators are used).
                    if self.package.incidents:
                        incdnts = self.package.incidents
                        for rel in getattr(incdnts[0], 'related_indicators',
                                           ()):
                            if rel.relationship or rel.confidence:
                                # NOTE(review): the guard is an OR, but both
                                # rel.relationship.value and rel.confidence.value
                                # are dereferenced below; if only one of them is
                                # set the other is None and this raises
                                # AttributeError — confirm.
                                r = rel.relationship.value or RelationshipTypes.RELATED_TO
                                c = getattr(rel.confidence.value, 'value',
                                            'Unknown')
                                self.event_rels[rel.item.idref] = (r, c)
                else:
                    self.failed.append((res['message'], "Event (%s)" % title,
                                        self.package.id_))

        if self.package.indicators:
            self.parse_indicators(self.package.indicators)

        if self.package.observables and self.package.observables.observables:
            self.parse_observables(self.package.observables.observables)

        if self.package.threat_actors:
            self.parse_threat_actors(self.package.threat_actors)
    def parse_stix(self, reference='', make_event=False, source=''):
        """
        Parse the document.

        Steps: load ``self.data`` as a STIX package, upgrading it with ramrod
        when the installed library rejects its version; unless previewing,
        record the STIX version, append the header's information source to
        ``reference`` and resolve which CRITs source to attribute data to;
        optionally create an Event for the package; finally hand indicators,
        observables and threat actors to their dedicated parsers. A failure
        to load the package is recorded in ``self.failed`` and ends parsing.

        :param reference: The reference to the data.
        :type reference: str
        :param make_event: Whether or not to create an Event for this document.
        :type make_event: bool
        :param source: The source of this document.
        :type source: str
        :raises: :class:`taxii_service.parsers.STIXParserException`

        Until we have a way to map source strings in a STIX document to
        a source in CRITs, we are being safe and using the source provided
        as the true source.
        """

        # self.data holds the raw document text.
        # NOTE(review): the XML comes from outside CRITs (TAXII feed/upload);
        # confirm STIXPackage.from_xml's underlying parser does not resolve
        # external entities.
        with closing(StringIO(self.data)) as f:
            try:
                try:
                    self.package = STIXPackage.from_xml(f)
                    if not self.package:
                        raise STIXParserException("STIX package failure")
                except UnsupportedVersionError:
                    # The document uses an older STIX version: upgrade it with
                    # ramrod to the installed stix version and parse again.
                    v = stix.__version__
                    # Drop a fourth version component; assumes that component
                    # is one character long (e.g. '1.1.1.4' -> '1.1.1').
                    v = v[0:-2] if len(v.split('.')) > 3 else v
                    updated = ramrod.update(f, to_=v)
                    doc = updated.document.as_stringio()
                    self.package = STIXPackage.from_xml(doc)
            except Exception as e:
                # Every failure, including the STIXParserException above, is
                # queued for the UI rather than raised to the caller.
                # NOTE: e.message is a Python 2-only attribute.
                msg = "Failed to create STIX/CybOX from XML"
                self.failed.append((e.message,
                                    "STIX Package (%s)" % msg,
                                    '')) # note for display in UI
                return

        if not self.preview:
            self.stix_version = self.package.version
            stix_header = self.package.stix_header
            # Append the header's information-source identity to the reference.
            if stix_header and stix_header.information_source and stix_header.information_source.identity:
                self.information_source = stix_header.information_source.identity.name
                if self.information_source:
                    info_src = "STIX Source: %s" % self.information_source
                    if not reference:
                        reference = ''
                    else:
                        reference += ", "
                    reference += info_src
            # Source resolution: the caller-supplied source takes precedence,
            # then the header's information source; otherwise fail.
            if source:
                if does_source_exist(source):
                    self.source.name = source
                else:
                    raise STIXParserException('Source "%s" does not exist in CRITs.' % source)
            elif does_source_exist(self.information_source):
                self.source.name = self.information_source
            else:
                raise STIXParserException("No source to attribute data to.")

            self.source_instance.reference = reference
            self.source.instances.append(self.source_instance)

        if make_event:
            # Default Event fields; refined below from the first incident or
            # from the STIX header.
            title = "STIX Document %s" % self.package.id_
            event_type = EventTypes.INTEL_SHARING
            date = datetime.datetime.now()
            description = str(date)
            if self.package.incidents:
                # Only the first incident is examined.
                incdnt = self.package.incidents[0]
                title = incdnt.title
                if incdnt.description:
                    description = incdnt.description
                    if isinstance(description, StructuredText):
                        # NOTE(review): bare except catches everything, including
                        # KeyboardInterrupt/SystemExit; prefer `except Exception:`.
                        try:
                            description = description.to_dict()
                        except:
                            pass
                if incdnt.short_description in EventTypes.values():
                    event_type = incdnt.short_description
                elif incdnt.categories and incdnt.categories[0].value:
                    event_type = get_crits_event_type(incdnt.categories[0].value)
            else: #package contains no incidents
                header = self.package.stix_header
                if isinstance(header, STIXHeader):
                    if header.title:
                        title = header.title
                    if header.package_intents:
                        # Derive the event type from the first package intent;
                        # on any error the default is kept (bare except, see above).
                        try:
                            stix_type = str(header.package_intents[0])
                            event_type = get_crits_event_type(stix_type)
                        except:
                            pass
                    if header.description:
                        description = header.description
                        if isinstance(description, StructuredText):
                            try:
                                description = description.to_dict()
                            except:
                                pass
            if self.preview:
                # Preview mode records a placeholder with None in the id slot.
                self.imported[self.package.id_] = ('Event',
                                                   None,
                                                   title)
            else:
                res = add_new_event(title,
                                    description,
                                    event_type,
                                    self.source.name,
                                    self.source_instance.method,
                                    self.source_instance.reference,
                                    date,
                                    self.source_instance.analyst)
                self.parsed.append(self.package.id_)
                if res['success']:
                    self.event = res['object']
                    self.imported[self.package.id_] = ('Event',
                                                       res['object'].id,
                                                       title or res['object'].id)
                    self.updates[res['object'].id] = res['object']

                    # Get relationships to the Event
                    # (only the first incident's related indicators are read).
                    if self.package.incidents:
                        incdnts = self.package.incidents
                        for rel in getattr(incdnts[0], 'related_indicators', ()):
                            if rel.relationship or rel.confidence:
                                # NOTE(review): the guard accepts either field,
                                # yet both rel.relationship.value and
                                # rel.confidence.value are read; with only one
                                # set the other is None and this raises
                                # AttributeError — confirm.
                                r = rel.relationship.value or RelationshipTypes.RELATED_TO
                                c = getattr(rel.confidence.value, 'value', 'Unknown')
                                self.event_rels[rel.item.idref] = (r, c)
                else:
                    self.failed.append((res['message'],
                                        "Event (%s)" % title,
                                        self.package.id_))

        if self.package.indicators:
            self.parse_indicators(self.package.indicators)

        if self.package.observables and self.package.observables.observables:
            self.parse_observables(self.package.observables.observables)

        if self.package.threat_actors:
            self.parse_threat_actors(self.package.threat_actors)