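def isight_process_alert_content_element(a_json):
    """
    Create a pySightReport instance from the alert JSON and map it into MISP.

    The raw alert is appended to ``reports/<reportId>`` for reference, the
    existing MISP event for that report ID is looked up, and the alert data is
    attached to it.  Creation of a missing event is only logged, not done.

    :param a_json: one iSight alert as decoded JSON
    :type a_json: dict
    :return: ``False`` when an exception was handled, ``None`` otherwise
    """
    limiter_held = False
    try:
        # get a misp instance per thread
        this_misp_instance = get_misp_instance()

        # without a MISP instance this does not make sense
        if this_misp_instance is False:
            raise ValueError("no MISP instance found")

        threadLimiter.acquire()
        limiter_held = True

        # parsing of json to the pySightReport
        isight_report_instance = pySightReport(a_json)
        report_id = isight_report_instance.reportId

        # reportId comes from the external feed and is used as a file name:
        # reject anything that could escape the "reports/" directory.
        if not report_id or "/" in report_id or "\\" in report_id or report_id in (".", ".."):
            raise ValueError("reportId is not usable as a file name: %r" % (report_id,))

        # This comment will be added to every attribute for reference
        auto_comment = "pySightMisp " + report_id

        # keep a copy of the raw alert, one file per report ID (append mode);
        # the context manager closes the file even if json.dumps() raises
        with open("reports/" + report_id, 'a') as report_file:
            report_file.write(json.dumps(a_json, sort_keys=True, indent=4, separators=(',', ': ')))

        PySight_settings.logger.debug("checking for previous events with report ID %s", report_id)
        event = misp_check_for_previous_events(this_misp_instance, isight_report_instance)

        if not event:
            PySight_settings.logger.error("no event! need to create a new one")
        elif not is_map_alert_to_event(this_misp_instance, event, isight_report_instance, auto_comment):
            # attaching the data to the previously found event failed
            PySight_settings.logger.error("Something went wrong with event mapping")

    except AttributeError as e:
        error_handling(e, a_string="Attribute Error")
        return False
    except TypeError as e:
        error_handling(e, a_string="Type Error:")
        return False
    except Exception as e:
        error_handling(e, a_string="General Error:")
        return False
    finally:
        # release the limiter on every exit path; releasing only on the
        # success path would leak a slot each time the mapping raised
        if limiter_held:
            threadLimiter.release()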
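def process_isight_indicator(isight_json, event_tags, t_semaphore, t_lock):
    """
    Create a pySightReport instance from the iSight JSON and map it into MISP.

    Runs as one worker thread: ``t_semaphore`` bounds the number of concurrent
    workers and ``t_lock`` serialises the "look up or create event" step so
    that two workers handling the same report ID cannot both create an event.

    :param isight_json: one iSight report as decoded JSON
    :type isight_json: dict
    :param event_tags: tags handed to ``create_misp_event`` for a new event
    :param t_semaphore: semaphore limiting concurrent workers
    :param t_lock: lock guarding event lookup and creation
    :return: ``False`` when an exception was handled, ``None`` otherwise
    """
    # Acquire a semaphore (decrease the counter in the semaphore).
    t_semaphore.acquire()
    PySight_settings.logger.debug(
        "Starting thread number %s out of max. %s threads",
        threading.active_count(), PySight_settings.NUMBER_THREADS)
    PySight_settings.logger.debug('Processing report %s',
                                  isight_json['reportId'])

    try:
        # Get a MISP instance per thread
        this_misp_instance = get_misp_instance()

        # Without a MISP instance this does not make sense
        if this_misp_instance is False:
            raise ValueError("No MISP instance found.")

        # Parse the FireEye iSight report
        isight_report_instance = pySightReport(isight_json)
        report_id = isight_report_instance.reportId

        # If in DEBUG mode, write the iSight reports to a file
        if PySight_settings.DEBUG_MODE:
            # reportId comes from the external feed and becomes a file name:
            # reject anything that could escape the "reports" directory.
            if not report_id or "/" in report_id or "\\" in report_id or report_id in (".", ".."):
                raise ValueError("reportId is not usable as a file name: %r" % (report_id,))
            # Create the "reports" subdirectory for storing iSight reports, if it
            # doesn't exist already (exist_ok avoids the exists()/makedirs() race
            # between parallel workers).
            os.makedirs("reports", exist_ok=True)
            # Write the iSight report into the "reports" subdirectory; the
            # context manager closes the file even if json.dumps() raises.
            with open("reports/" + report_id, 'a') as report_file:
                report_file.write(
                    json.dumps(isight_json,
                               sort_keys=True,
                               indent=4,
                               separators=(',', ': ')))

        # Lock multithreading until a MISP event is created.
        # Otherwise, parallel threads might create separate MISP events for one
        # iSight report.  "with" releases the lock on every exit path; releasing
        # it by hand leaves it held when the lookup or the creation raises,
        # which blocks every other worker.
        with t_lock:
            # Check whether we already have an event for this reportID.
            PySight_settings.logger.debug(
                'Checking for existing event with report ID %s',
                report_id)
            event_id = misp_check_for_previous_event(this_misp_instance,
                                                     isight_report_instance)
            if not event_id:
                # Create a new MISP event
                PySight_settings.logger.debug(
                    'No event found for report ID %s -- will create a new one',
                    report_id)
                create_misp_event(this_misp_instance, isight_report_instance,
                                  event_tags)

        if event_id:
            # Add the data to the found event (outside the lock, as before).
            event = this_misp_instance.get_event(event_id, pythonify=True)
            update_misp_event(this_misp_instance, event,
                              isight_report_instance)

    except AttributeError as e_AttributeError:
        error_handling(e_AttributeError,
                       a_string="Attribute Error")
        return False
    except TypeError as e_TypeError:
        error_handling(e_TypeError, a_string="Type Error:")
        return False
    except Exception as e_Exception:
        error_handling(e_Exception, a_string="General Error:")
        return False
    finally:
        # Release the semaphore once, on every path (success and handled errors).
        t_semaphore.release()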
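def process_isight_indicator(a_json):
    """
    Create a pySightReport instance from the iSight JSON and map it into MISP.

    When ``PySight_settings.use_threading`` is set, the module-level
    ``thread_limiter`` semaphore bounds the number of reports processed
    concurrently.  An existing MISP event for the report ID is updated,
    otherwise a new event is created.

    :param a_json: one iSight report as decoded JSON
    :type a_json: dict
    :return: ``False`` when an exception was handled, ``None`` otherwise
    """
    limiter_held = False
    try:
        # Get a MISP instance per thread
        this_misp_instance = get_misp_instance()
        # Stray stdout print replaced by a debug log line (same content).
        PySight_settings.logger.debug("MISP instance: %s", this_misp_instance)

        # Without a MISP instance this does not make sense
        if this_misp_instance is False:
            raise ValueError("No MISP instance found.")

        # Acquire a semaphore (decrease the counter in the semaphore).
        if PySight_settings.use_threading:
            thread_limiter.acquire()
            limiter_held = True

        # Parse the FireEye iSight report
        isight_report_instance = pySightReport(a_json)
        report_id = isight_report_instance.reportId

        # If in DEBUG mode, write the iSight reports to a file.
        if PySight_settings.debug_mode:
            # reportId comes from the external feed and becomes a file name:
            # reject anything that could escape the "reports" directory.
            if not report_id or "/" in report_id or "\\" in report_id or report_id in (".", ".."):
                raise ValueError("reportId is not usable as a file name: %r" % (report_id,))
            # Create the "reports" subdirectory for storing iSight reports, if it
            # doesn't exist already (exist_ok avoids the exists()/makedirs() race
            # between parallel threads).
            os.makedirs("reports", exist_ok=True)
            # Write the iSight report into the "reports" subdirectory; the
            # context manager closes the file even if json.dumps() raises.
            with open("reports/" + report_id, 'a') as report_file:
                report_file.write(
                    json.dumps(a_json,
                               sort_keys=True,
                               indent=4,
                               separators=(',', ': ')))

        # Check whether we already have an event for this reportID.
        PySight_settings.logger.debug(
            'Checking for existing event with report ID %s',
            report_id)
        event_id = misp_check_for_previous_event(this_misp_instance,
                                                 isight_report_instance)

        if not event_id:
            # Create a new MISP event
            PySight_settings.logger.debug(
                'No event found for report ID %s -- will create a new one',
                report_id)
            create_misp_event(this_misp_instance, isight_report_instance)
        else:
            # Add the data to the found event
            event = this_misp_instance.get_event(event_id, pythonify=True)
            update_misp_event(this_misp_instance, event,
                              isight_report_instance)

    except AttributeError as e_AttributeError:
        error_handling(e_AttributeError,
                       a_string="Attribute Error")
        return False
    except TypeError as e_TypeError:
        error_handling(e_TypeError, a_string="Type Error:")
        return False
    except Exception as e_Exception:
        error_handling(e_Exception, a_string="General Error:")
        return False
    finally:
        # Release the semaphore (increase the counter in the semaphore) on every
        # exit path; releasing only on success leaks a slot each time the
        # mapping raises, until no thread can acquire it any more.
        if limiter_held:
            thread_limiter.release()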