def add_related_incidents_item(related_incidents_item, incident):
# assuming only one id
rIncident = Incident()
externalID = ExternalID()
externalID.value = related_incidents_item
externalID.source = "VERIS"
rIncident.add_external_id(externalID)
incident.related_incidents.append(rIncident)
def generateSTIXObjects(event):
incident = Incident(id_=namespace[1] + ":incident-" +
event["Event"]["uuid"],
title=event["Event"]["info"])
setDates(incident, event["Event"]["date"],
int(event["Event"]["publish_timestamp"]))
threat_level_name = threat_level_mapping.get(
event["Event"]["threat_level_id"], None)
if threat_level_name:
addJournalEntry(incident, "Event Threat Level: " + threat_level_name)
ttps = []
eventTags = event["Event"].get("Tag", [])
external_id = ExternalID(value=event["Event"]["id"], source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(event["Event"]["analysis"], None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
setTLP(incident, event["Event"]["distribution"], eventTags)
setSrc(incident, event["Event"]["Org"]["name"])
orgc_name = event["Event"]["Orgc"]["name"]
setRep(incident, orgc_name)
setTag(incident, eventTags)
resolveAttributes(incident, ttps, event["Event"]["Attribute"], eventTags,
orgc_name)
resolveObjects(incident, ttps, event["Event"]["Object"], eventTags,
orgc_name)
return [incident, ttps]
def generate_stix_objects(self):
incident_id = "{}:incident-{}".format(namespace[1], self.misp_event.uuid)
incident = Incident(id_=incident_id, title=self.misp_event.info)
self.set_dates(incident, self.misp_event.date, self.misp_event.publish_timestamp)
threat_level_name = threat_level_mapping.get(str(self.misp_event.threat_level_id), None)
if threat_level_name:
threat_level_s = "Event Threat Level: {}".format(threat_level_name)
self.add_journal_entry(incident, threat_level_s)
Tags = {}
event_tags = self.misp_event.Tag
if event_tags:
Tags['event'] = event_tags
self.set_tag(incident, event_tags)
external_id = ExternalID(value=str(self.misp_event.id), source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(str(self.misp_event.analysis), None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
self.set_tlp(incident, self.misp_event.distribution, event_tags)
self.set_src(incident, self.misp_event.Org.get('name'))
self.orgc_name = self.misp_event.Orgc.get('name')
self.set_rep(incident)
self.ttps = []
self.resolve_attributes(incident, self.misp_event.attributes, Tags)
self.resolve_objects(incident, Tags)
self.add_related_indicators(incident)
return incident
def generateSTIXObjects(event):
incident = Incident(id_ = namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"])
setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"]))
addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])
ttps = []
external_id = ExternalID(value=event["Event"]["id"], source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(event["Event"]["analysis"], None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
setTLP(incident, event["Event"]["distribution"])
setOrg(incident, event["Event"]["org"])
resolveAttributes(incident, ttps, event["Attribute"])
return [incident, ttps]
def update_with(self, update_obj, update_timestamp=True):
super(DBIncidentPatch, self).update_with(update_obj, update_timestamp)
self.categories = None
IncidentCategories.from_dict(update_obj.categories.to_dict(), self.categories)
if update_obj.time:
self.time = StixTime.from_dict(update_obj.time.to_dict())
self.coordinators = update_obj.coordinators
self.intended_effects = IntendedEffects()
self.discovery_methods = DiscoveryMethods()
IntendedEffects.from_dict(update_obj.intended_effects.to_dict(), self.intended_effects)
DiscoveryMethods.from_dict(update_obj.discovery_methods.to_dict(), self.discovery_methods)
self.external_ids = []
for ex_id in update_obj.external_ids:
self.external_ids.append(ExternalID(ex_id.value, ex_id.source))
def _w(cls, draft):
def drop_if_empty(val):
return val if val else None
target = wrapped_func(cls, draft)
target.categories = cleanstrings(draft.get('categories'))
for key, value in draft.get('time').iteritems():
DBIncidentPatch.append_config_timezone(value)
target.time = StixTime()
StixTime.from_dict(draft.get('time'), target.time)
target.external_ids = []
for ex_id in draft.get('external_ids', []):
target.external_ids.append(ExternalID(ex_id['id'], ex_id['source']))
target.coordinators = [EdgeInformationSource.from_draft(drop_if_empty(coordinator)) for coordinator in
draft.get('coordinators', [])]
return target
def convert_file(ifn, ofn, vcdb):
global cve_info
global targets_item
cve_info = []
targets_item = None
with open(ifn) as json_data:
veris_item = json.load(json_data)
json_data.close()
schema_version_item = veris_item.get("schema_version")
if not schema_version_item:
error("The 'schema_version' item is required")
elif not (schema_version_item == "1.3" or schema_version_item == "1.3.0"):
error("This converter is for VERIS schema version 1.3. This file has schema version " + schema_version_item)
return
pkg = STIXPackage()
action_item = veris_item.get('action')
if not action_item:
error("The 'action' item is required")
else:
add_action_item(action_item, pkg)
add_cve_info(pkg)
actor_item = veris_item.get('actor')
if not actor_item:
error("The 'actor' item is required")
else:
add_actor_item(actor_item, pkg)
incident = Incident()
pkg.add_incident(incident)
asset_item = veris_item.get('asset')
if not asset_item:
error("The 'asset' item is required")
else:
attribute_item = veris_item.get('attribute')
add_asset_item(asset_item, attribute_item, incident)
# added as 1.3
campaign_id_item = veris_item.get('campaign_id')
if campaign_id_item:
add_campaign_item(campaign_id_item, pkg)
confidence_item = veris_item.get('confidence')
if confidence_item:
add_confidence_item(confidence_item, incident)
#control_failure - not found in data
if veris_item.get('control_failure'):
warn("'control_failure' item not handled, yet")
corrective_action_item = veris_item.get('corrective_action')
cost_corrective_action_item = veris_item.get('cost_corrective_action')
if corrective_action_item or cost_corrective_action_item:
add_coa_items(corrective_action_item, cost_corrective_action_item, pkg)
discovery_method_item = veris_item.get('discovery_method')
if not discovery_method_item:
error("The 'discovery_method' item is required")
else:
incident.add_discovery_method(map_discovey_method(discovery_method_item))
discovery_notes_item = veris_item.get('discovery_notes')
if discovery_notes_item:
warn("'discovery_notes' item not handled yet")
impact_item = veris_item.get('impact')
if impact_item:
add_impact_item(impact_item, incident)
incident_id_item = veris_item.get('incident_id')
if not incident_id_item:
error("The 'incident_id' item is required")
else:
external_id = ExternalID()
external_id.value = incident_id_item
external_id.source = "VERIS"
incident.add_external_id(external_id)
notes_item = veris_item.get('notes')
if notes_item:
pkg.stix_header = STIXHeader()
pkg.stix_header.title = "Notes: " + notes_item
# plus item for records from VCDB have some known useful information
if vcdb:
plus_item = veris_item.get('plus')
if plus_item:
add_plus_item(plus_item, incident, pkg)
# removed as of 1.3 - see campaign_id
# related_incidents_item = veris_item.get('related_incidents')
# if related_incidents_item:
# add_related_incidents_item(related_incidents_item, incident)
security_incident_item = veris_item.get('security_incident')
if not security_incident_item:
error("The 'security_incident' item is required")
else:
incident.security_compromise = map_security_incident_item_to_security_compromise(security_incident_item)
reference_item = veris_item.get('reference')
source_id_item = veris_item.get('source_id')
if source_id_item or reference_item:
add_information_source_items(reference_item, source_id_item, schema_version_item, incident)
summary_item = veris_item.get('summary')
if summary_item:
incident.title = summary_item
#targeted_item = veris_item.get('targeted')
#if targeted_item:
timeline_item = veris_item.get('timeline')
if not timeline_item:
error("The 'timeline' item is required")
else:
add_timeline_item(timeline_item, incident)
victim_item = veris_item.get('victim')
if victim_item:
add_victim_item(victim_item, incident)
add_related(pkg)
if not ofn:
stixXML = sys.stdout
else:
stixXML = open(ofn, 'wb')
stixXML.write(pkg.to_xml())
stixXML.close()
