def add_related_incidents_item(related_incidents_item, incident):
    """Link *incident* to one related VERIS incident.

    ``related_incidents_item`` is treated as a single VERIS incident id (the
    original author flagged the one-id assumption). It becomes the value of an
    ``ExternalID`` with source ``"VERIS"`` on a fresh, otherwise empty
    ``Incident`` that is appended to ``incident.related_incidents``.
    """
    # assuming only one id
    veris_ref = ExternalID()
    veris_ref.value = related_incidents_item
    veris_ref.source = "VERIS"

    related = Incident()
    related.add_external_id(veris_ref)
    incident.related_incidents.append(related)
def generateSTIXObjects(event):
    """Build a STIX ``Incident`` and its TTP list from a MISP event dict.

    Reads ``event["Event"]``: uuid/info become the incident id and title;
    date and publish_timestamp feed ``setDates``; threat_level_id, analysis,
    distribution, Org/Orgc names and tags drive the journal entry, status,
    TLP, source, reporter and tag helpers. Attributes and Objects are handed
    to ``resolveAttributes`` / ``resolveObjects``, which fill ``ttps``.

    Returns ``[incident, ttps]``.
    """
    misp_event = event["Event"]
    event_tags = misp_event.get("Tag", [])
    ttps = []

    incident = Incident(
        id_=namespace[1] + ":incident-" + misp_event["uuid"],
        title=misp_event["info"],
    )
    setDates(incident, misp_event["date"], int(misp_event["publish_timestamp"]))

    threat_level_name = threat_level_mapping.get(misp_event["threat_level_id"])
    if threat_level_name:
        addJournalEntry(incident, "Event Threat Level: " + threat_level_name)

    incident.add_external_id(ExternalID(value=misp_event["id"], source="MISP Event"))

    incident_status_name = status_mapping.get(misp_event["analysis"])
    if incident_status_name is not None:
        incident.status = IncidentStatus(incident_status_name)

    setTLP(incident, misp_event["distribution"], event_tags)
    setSrc(incident, misp_event["Org"]["name"])
    orgc_name = misp_event["Orgc"]["name"]
    setRep(incident, orgc_name)
    setTag(incident, event_tags)

    resolveAttributes(incident, ttps, misp_event["Attribute"], event_tags, orgc_name)
    resolveObjects(incident, ttps, misp_event["Object"], event_tags, orgc_name)
    return [incident, ttps]
def generate_stix_objects(self):
    """Build the STIX ``Incident`` for ``self.misp_event``.

    Fills id/title, dates, the threat-level journal entry, event tags, the
    "MISP Event" external id, status, TLP, source and reporter organisations,
    then delegates to ``resolve_attributes``, ``resolve_objects`` and
    ``add_related_indicators``. As side effects it sets ``self.orgc_name``
    and resets ``self.ttps`` to an empty list before resolving.

    Returns the populated incident.
    """
    incident = Incident(
        id_="{}:incident-{}".format(namespace[1], self.misp_event.uuid),
        title=self.misp_event.info,
    )
    self.set_dates(incident, self.misp_event.date, self.misp_event.publish_timestamp)

    threat_level_name = threat_level_mapping.get(str(self.misp_event.threat_level_id))
    if threat_level_name:
        self.add_journal_entry(
            incident, "Event Threat Level: {}".format(threat_level_name))

    # Tag dict is shared with the attribute/object resolvers; only the
    # event-level tags are recorded here.
    tags = {}
    event_tags = self.misp_event.Tag
    if event_tags:
        tags['event'] = event_tags
        self.set_tag(incident, event_tags)

    incident.add_external_id(
        ExternalID(value=str(self.misp_event.id), source="MISP Event"))

    incident_status_name = status_mapping.get(str(self.misp_event.analysis))
    if incident_status_name is not None:
        incident.status = IncidentStatus(incident_status_name)

    self.set_tlp(incident, self.misp_event.distribution, event_tags)
    self.set_src(incident, self.misp_event.Org.get('name'))
    self.orgc_name = self.misp_event.Orgc.get('name')
    self.set_rep(incident)

    self.ttps = []
    self.resolve_attributes(incident, self.misp_event.attributes, tags)
    self.resolve_objects(incident, tags)
    self.add_related_indicators(incident)
    return incident
def generateSTIXObjects(event):
    """Build a STIX ``Incident`` and TTP list from a MISP event dict (older layout).

    This variant expects the threat level under ``event["ThreatLevel"]["name"]``,
    the attribute list under a top-level ``event["Attribute"]`` and the
    organisation under ``event["Event"]["org"]``.

    Returns ``[incident, ttps]``.
    """
    misp_event = event["Event"]
    ttps = []

    incident = Incident(
        id_=namespace[1] + ":incident-" + misp_event["uuid"],
        title=misp_event["info"],
    )
    setDates(incident, misp_event["date"], int(misp_event["publish_timestamp"]))
    addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])

    incident.add_external_id(ExternalID(value=misp_event["id"], source="MISP Event"))

    status_name = status_mapping.get(misp_event["analysis"])
    if status_name is not None:
        incident.status = IncidentStatus(status_name)

    setTLP(incident, misp_event["distribution"])
    setOrg(incident, misp_event["org"])
    resolveAttributes(incident, ttps, event["Attribute"])
    return [incident, ttps]
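def update_with(self, update_obj, update_timestamp=True):
    """Copy the incident-specific fields of *update_obj* onto this patch.

    The parent ``update_with`` handles the shared fields first; this method
    then rebuilds categories, time, coordinators, intended effects, discovery
    methods and external ids from *update_obj*. ``update_timestamp`` is
    passed through to the parent unchanged.
    """
    super(DBIncidentPatch, self).update_with(update_obj, update_timestamp)

    # Fix: the original set ``self.categories = None`` and then called
    # ``IncidentCategories.from_dict(..., None)`` without keeping the return
    # value, so the categories were never copied. Assign the rebuilt list,
    # matching how ``time`` is handled below.
    self.categories = IncidentCategories.from_dict(update_obj.categories.to_dict())

    if update_obj.time:
        self.time = StixTime.from_dict(update_obj.time.to_dict())
    self.coordinators = update_obj.coordinators

    self.intended_effects = IntendedEffects()
    IntendedEffects.from_dict(update_obj.intended_effects.to_dict(), self.intended_effects)
    self.discovery_methods = DiscoveryMethods()
    DiscoveryMethods.from_dict(update_obj.discovery_methods.to_dict(), self.discovery_methods)

    # Re-wrap each external id so this object does not alias update_obj's instances.
    self.external_ids = [
        ExternalID(ex_id.value, ex_id.source) for ex_id in update_obj.external_ids
    ]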
def _w(cls, draft):
    """Build the object from *draft* via ``wrapped_func`` and add incident-only fields.

    ``wrapped_func`` is a closure variable from the enclosing scope (presumably
    the decorated ``from_draft``). After it returns, this wrapper sets
    categories, time (with the configured timezone appended to each time
    value), external ids and coordinators from the draft dict.
    """
    def drop_if_empty(val):
        # Empty coordinator drafts are passed on as None rather than an empty value.
        return val or None

    target = wrapped_func(cls, draft)
    target.categories = cleanstrings(draft.get('categories'))

    time_draft = draft.get('time')
    for _, time_value in time_draft.iteritems():
        DBIncidentPatch.append_config_timezone(time_value)
    target.time = StixTime()
    StixTime.from_dict(time_draft, target.time)

    target.external_ids = [
        ExternalID(ex_id['id'], ex_id['source'])
        for ex_id in draft.get('external_ids', [])
    ]
    target.coordinators = [
        EdgeInformationSource.from_draft(drop_if_empty(coordinator))
        for coordinator in draft.get('coordinators', [])
    ]
    return target
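def _write_stix_xml(pkg, ofn):
    """Write ``pkg.to_xml()`` to the file *ofn*, or to stdout when *ofn* is falsy.

    Only a file this function opened is closed; the original closed
    ``sys.stdout`` as well, which breaks any later output from the process.
    """
    xml = pkg.to_xml()
    if not ofn:
        sys.stdout.write(xml)
    else:
        with open(ofn, 'wb') as stix_xml:
            stix_xml.write(xml)


def convert_file(ifn, ofn, vcdb):
    """Convert one VERIS 1.3 JSON incident file *ifn* into a STIX package.

    The XML is written to *ofn*, or to stdout when *ofn* is falsy. *vcdb*
    enables handling of the VCDB-specific ``plus`` item. Missing required
    VERIS items are reported through ``error`` and the item is skipped
    (the surrounding ``else`` branches imply ``error`` reports and returns);
    only an unsupported ``schema_version`` aborts the conversion.

    The module-level ``cve_info`` and ``targets_item`` are reset here because
    the item handlers accumulate into them across a single conversion.
    """
    global cve_info
    global targets_item
    cve_info = []
    targets_item = None

    # The context manager closes the file; the original also called close()
    # explicitly inside the with block, which was redundant.
    with open(ifn) as json_data:
        veris_item = json.load(json_data)

    schema_version_item = veris_item.get("schema_version")
    if not schema_version_item:
        error("The 'schema_version' item is required")
    elif schema_version_item not in ("1.3", "1.3.0"):
        error("This converter is for VERIS schema version 1.3. This file has schema version " + schema_version_item)
        return

    pkg = STIXPackage()

    action_item = veris_item.get('action')
    if not action_item:
        error("The 'action' item is required")
    else:
        add_action_item(action_item, pkg)
    # cve_info is presumably filled by the action handlers above.
    add_cve_info(pkg)

    actor_item = veris_item.get('actor')
    if not actor_item:
        error("The 'actor' item is required")
    else:
        add_actor_item(actor_item, pkg)

    incident = Incident()
    pkg.add_incident(incident)

    asset_item = veris_item.get('asset')
    if not asset_item:
        error("The 'asset' item is required")
    else:
        attribute_item = veris_item.get('attribute')
        add_asset_item(asset_item, attribute_item, incident)

    # added as 1.3
    campaign_id_item = veris_item.get('campaign_id')
    if campaign_id_item:
        add_campaign_item(campaign_id_item, pkg)

    confidence_item = veris_item.get('confidence')
    if confidence_item:
        add_confidence_item(confidence_item, incident)

    # control_failure - not found in data
    if veris_item.get('control_failure'):
        warn("'control_failure' item not handled, yet")

    corrective_action_item = veris_item.get('corrective_action')
    cost_corrective_action_item = veris_item.get('cost_corrective_action')
    if corrective_action_item or cost_corrective_action_item:
        add_coa_items(corrective_action_item, cost_corrective_action_item, pkg)

    discovery_method_item = veris_item.get('discovery_method')
    if not discovery_method_item:
        error("The 'discovery_method' item is required")
    else:
        # helper name spelled as defined elsewhere in this module
        incident.add_discovery_method(map_discovey_method(discovery_method_item))

    discovery_notes_item = veris_item.get('discovery_notes')
    if discovery_notes_item:
        warn("'discovery_notes' item not handled yet")

    impact_item = veris_item.get('impact')
    if impact_item:
        add_impact_item(impact_item, incident)

    incident_id_item = veris_item.get('incident_id')
    if not incident_id_item:
        error("The 'incident_id' item is required")
    else:
        incident.add_external_id(ExternalID(value=incident_id_item, source="VERIS"))

    notes_item = veris_item.get('notes')
    if notes_item:
        pkg.stix_header = STIXHeader()
        pkg.stix_header.title = "Notes: " + notes_item

    # plus item for records from VCDB have some known useful information
    if vcdb:
        plus_item = veris_item.get('plus')
        if plus_item:
            add_plus_item(plus_item, incident, pkg)

    # 'related_incidents' was removed as of 1.3 - see campaign_id
    # (add_related_incidents_item is kept for older inputs but not called here).

    security_incident_item = veris_item.get('security_incident')
    if not security_incident_item:
        error("The 'security_incident' item is required")
    else:
        incident.security_compromise = map_security_incident_item_to_security_compromise(security_incident_item)

    reference_item = veris_item.get('reference')
    source_id_item = veris_item.get('source_id')
    if source_id_item or reference_item:
        add_information_source_items(reference_item, source_id_item, schema_version_item, incident)

    summary_item = veris_item.get('summary')
    if summary_item:
        incident.title = summary_item

    # 'targeted' item is not handled.

    timeline_item = veris_item.get('timeline')
    if not timeline_item:
        error("The 'timeline' item is required")
    else:
        add_timeline_item(timeline_item, incident)

    victim_item = veris_item.get('victim')
    if victim_item:
        add_victim_item(victim_item, incident)

    add_related(pkg)
    _write_stix_xml(pkg, ofn)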