def json2indicator(config, src, dest, endpoint, json_, crits_id): '''transform crits indicators into stix indicators with embedded cybox observable composition''' try: set_id_method(IDGenerator.METHOD_UUID) xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url'] xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name'] set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name)) if endpoint == 'indicators': endpoint_trans = {'Email': 'emails', 'IP': 'ips', 'Sample': 'samples', 'Domain': 'domains', 'Indicator': 'indicators', 'Event': 'events'} if json_.get('type', None) not in ['Reference', 'Related_To']: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type='indicator type ' + json_.get('type', 'None'), id_=crits_id)) return(None) indicator_ = Indicator() indicator_.id = xmlns_name + ':indicator-' + crits_id indicator_.id_ = indicator_.id indicator_.title = json_['value'] indicator_.confidence = json_['confidence']['rating'].capitalize() indicator_.add_indicator_type('Malware Artifacts') observable_composition_ = ObservableComposition() observable_composition_.operator = \ indicator_.observable_composition_operator for r in json_['relationships']: if r.get('relationship', None) not in ['Contains', 'Related_To']: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type='indicator relationship type ' + r.get('relationship', 'None'), id_=crits_id)) continue if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']: observable_ = Observable() observable_.idref = xmlns_name + ':observable-' + r['value'] observable_composition_.add(observable_) elif r['type'] == 'Indicator': related_indicator = RelatedIndicator(Indicator(idref=xmlns_name + ':indicator-' + r['value'])) indicator_.related_indicators.append(related_indicator) # stix indicators don't support related_incident :-( # elif r['type'] == 'Event': # related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value'])) # indicator_.related_incidents.append(related_incident) indicator_.observable = Observable() indicator_.observable.observable_composition = \ observable_composition_ return(indicator_) else: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type=endpoint, id_=crits_id)) return(None) except: e = sys.exc_info()[0] config['logger'].error(log.log_messages['obj_convert_error'].format( src_type='crits', src_obj='indicator', id_=crits_id, dest_type='stix', dest_obj='indicator')) config['logger'].exception(e) return(None)
def json2indicator(config, src, dest, endpoint, json_, crits_id): '''transform crits indicators into stix indicators with embedded cybox observable composition''' try: set_id_method(IDGenerator.METHOD_UUID) xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url'] xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name'] set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name)) if endpoint == 'indicators': endpoint_trans = { 'Email': 'emails', 'IP': 'ips', 'Sample': 'samples', 'Domain': 'domains', 'Indicator': 'indicators', 'Event': 'events' } if json_.get('type', None) not in ['Reference', 'Related_To']: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type='indicator type ' + json_.get('type', 'None'), id_=crits_id)) return (None) indicator_ = Indicator() indicator_.id = xmlns_name + ':indicator-' + crits_id indicator_.id_ = indicator_.id indicator_.title = json_['value'] indicator_.confidence = json_['confidence']['rating'].capitalize() indicator_.add_indicator_type('Malware Artifacts') observable_composition_ = ObservableComposition() observable_composition_.operator = \ indicator_.observable_composition_operator for r in json_['relationships']: if r.get('relationship', None) not in ['Contains', 'Related_To']: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type='indicator relationship type ' + r.get('relationship', 'None'), id_=crits_id)) continue if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']: observable_ = Observable() observable_.idref = xmlns_name + ':observable-' + r['value'] observable_composition_.add(observable_) elif r['type'] == 'Indicator': related_indicator = RelatedIndicator( Indicator(idref=xmlns_name + ':indicator-' + r['value'])) indicator_.related_indicators.append(related_indicator) # stix indicators don't support related_incident :-( # elif r['type'] == 'Event': # related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value'])) # indicator_.related_incidents.append(related_incident) indicator_.observable = Observable() indicator_.observable.observable_composition = \ observable_composition_ return (indicator_) else: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type=endpoint, id_=crits_id)) return (None) except: e = sys.exc_info()[0] config['logger'].error(log.log_messages['obj_convert_error'].format( src_type='crits', src_obj='indicator', id_=crits_id, dest_type='stix', dest_obj='indicator')) config['logger'].exception(e) return (None)