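def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags):
    """Build a MISPEvent (plus per-attribute hash keys) from TIE observations.

    Args:
        deduplicated_observations: mapping whose values are observation dicts
            read for 'value', 'categories', 'actors', 'families', 'sources',
            'max_severity', 'max_confidence' and 'min_confidence'.
        conf: settings object read for event_published, org_name, org_uuid,
            event_base_thread_level, attr_to_ids and attr_to_ids_threshold.
        tags: event-level tag list; attached only when non-empty.
        attr_tags: object with per-category tag lists (c2tags, malwaretags,
            espionagetags, bottags, whitelisttags, cybercrimetags,
            phishingtags); an empty list leaves the attribute untagged for
            that category.

    Returns:
        A ``(event, attr_hashes)`` pair. ``attr_hashes`` is a list of
        ``[md5_hex_of_value, event_uuid]`` pairs, one per attribute added,
        returned to the caller alongside the event.
    """
    dt = datetime.now()
    # One epoch-seconds string for every timestamp field. ``int(dt.timestamp())``
    # replaces ``strftime("%s")``, which is a glibc extension and not portable
    # (it yields an empty string or raises on other platforms).
    epoch = str(int(dt.timestamp()))

    event = MISPEvent()
    event.info = dt.strftime("%Y%m%d ") + 'TIE'
    event.publish_timestamp = epoch
    event.timestamp = epoch
    event['timestamp'] = epoch
    event.analysis = 2  # MISP analysis level 2 = "completed"
    event.published = conf.event_published

    orgc = MISPOrganisation()
    orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid}))
    event.orgc = orgc
    event.threat_level_id = conf.event_base_thread_level
    event.date = dt
    # uuid4 is random; uuid1 would embed the generating host's MAC address and
    # clock in an identifier that is shared with every consumer of the event.
    event['uuid'] = str(uuid.uuid4())
    if tags:
        event['Tag'] = tags

    # (category name, attr_tags attribute) in precedence order. When an
    # observation carries several of these categories the LAST match wins,
    # which preserves the behaviour of the original chain of ``if``s.
    category_tag_fields = (
        ('c2-server', 'c2tags'),
        ('malware', 'malwaretags'),
        ('espionage', 'espionagetags'),
        ('bot', 'bottags'),
        ('whitelist', 'whitelisttags'),
        ('cybercrime', 'cybercrimetags'),
        ('phishing', 'phishingtags'),
    )

    attr_hashes = []
    for attr in deduplicated_observations.values():
        misp_attr = MISPAttribute()
        misp_attr.timestamp = epoch
        misp_attr['timestamp'] = epoch
        misp_attr.type = get_Attribute_Type(attr)
        misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type)

        for category, field in category_tag_fields:
            if category in attr['categories']:
                category_tags = getattr(attr_tags, field)
                if category_tags:
                    misp_attr['Tag'] = category_tags

        misp_attr.category = get_Attribute_Category(attr)
        # The IDS flag is set only when the feature is enabled and the
        # observation's weakest confidence still clears the threshold.
        misp_attr.to_ids = bool(
            conf.attr_to_ids
            and attr['min_confidence'] >= conf.attr_to_ids_threshold
        )
        misp_attr['comment'] = (
            'categories: ' + str(attr['categories'])
            + ' actors: ' + str(attr['actors'])
            + ' families: ' + str(attr['families'])
            + ' sources: ' + str(attr['sources'])
            + ' severity: ' + str(attr['max_severity'])
            + ' confidence: ' + str(attr['max_confidence'])
        )
        misp_attr.edited = False
        event.add_attribute(**(misp_attr.to_dict()))
        # MD5 serves only as a short lookup key for the value, not as an
        # integrity mechanism; it is kept so existing consumers of
        # attr_hashes keep matching.
        attr_hashes.append([
            hashlib.md5(attr['value'].encode("utf-8")).hexdigest(),
            event['uuid'],
        ])

    event.edited = False
    return event, attr_hashes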
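def ip_attribute(category, type, value):
    """Build a MISPAttribute for an RST Cloud IP indicator record.

    Args:
        category: MISP attribute category to assign.
        type: MISP attribute type to assign (the name shadows the builtin but
            is kept for existing callers).
        value: RST Cloud indicator record; read for 'ip' (v4/v6), 'asn',
            'src', 'fseen', 'lseen', 'collect', 'score', 'tags', 'geo'
            and 'fp'. Tag text is taken verbatim from these feed fields.

    Returns:
        The populated MISPAttribute. ``attribute.value`` is set only when the
        record carries an IPv4 or IPv6 address; callers should not assume it
        is present otherwise.
    """
    attribute = MISPAttribute()
    attribute.category = category
    attribute.org = "RST Cloud"
    attribute.type = type

    asn = value['asn']
    ip = value['ip']
    # IPv4 takes precedence; IPv6 is used only when no v4 address is present.
    if ip and ip['v4']:
        attribute.value = ip['v4']
        attribute.add_tag("rstcloud:asn:firstip=" + str(asn['firstip']['netv4']))
        attribute.add_tag("rstcloud:asn:lastip=" + str(asn['lastip']['netv4']))
    elif ip and ip['v6']:
        attribute.value = ip['v6']
        attribute.add_tag("rstcloud:asn:firstip=" + str(asn['firstip']['netv6']))
        attribute.add_tag("rstcloud:asn:lastip=" + str(asn['lastip']['netv6']))
    # NOTE(review): emitted unconditionally here; if the intent is to tag only
    # records that carry an address, move it into the branches above.
    attribute.add_tag("rstcloud:asn:number=" + str(asn['num']))

    attribute.comment = listToString(value['src']['str'])
    attribute.first_seen = value['fseen']
    attribute.last_seen = value['lseen']
    attribute.timestamp = value['collect']
    # distribution_level is a module-level setting defined outside this block.
    attribute.distribution = distribution_level

    attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
    for rsttag in value['tags']['str']:
        attribute.add_tag("rstcloud:tag=" + str(rsttag))
    if asn['cloud']:
        attribute.add_tag("rstcloud:cloudprovider=" + str(asn['cloud']))
    if asn['domains']:
        attribute.add_tag("rstcloud:number_of_hosted_domains=" + str(asn['domains']))
    attribute.add_tag("rstcloud:org=" + str(asn['org']))
    attribute.add_tag("rstcloud:isp=" + str(asn['isp']))

    geo = value['geo']
    attribute.add_tag("rstcloud:geo.city=" + str(geo['city']))
    attribute.add_tag("rstcloud:geo.region=" + str(geo['region']))
    attribute.add_tag("rstcloud:geo.country=" + str(geo['country']))
    # The score:total tag was previously added a second time here; the
    # duplicate is dropped.
    attribute.add_tag("rstcloud:false-positive:alarm=" + str(value['fp']['alarm']))
    if value['fp']['descr']:
        attribute.add_tag("rstcloud:false-positive:description=" + str(value['fp']['descr']))
    return attribute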
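def domain_attribute(category, type, value):
    """Build a MISPAttribute for an RST Cloud domain indicator record.

    Args:
        category: MISP attribute category to assign.
        type: MISP attribute type to assign (the name shadows the builtin but
            is kept for existing callers).
        value: RST Cloud indicator record; read for 'domain', 'src', 'fseen',
            'lseen', 'collect', 'score', 'tags', 'resolved' (whois) and 'fp'.
            Tag text is taken verbatim from these feed fields.

    Returns:
        The populated MISPAttribute.
    """
    attribute = MISPAttribute()
    attribute.category = category
    attribute.type = type
    attribute.value = value['domain']
    attribute.comment = listToString(value['src']['str'])
    attribute.first_seen = value['fseen']
    attribute.last_seen = value['lseen']
    attribute.timestamp = value['collect']
    # distribution_level is a module-level setting defined outside this block.
    attribute.distribution = distribution_level

    attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
    for rsttag in value['tags']['str']:
        attribute.add_tag("rstcloud:tag=" + str(rsttag))

    resolved = value['resolved']
    whois = resolved['whois'] if resolved else None
    if whois:
        # Date tags are only meaningful once the record reports a positive age.
        if whois['age'] > 0:
            attribute.add_tag("rstcloud:whois:created=" + str(whois['created']))
            attribute.add_tag("rstcloud:whois:updated=" + str(whois['updated']))
            attribute.add_tag("rstcloud:whois:expires=" + str(whois['expires']))
            attribute.add_tag("rstcloud:whois:age=" + str(whois['age']))
        registrar = whois['registrar']
        if registrar and registrar != 'unknown':
            attribute.add_tag("rstcloud:whois:registrar=" + str(registrar))
        # Fixed: the original tested ``registrar`` for truthiness on this
        # branch, so a record with a registrar but no registrant produced a
        # "registrant=None" tag and one with a registrant but no registrar
        # lost the tag entirely.
        registrant = whois['registrant']
        if registrant and registrant != 'unknown':
            attribute.add_tag("rstcloud:whois:registrant=" + str(registrant))

    # The score:total tag was previously added a second time here; the
    # duplicate is dropped.
    attribute.add_tag("rstcloud:false-positive:alarm=" + str(value['fp']['alarm']))
    if value['fp']['descr']:
        attribute.add_tag("rstcloud:false-positive:description=" + str(value['fp']['descr']))
    return attribute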