def generateSTIXObjects(event):
incident = Incident(id_=namespace[1] + ":incident-" +
event["Event"]["uuid"],
title=event["Event"]["info"])
setDates(incident, event["Event"]["date"],
int(event["Event"]["publish_timestamp"]))
threat_level_name = threat_level_mapping.get(
event["Event"]["threat_level_id"], None)
if threat_level_name:
addJournalEntry(incident, "Event Threat Level: " + threat_level_name)
ttps = []
eventTags = event["Event"].get("Tag", [])
external_id = ExternalID(value=event["Event"]["id"], source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(event["Event"]["analysis"], None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
setTLP(incident, event["Event"]["distribution"], eventTags)
setSrc(incident, event["Event"]["Org"]["name"])
orgc_name = event["Event"]["Orgc"]["name"]
setRep(incident, orgc_name)
setTag(incident, eventTags)
resolveAttributes(incident, ttps, event["Event"]["Attribute"], eventTags,
orgc_name)
resolveObjects(incident, ttps, event["Event"]["Object"], eventTags,
orgc_name)
return [incident, ttps]
def generate_stix_objects(self):
incident_id = "{}:incident-{}".format(namespace[1], self.misp_event.uuid)
incident = Incident(id_=incident_id, title=self.misp_event.info)
self.set_dates(incident, self.misp_event.date, self.misp_event.publish_timestamp)
threat_level_name = threat_level_mapping.get(str(self.misp_event.threat_level_id), None)
if threat_level_name:
threat_level_s = "Event Threat Level: {}".format(threat_level_name)
self.add_journal_entry(incident, threat_level_s)
Tags = {}
event_tags = self.misp_event.Tag
if event_tags:
Tags['event'] = event_tags
self.set_tag(incident, event_tags)
external_id = ExternalID(value=str(self.misp_event.id), source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(str(self.misp_event.analysis), None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
self.set_tlp(incident, self.misp_event.distribution, event_tags)
self.set_src(incident, self.misp_event.Org.get('name'))
self.orgc_name = self.misp_event.Orgc.get('name')
self.set_rep(incident)
self.ttps = []
self.resolve_attributes(incident, self.misp_event.attributes, Tags)
self.resolve_objects(incident, Tags)
self.add_related_indicators(incident)
return incident
def status(self, value):
if not value:
self._status = None
elif isinstance(value, VocabString):
self._status = value
else:
self._status = IncidentStatus(value=value)
def generateSTIXObjects(event):
incident = Incident(id_ = namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"])
setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"]))
addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])
ttps = []
external_id = ExternalID(value=event["Event"]["id"], source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(event["Event"]["analysis"], None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
setTLP(incident, event["Event"]["distribution"])
setOrg(incident, event["Event"]["org"])
resolveAttributes(incident, ttps, event["Attribute"])
return [incident, ttps]