def generate_stix_objects(self):
    """Convert ``self.misp_event`` into a STIX 1 ``Incident``.

    Fills in title, dates, a threat-level journal entry, event tags, the MISP
    external id, status, TLP, source org and reputation, then delegates
    attribute/object resolution to the ``resolve_*`` helpers.  Side effects on
    ``self``: ``self.orgc_name`` is set to the creator org name and
    ``self.ttps`` is reset to an empty list for the helpers to append to.

    Returns the populated ``Incident``.
    """
    event = self.misp_event

    # NOTE(review): the id is built from the event UUID by plain concatenation;
    # assumes MISP always supplies a well-formed UUID here -- confirm if events
    # can originate from untrusted feeds.
    incident = Incident(
        id_="{}:incident-{}".format(namespace[1], event.uuid),
        title=event.info,
    )
    self.set_dates(incident, event.date, event.publish_timestamp)

    # Threat level only becomes a journal entry when the id has a mapping.
    level_name = threat_level_mapping.get(str(event.threat_level_id))
    if level_name:
        self.add_journal_entry(incident, "Event Threat Level: {}".format(level_name))

    # Event-level tags are recorded under the 'event' key so the resolve_*
    # helpers can inherit them when building attribute/object tags.
    tags_by_scope = {}
    event_tags = event.Tag
    if event_tags:
        tags_by_scope['event'] = event_tags
        # NOTE(review): grouping of set_tag under this guard was reconstructed
        # from a whitespace-mangled source -- confirm against upstream.
        self.set_tag(incident, event_tags)

    incident.add_external_id(ExternalID(value=str(event.id), source="MISP Event"))

    # Analysis level -> STIX IncidentStatus, skipped when unmapped.
    status_name = status_mapping.get(str(event.analysis))
    if status_name is not None:
        incident.status = IncidentStatus(status_name)

    self.set_tlp(incident, event.distribution, event_tags)
    self.set_src(incident, event.Org.get('name'))
    self.orgc_name = event.Orgc.get('name')
    self.set_rep(incident)

    self.ttps = []
    self.resolve_attributes(incident, event.attributes, tags_by_scope)
    self.resolve_objects(incident, tags_by_scope)
    self.add_related_indicators(incident)
    return incident
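def generateSTIXObjects(event):
    """Convert a raw MISP event (``{"Event": {...}}``) into a STIX 1 Incident.

    Returns ``[incident, ttps]`` where ``ttps`` is the list that
    ``resolveAttributes`` / ``resolveObjects`` append TTPs to.

    ``Tag``, ``Attribute`` and ``Object`` are optional and default to empty
    lists when absent, so an event without tags, attributes or objects still
    exports instead of raising KeyError.  Every other key under ``Event`` is
    required.
    """
    ev = event["Event"]

    # NOTE(review): the incident id concatenates the MISP-supplied uuid without
    # validation; assumes MISP guarantees a well-formed UUID -- confirm if
    # events can come from untrusted feeds.
    incident = Incident(id_=namespace[1] + ":incident-" + ev["uuid"], title=ev["info"])
    setDates(incident, ev["date"], int(ev["publish_timestamp"]))

    # Threat level only becomes a journal entry when the id has a mapping.
    threat_level_name = threat_level_mapping.get(ev["threat_level_id"])
    if threat_level_name:
        addJournalEntry(incident, "Event Threat Level: " + threat_level_name)

    ttps = []
    eventTags = ev.get("Tag", [])

    # Keep the MISP event id as an external reference back to the source.
    incident.add_external_id(ExternalID(value=ev["id"], source="MISP Event"))

    # Analysis level -> STIX IncidentStatus, skipped when unmapped.
    incident_status_name = status_mapping.get(ev["analysis"])
    if incident_status_name is not None:
        incident.status = IncidentStatus(incident_status_name)

    setTLP(incident, ev["distribution"], eventTags)
    setSrc(incident, ev["Org"]["name"])
    orgc_name = ev["Orgc"]["name"]
    setRep(incident, orgc_name)
    setTag(incident, eventTags)

    # Missing collections are treated as empty rather than aborting the export.
    resolveAttributes(incident, ttps, ev.get("Attribute", []), eventTags, orgc_name)
    resolveObjects(incident, ttps, ev.get("Object", []), eventTags, orgc_name)
    return [incident, ttps]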
def generateSTIXObjects(event):
    """Build a STIX 1 Incident from a MISP event dict (legacy export layout).

    Reads ``event["Event"]`` for the core fields,
    ``event["ThreatLevel"]["name"]`` for the journal entry and
    ``event["Attribute"]`` for the attributes to resolve.  Returns
    ``[incident, ttps]``; ``ttps`` is filled by ``resolveAttributes``.
    All keys are required and raise KeyError when missing.
    """
    ev = event["Event"]

    # NOTE(review): id built by concatenating the MISP-supplied uuid; assumes it
    # is always a well-formed UUID -- confirm for untrusted feeds.
    incident_id = namespace[1] + ":incident-" + ev["uuid"]
    incident = Incident(id_=incident_id, title=ev["info"])
    setDates(incident, ev["date"], int(ev["publish_timestamp"]))
    addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])

    # MISP event id kept as an external reference back to the source instance.
    incident.add_external_id(ExternalID(value=ev["id"], source="MISP Event"))

    # Only analysis levels with a known mapping set a STIX status.
    status_name = status_mapping.get(ev["analysis"])
    if status_name is not None:
        incident.status = IncidentStatus(status_name)

    setTLP(incident, ev["distribution"])
    setOrg(incident, ev["org"])

    ttps = []
    resolveAttributes(incident, ttps, event["Attribute"])
    return [incident, ttps]
def generateSTIXObjects(event):
    """Build a STIX 1 Incident from a MISP event dict (legacy export layout).

    Core fields come from ``event["Event"]``, the threat level from
    ``event["ThreatLevel"]["name"]`` and the attributes from
    ``event["Attribute"]``.  Returns ``[incident, ttps]``, where ``ttps`` is
    the list ``resolveAttributes`` appends to.  Missing keys raise KeyError.
    """
    core = event["Event"]
    ttps = []

    # NOTE(review): id built by concatenating the MISP-supplied uuid; assumes it
    # is always a well-formed UUID -- confirm for untrusted feeds.
    incident_kwargs = {
        "id_": namespace[1] + ":incident-" + core["uuid"],
        "title": core["info"],
    }
    incident = Incident(**incident_kwargs)
    setDates(incident, core["date"], int(core["publish_timestamp"]))
    addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])

    # External reference back to the originating MISP event.
    incident.add_external_id(ExternalID(value=core["id"], source="MISP Event"))

    # Analysis level -> STIX IncidentStatus, only when a mapping exists.
    mapped_status = status_mapping.get(core["analysis"], None)
    if mapped_status is not None:
        incident.status = IncidentStatus(mapped_status)

    setTLP(incident, core["distribution"])
    setOrg(incident, core["org"])
    resolveAttributes(incident, ttps, event["Attribute"])
    return [incident, ttps]
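def json2incident(config, src, dest, endpoint, json_, crits_id):
    '''Transform a CRITs event into a STIX Incident with related indicators.

    Args:
        config: sync configuration.  ``config['edge']['sites'][dest]['stix']``
            must provide ``xmlns_url`` and ``xmlns_name``; ``config['logger']``
            must be a logging.Logger-like object.
        src: name of the source (CRITs) site.  Not read here; kept for the
            shared ``json2*`` converter signature.
        dest: name of the destination (Edge) site whose STIX namespace
            prefixes every generated id and idref.
        endpoint: CRITs API endpoint the object came from; only ``'events'``
            is supported.
        json_: raw CRITs event JSON (``title``, ``description``, ``status``,
            ``relationships``).
        crits_id: CRITs object id of the event, embedded in the incident id.

    Returns:
        The populated ``Incident``, or ``None`` when the endpoint is
        unsupported or conversion raised.  Failures are logged rather than
        raised so a batch sync keeps going.
    '''
    logger = config['logger']
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        stix_cfg = config['edge']['sites'][dest]['stix']
        xmlns_name = stix_cfg['xmlns_name']
        set_cybox_id_namespace(Namespace(stix_cfg['xmlns_url'], xmlns_name))

        if endpoint != 'events':
            logger.error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return None

        # CRITs event status -> STIX IncidentStatus vocabulary.  An unknown
        # status raises KeyError, handled below as a conversion error so the
        # incident is dropped rather than emitted with an invalid status.
        status_trans = {'New': 'New', 'In Progress': 'Open',
                        'Analyzed': 'Closed', 'Deprecated': 'Rejected'}
        # CRITs top-level types that the sync exports as CybOX Observables.
        observable_types = ('Sample', 'Email', 'IP', 'Domain')

        # NOTE(review): ids and idrefs are built by concatenating CRITs-supplied
        # values with no validation.  The result is only a valid STIX/XML id if
        # crits_id and r['value'] are CRITs ObjectIds (hex) -- confirm.
        incident_ = Incident()
        incident_.id = xmlns_name + ':incident-' + crits_id
        incident_.id_ = incident_.id
        incident_.title = json_['title']
        incident_.description = json_['description']
        incident_.status = status_trans[json_['status']]
        # TODO: map json_['confidence']['rating'].capitalize() onto
        # incident_.confidence (left disabled upstream).

        for r in json_['relationships']:
            rel = r.get('relationship', None)
            if rel not in ('Contains', 'Related_To'):
                logger.error(
                    log.log_messages['unsupported_object_error'].format(
                        type_='crits',
                        obj_type='event relationship type ' + str(rel),
                        id_=crits_id))
                continue

            rtype = r['type']
            if rtype in observable_types:
                incident_.related_observables.append(RelatedObservable(
                    Observable(idref=xmlns_name + ':observable-' + r['value'])))
            elif rtype == 'Indicator':
                incident_.related_indicators.append(RelatedIndicator(
                    Indicator(idref=xmlns_name + ':indicator-' + r['value'])))
            elif rtype == 'Event':
                incident_.related_incidents.append(RelatedIncident(
                    Incident(idref=xmlns_name + ':incident-' + r['value'])))
            else:
                # Previously dropped silently; log it so a relationship missing
                # on the Edge side can be traced back to its CRITs type.
                logger.error(
                    log.log_messages['unsupported_object_error'].format(
                        type_='crits',
                        obj_type='event relationship to ' + str(rtype),
                        id_=crits_id))
        return incident_
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt still
        # propagate.  ``exception()`` records the traceback with the message.
        logger.exception(
            log.log_messages['obj_convert_error'].format(
                src_type='crits', src_obj='event', id_=crits_id,
                dest_type='stix', dest_obj='incident'))
        return None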
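def buildIncident(input_dict):
    """Build a STIX Incident from one flattened breach-report submission.

    Keys read unconditionally: ``description``, ``timestamp`` (``YYYY-MM-DD``),
    ``submitter``, ``organization``, ``damage``.  Keys read but applied only
    when truthy: ``confidence``, ``responder``, ``coordinator``, ``intent``,
    ``discovery``, ``status``, ``compromise``, ``asset``.  Every key must be
    present (a missing one raises KeyError); an empty value skips the field.

    Returns the populated ``Incident``.  Raises ``ValueError`` when
    ``timestamp`` does not match ``%Y-%m-%d``.
    """
    # The form only records when the report was submitted, so that one date
    # stands in for both the reporter's produced_time and the incident
    # discovery time.  Parsed once instead of twice as before.
    submitted = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d")

    incident = Incident()
    incident.title = "Breach of " + input_dict['organization']
    incident.description = input_dict['description']
    if input_dict['confidence']:
        incident.confidence = input_dict['confidence']

    # Reporter: who submitted the form and when.
    reporter = InformationSource()
    reporter.description = "Person who reported the incident"
    reporter.time = Time()
    reporter.time.produced_time = submitted
    reporter.identity = Identity()
    reporter.identity.name = input_dict['submitter']
    incident.reporter = reporter

    # Incident time is a composite of several "when did X happen" fields; only
    # discovery is set here, approximated by the submission date.
    incident.time = incidentTime()
    incident.time.incident_discovery = submitted

    # Optional fields: (form key, Incident attribute), set only when supplied.
    optional_fields = (
        ('responder', 'responders'),
        ('coordinator', 'coordinators'),
        ('intent', 'intended_effects'),
        ('discovery', 'discovery_methods'),
        ('status', 'status'),
        ('compromise', 'security_compromise'),
    )
    for key, attr in optional_fields:
        value = input_dict[key]
        if value:
            setattr(incident, attr, value)

    impact = ImpactAssessment()
    impact.add_effect(input_dict['damage'])
    incident.impact_assessment = impact

    if input_dict['asset']:
        asset = AffectedAsset()
        asset.type_ = input_dict['asset']
        incident.add_affected_asset(asset)

    # The reporting organization is recorded as the victim.
    incident.add_victim(input_dict['organization'])
    return incident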
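def json2incident(config, src, dest, endpoint, json_, crits_id):
    '''Transform a CRITs event into a STIX Incident with related indicators.

    Args:
        config: sync configuration.  ``config['edge']['sites'][dest]['stix']``
            must provide ``xmlns_url`` and ``xmlns_name``; ``config['logger']``
            must be a logging.Logger-like object.
        src: name of the source (CRITs) site.  Not read here; kept for the
            shared ``json2*`` converter signature.
        dest: name of the destination (Edge) site whose STIX namespace
            prefixes every generated id and idref.
        endpoint: CRITs API endpoint the object came from; only ``'events'``
            is supported.
        json_: raw CRITs event JSON (``title``, ``description``, ``status``,
            ``relationships``).
        crits_id: CRITs object id of the event, embedded in the incident id.

    Returns:
        The populated ``Incident``, or ``None`` when the endpoint is
        unsupported or conversion raised.  Failures are logged rather than
        raised so a batch sync keeps going.
    '''
    logger = config['logger']
    try:
        set_id_method(IDGenerator.METHOD_UUID)
        stix_cfg = config['edge']['sites'][dest]['stix']
        xmlns_name = stix_cfg['xmlns_name']
        set_cybox_id_namespace(Namespace(stix_cfg['xmlns_url'], xmlns_name))

        if endpoint != 'events':
            logger.error(
                log.log_messages['unsupported_object_error'].format(
                    type_='crits', obj_type=endpoint, id_=crits_id))
            return None

        # CRITs event status -> STIX IncidentStatus vocabulary.  An unknown
        # status raises KeyError, handled below as a conversion error so the
        # incident is dropped rather than emitted with an invalid status.
        status_trans = {
            'New': 'New',
            'In Progress': 'Open',
            'Analyzed': 'Closed',
            'Deprecated': 'Rejected',
        }
        # CRITs top-level types that the sync exports as CybOX Observables.
        observable_types = ('Sample', 'Email', 'IP', 'Domain')

        # NOTE(review): ids and idrefs are built by concatenating CRITs-supplied
        # values with no validation.  The result is only a valid STIX/XML id if
        # crits_id and r['value'] are CRITs ObjectIds (hex) -- confirm.
        incident_ = Incident()
        incident_.id = xmlns_name + ':incident-' + crits_id
        incident_.id_ = incident_.id
        incident_.title = json_['title']
        incident_.description = json_['description']
        incident_.status = status_trans[json_['status']]
        # TODO: map json_['confidence']['rating'].capitalize() onto
        # incident_.confidence (left disabled upstream).

        for r in json_['relationships']:
            rel = r.get('relationship', None)
            if rel not in ('Contains', 'Related_To'):
                logger.error(
                    log.log_messages['unsupported_object_error'].format(
                        type_='crits',
                        obj_type='event relationship type ' + str(rel),
                        id_=crits_id))
                continue

            rtype = r['type']
            if rtype in observable_types:
                incident_.related_observables.append(RelatedObservable(
                    Observable(idref=xmlns_name + ':observable-' + r['value'])))
            elif rtype == 'Indicator':
                incident_.related_indicators.append(RelatedIndicator(
                    Indicator(idref=xmlns_name + ':indicator-' + r['value'])))
            elif rtype == 'Event':
                incident_.related_incidents.append(RelatedIncident(
                    Incident(idref=xmlns_name + ':incident-' + r['value'])))
            else:
                # Previously dropped silently; log it so a relationship missing
                # on the Edge side can be traced back to its CRITs type.
                logger.error(
                    log.log_messages['unsupported_object_error'].format(
                        type_='crits',
                        obj_type='event relationship to ' + str(rtype),
                        id_=crits_id))
        return incident_
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit/KeyboardInterrupt still
        # propagate.  ``exception()`` records the traceback with the message.
        logger.exception(
            log.log_messages['obj_convert_error'].format(
                src_type='crits', src_obj='event', id_=crits_id,
                dest_type='stix', dest_obj='incident'))
        return None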