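def isight_process_alert_content_element(a_json):
    """
    Parse an iSight alert into a pySightReport and map it onto an
    existing MISP event.

    A copy of the raw alert is appended to ``reports/<reportId>``.  The
    report ID comes from the remote feed, so it is only accepted as a plain
    file name; anything else is logged and the copy is skipped.

    :param a_json: iSight alert as a JSON-like dict (as delivered by the feed)
    :type a_json: dict
    :return: ``None`` on success, ``False`` when an error was handled by
             ``error_handling``
    """
    try:
        # get a misp instance per thread
        this_misp_instance = get_misp_instance()
        # without a MISP instance this does not make sense
        if this_misp_instance is False:
            raise ValueError("no MISP instance found")

        threadLimiter.acquire()
        try:
            # parsing of json to the pySightReport
            isight_report_instance = pySightReport(a_json)
            report_id = isight_report_instance.reportId
            # This comment will be added to every attribute for reference
            auto_comment = "pySightMisp " + report_id

            # Only a bare file name is allowed: the ID is attacker-influenced
            # input and must not be able to escape the "reports" directory.
            is_plain_name = (
                bool(report_id)
                and os.path.basename(report_id) == report_id
                and report_id not in (".", "..")
            )
            if is_plain_name:
                os.makedirs("reports", exist_ok=True)
                with open(os.path.join("reports", report_id), 'a', encoding="utf-8") as f:
                    f.write(json.dumps(a_json, sort_keys=True, indent=4, separators=(',', ': ')))
            else:
                PySight_settings.logger.error(
                    "refusing to write report copy: unexpected report ID %r", report_id)

            PySight_settings.logger.debug(
                "checking for previous events with report ID %s", report_id)
            event = misp_check_for_previous_events(this_misp_instance, isight_report_instance)
            if not event:
                # No event is created here; the alert is dropped after logging.
                PySight_settings.logger.error("no event! need to create a new one")
            elif not is_map_alert_to_event(this_misp_instance, event,
                                           isight_report_instance, auto_comment):
                # attaching the data to the previously found event failed
                PySight_settings.logger.error("Something went wrong with event mapping")
        finally:
            # release the limiter even when parsing or mapping raised,
            # otherwise the slot would be lost for the rest of the run
            threadLimiter.release()
    except AttributeError as e:
        error_handling(e, a_string="Attribute Error")
        return False
    except TypeError as e:
        error_handling(e, a_string="Type Error:")
        return False
    except Exception as e:
        error_handling(e, a_string="General Error:")
        return False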
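def process_isight_indicator(isight_json, event_tags, t_semaphore, t_lock):
    """
    Parse an iSight report into a pySightReport and map it onto a MISP
    event, creating the event when none exists for its report ID.

    NOTE(review): a later definition in this file reuses the name
    ``process_isight_indicator`` with a different signature and shadows
    this one once the module is fully imported.

    :param isight_json: iSight report as a dict; must contain ``reportId``
    :param event_tags: tags handed to ``create_misp_event`` for a new event
    :param t_semaphore: semaphore bounding the number of concurrent workers
    :param t_lock: lock serialising the "look up event / create event" step
    :return: ``None`` on success, ``False`` when an error was handled by
             ``error_handling``
    """
    # Acquire a semaphore (decrease the counter in the semaphore).
    t_semaphore.acquire()
    try:
        PySight_settings.logger.debug(
            "Starting thread number %s out of max. %s threads",
            threading.active_count(), PySight_settings.NUMBER_THREADS)
        PySight_settings.logger.debug('Processing report %s', isight_json['reportId'])
        try:
            # Get a MISP instance per thread
            this_misp_instance = get_misp_instance()
            # Without a MISP instance this does not make sense
            if this_misp_instance is False:
                raise ValueError("No MISP instance found.")

            # Parse the FireEye iSight report
            isight_report_instance = pySightReport(isight_json)
            report_id = isight_report_instance.reportId

            # If in DEBUG mode, write the iSight report to a file
            if PySight_settings.DEBUG_MODE:
                # The report ID is feed-supplied input; only a bare file name
                # may be used so it cannot escape the "reports" directory.
                is_plain_name = (
                    bool(report_id)
                    and os.path.basename(report_id) == report_id
                    and report_id not in (".", "..")
                )
                if is_plain_name:
                    # exist_ok avoids the check-then-create race between threads
                    os.makedirs("reports", exist_ok=True)
                    with open(os.path.join("reports", report_id), 'a', encoding="utf-8") as f:
                        f.write(json.dumps(isight_json, sort_keys=True, indent=4,
                                           separators=(',', ': ')))
                else:
                    PySight_settings.logger.error(
                        "Refusing to write report copy: unexpected report ID %r", report_id)

            # Serialise lookup-and-create so parallel threads cannot create
            # separate MISP events for one iSight report.  The lock is
            # released in ``finally`` so a failing lookup/create cannot
            # deadlock every other worker.
            t_lock.acquire()
            try:
                # Check whether we already have an event for this reportID.
                PySight_settings.logger.debug(
                    'Checking for existing event with report ID %s', report_id)
                event_id = misp_check_for_previous_event(this_misp_instance,
                                                         isight_report_instance)
                if not event_id:
                    # Create a new MISP event
                    PySight_settings.logger.debug(
                        'No event found for report ID %s -- will create a new one', report_id)
                    create_misp_event(this_misp_instance, isight_report_instance, event_tags)
            finally:
                t_lock.release()

            if event_id:
                # Add the data to the found event (outside the lock, as before)
                event = this_misp_instance.get_event(event_id, pythonify=True)
                update_misp_event(this_misp_instance, event, isight_report_instance)
        except AttributeError as e_attribute_error:
            error_handling(e_attribute_error, a_string="Attribute Error")
            return False
        except TypeError as e_type_error:
            error_handling(e_type_error, a_string="Type Error:")
            return False
        except Exception as e_exception:
            error_handling(e_exception, a_string="General Error:")
            return False
    finally:
        # Release the semaphore on every exit path, handled error or not.
        t_semaphore.release()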
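def process_isight_indicator(a_json):
    """
    Parse an iSight report into a pySightReport and map it onto a MISP
    event, creating the event when none exists for its report ID.

    NOTE(review): this definition reuses the name of an earlier
    ``process_isight_indicator`` in this file and shadows it.

    :param a_json: iSight report as a JSON-like dict
    :type a_json: dict
    :return: ``None`` on success, ``False`` when an error was handled by
             ``error_handling``
    """
    try:
        # Get a MISP instance per thread
        this_misp_instance = get_misp_instance()
        # Stray debug prints replaced by the configured logger.
        PySight_settings.logger.debug("MISP instance obtained: %s", this_misp_instance)
        # Without a MISP instance this does not make sense
        if this_misp_instance is False:
            raise ValueError("No MISP instance found.")

        # Acquire a semaphore (decrease the counter in the semaphore).
        if PySight_settings.use_threading:
            thread_limiter.acquire()
        try:
            # Parse the FireEye iSight report
            isight_report_instance = pySightReport(a_json)
            report_id = isight_report_instance.reportId

            # If in DEBUG mode, write the iSight report to a file.
            if PySight_settings.debug_mode:
                # The report ID is feed-supplied input; only a bare file name
                # may be used so it cannot escape the "reports" directory.
                is_plain_name = (
                    bool(report_id)
                    and os.path.basename(report_id) == report_id
                    and report_id not in (".", "..")
                )
                if is_plain_name:
                    # exist_ok avoids the check-then-create race between threads
                    os.makedirs("reports", exist_ok=True)
                    with open(os.path.join("reports", report_id), 'a', encoding="utf-8") as f:
                        f.write(json.dumps(a_json, sort_keys=True, indent=4,
                                           separators=(',', ': ')))
                else:
                    PySight_settings.logger.error(
                        "Refusing to write report copy: unexpected report ID %r", report_id)

            # Check whether we already have an event for this reportID.
            PySight_settings.logger.debug(
                'Checking for existing event with report ID %s', report_id)
            event_id = misp_check_for_previous_event(this_misp_instance, isight_report_instance)
            if not event_id:
                # Create a new MISP event
                PySight_settings.logger.debug(
                    'No event found for report ID %s -- will create a new one', report_id)
                create_misp_event(this_misp_instance, isight_report_instance)
            else:
                # Add the data to the found event
                event = this_misp_instance.get_event(event_id, pythonify=True)
                update_misp_event(this_misp_instance, event, isight_report_instance)
        finally:
            # Release the semaphore (increase the counter) even when the
            # body raised; otherwise the slot is lost for the rest of the run.
            if PySight_settings.use_threading:
                thread_limiter.release()
    except AttributeError as e_attribute_error:
        error_handling(e_attribute_error, a_string="Attribute Error")
        return False
    except TypeError as e_type_error:
        error_handling(e_type_error, a_string="Type Error:")
        return False
    except Exception as e_exception:
        error_handling(e_exception, a_string="General Error:")
        return False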