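def create_misp_event(misp_instance, isight_report_instance):
    """Create a new MISP event for an iSight report that has no event yet.

    Builds a ``MISPEvent`` from the report's publication date, risk rating and
    title, pushes it to ``misp_instance``, applies the default tags and then
    delegates attribute creation to ``update_misp_event``.

    Args:
        misp_instance: PyMISP client used to add and tag the event.
        isight_report_instance: Report object exposing ``publishDate`` (epoch
            seconds, or falsy when unknown), ``riskRating``, ``title``,
            ``reportId`` and ``Id``.

    Returns:
        None. The created event is handed to ``update_misp_event``.
    """
    # Both branches now produce a UTC-based date. Previously the report date
    # was converted in host-local time while the fallback used UTC, so the
    # event date could differ by a day depending on where the script ran.
    if isight_report_instance.publishDate:
        date = datetime.datetime.fromtimestamp(
            isight_report_instance.publishDate, tz=datetime.timezone.utc)
    else:
        # iSight did not provide a publication date: fall back to "now".
        date = datetime.datetime.now(datetime.timezone.utc)

    # MISP threat levels: 1 = High, 2 = Medium, 3 = Low, 4 = Undefined.
    # CRITICAL and HIGH both map to High because MISP has no "critical" level.
    # The lookup is case-insensitive, so the original 'CRITICAL'/'Critical'
    # pairs keep working and lower-case ratings are accepted as well; any
    # other value (including None) is Undefined, as before.
    threat_levels = {'CRITICAL': 1, 'HIGH': 1, 'MEDIUM': 2, 'LOW': 3}
    rating = str(isight_report_instance.riskRating or '').upper()

    print('****create new event*****')
    event = MISPEvent()
    event.distribution = 1  # This community only
    event.threat_level_id = threat_levels.get(rating, 4)
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    print("#######Push event to MISP server####", my_event)
    PySilo_settings.logger.debug('Created MISP event %s for iSight report %s',
                                 event, isight_report_instance.reportId)

    # Add default tags to the event.
    misp_instance.tag(my_event, 'Source:SILOBREAKER')
    misp_instance.tag(my_event, 'CTI feed: SILOBREAKER')
    misp_instance.tag(my_event, 'tlp:amber')
    # NOTE(review): PyMISP's tag() is tag(entity, tag, local=False); the report
    # ID passed as the third positional argument therefore lands in ``local``
    # and is not part of the tag text -- confirm whether a tag such as
    # 'report id: <Id>' was intended. Kept unchanged to preserve behaviour.
    misp_instance.tag(my_event, 'report id', isight_report_instance.Id)

    # ThreatScape-based tagging (VERIS / basf taxonomies) is deliberately not
    # applied in this variant; attributes are added by update_misp_event.
    update_misp_event(misp_instance, my_event, isight_report_instance)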
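def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags):
    """Build a MISP event from a set of deduplicated TIE observations.

    Args:
        deduplicated_observations: Mapping whose values are observation dicts
            with at least ``value``, ``categories``, ``actors``, ``families``,
            ``sources``, ``max_severity``, ``min_confidence`` and
            ``max_confidence``.
        conf: Settings object providing ``event_published``, ``org_name``,
            ``org_uuid``, ``event_base_thread_level``, ``attr_to_ids`` and
            ``attr_to_ids_threshold``.
        tags: Event-level tag list; attached only when non-empty.
        attr_tags: Object whose ``c2tags``, ``malwaretags``, ``espionagetags``,
            ``bottags``, ``whitelisttags``, ``cybercrimetags`` and
            ``phishingtags`` attributes hold the per-category attribute tags.

    Returns:
        Tuple ``(event, attr_hashes)``: the populated ``MISPEvent`` and a list
        of ``[md5_hex_of_value, event_uuid]`` pairs, one per attribute.
    """
    now = datetime.now()
    # Epoch seconds as a string. ``strftime("%s")`` is a glibc extension that
    # raises on platforms without it; ``timestamp()`` on a naive datetime is
    # interpreted in local time exactly as ``%s`` is, so the value is the same.
    epoch = str(int(now.timestamp()))

    event = MISPEvent()
    event.info = now.strftime("%Y%m%d ") + 'TIE'
    event.publish_timestamp = epoch
    event.timestamp = epoch
    event['timestamp'] = epoch
    event.analysis = 2
    event.published = conf.event_published

    orgc = MISPOrganisation()
    orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid}))
    event.orgc = orgc
    event.threat_level_id = conf.event_base_thread_level
    event.date = now
    # NOTE(review): uuid1() embeds the host MAC address and clock in an event
    # UUID that is shared with MISP peers; uuid4() would avoid that disclosure.
    # Left unchanged to keep the emitted UUID version stable for consumers.
    event['uuid'] = str(uuid.uuid1())
    if tags:
        event['Tag'] = tags

    # (category keyword, attr_tags attribute) in the original check order.
    # Each match *replaces* the attribute's tag list, so an observation in
    # several categories keeps only the tags of the last matching entry; this
    # mirrors the previous behaviour and may or may not be intended.
    category_tags = (
        ('c2-server', 'c2tags'),
        ('malware', 'malwaretags'),
        ('espionage', 'espionagetags'),
        ('bot', 'bottags'),
        ('whitelist', 'whitelisttags'),
        ('cybercrime', 'cybercrimetags'),
        ('phishing', 'phishingtags'),
    )

    attr_hashes = []
    for attr in deduplicated_observations.values():
        misp_attr = MISPAttribute()
        misp_attr.timestamp = epoch
        misp_attr['timestamp'] = epoch
        misp_attr.type = get_Attribute_Type(attr)
        misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type)

        categories = attr['categories']
        for keyword, tag_attr in category_tags:
            if keyword in categories:
                tag_list = getattr(attr_tags, tag_attr)
                if tag_list:
                    misp_attr['Tag'] = tag_list

        misp_attr.category = get_Attribute_Category(attr)
        # Export to IDS only when enabled and the observation is confident enough.
        misp_attr.to_ids = bool(
            conf.attr_to_ids
            and attr['min_confidence'] >= conf.attr_to_ids_threshold)
        misp_attr['comment'] = (
            f"categories: {attr['categories']} actors: {attr['actors']}"
            f" families: {attr['families']} sources: {attr['sources']}"
            f" severity: {attr['max_severity']}"
            f" confidence: {attr['max_confidence']}"
        )
        misp_attr.edited = False
        event.add_attribute(**(misp_attr.to_dict()))
        # md5 is used purely as a deduplication fingerprint of the value, not
        # as a security control.
        attr_hashes.append([
            hashlib.md5(attr['value'].encode("utf-8")).hexdigest(),
            event['uuid'],
        ])

    event.edited = False
    return event, attr_hashes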
def test_first_last_seen(self):
    """Date-like values given for first_seen/last_seen are normalised consistently.

    Exercises a dotted date string for the event date, a US-style date string
    and a float epoch for the attribute, then re-assigns an aware datetime and
    a plain date and checks they round-trip.
    """
    evt = MISPEvent()
    evt.info = 'Test First and Last Seen'
    evt.date = '2020.01.12'
    self.assertEqual(evt.date.day, 12)

    evt.add_attribute('ip-dst', '8.8.8.8',
                      first_seen='06-21-1998', last_seen=1580213607.469571)
    attribute = evt.attributes[0]
    self.assertEqual(attribute.first_seen.year, 1998)
    self.assertEqual(attribute.last_seen.year, 2020)

    current = datetime.now().astimezone()
    attribute.last_seen = current
    today = date.today()
    attribute.first_seen = today
    self.assertEqual(attribute.first_seen.year, today.year)
    self.assertEqual(attribute.last_seen, current)
def createEvent(eventName):
    """Create a MISP event called *eventName* and return it to Maltego.

    The event is built from the module-level MISP_* defaults and pushed
    through the global ``misp`` client; the returned id, info and orgc_id are
    wrapped in a ``maltego.MISPEvent`` entity before ``returnSuccess`` emits
    the transform response.
    """
    transform = MaltegoTransform()
    transform.addUIMessage("[Info] Creating event with the name %s" % eventName)

    draft = MISPEvent()
    draft.analysis = MISP_ANALYSIS
    draft.date = datetime.now()
    draft.distribution = MISP_DISTRIBUTION
    draft.info = eventName
    draft.threat_level_id = MISP_THREAT
    draft.published = MISP_EVENT_PUBLISH

    # The response is indexed under 'Event'; id/orgc_id are concatenated as
    # strings below, so presumably they arrive as strings -- verify with PyMISP.
    created = misp.add_event(draft)['Event']
    event_id = created['id']
    event_info = created['info']
    org_id = created['orgc_id']

    entity = MaltegoEntity('maltego.MISPEvent', event_id)
    entity.addAdditionalFields('EventLink', 'EventLink', False,
                               BASE_URL + '/events/view/' + event_id)
    entity.addAdditionalFields('Org', 'Org', False, org_id)
    entity.addAdditionalFields('notes', 'notes', False,
                               org_id + ": " + event_info)
    transform.addEntityToMessage(entity)
    returnSuccess("event", event_id, None, transform)
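def create_misp_event(misp_instance, isight_report_instance, event_tags):
    """Create a new MISP event for an iSight report that has no event yet.

    Builds a ``MISPEvent`` from the report's publication date, risk rating and
    title, pushes it to ``misp_instance``, records its id in the module-level
    ``new_events`` list, applies the configured and ThreatScape-derived tags,
    adds the report id / link / ThreatScape attributes and finally delegates
    the report-specific attributes to ``update_misp_event``.

    Args:
        misp_instance: PyMISP client used to add, tag and extend the event.
        isight_report_instance: Report object exposing ``publishDate`` (epoch
            seconds, or falsy when unknown), ``riskRating``, ``title``,
            ``reportId``, ``webLink`` and ``ThreatScape``.
        event_tags: Iterable of tag names applied to every new event; may be
            empty or None.

    Returns:
        None. Side effect: appends the new event id to ``new_events``.
    """
    # Both branches now produce a UTC-based date. Previously the report date
    # was converted in host-local time while the fallback used UTC, so the
    # event date could differ by a day depending on where the script ran.
    if isight_report_instance.publishDate:
        date = datetime.datetime.fromtimestamp(
            isight_report_instance.publishDate, tz=datetime.timezone.utc)
    else:
        # iSight did not provide a publication date: fall back to "now".
        date = datetime.datetime.now(datetime.timezone.utc)

    # MISP threat levels: 1 = High, 2 = Medium, 3 = Low, 4 = Undefined.
    # CRITICAL and HIGH both map to High because MISP has no "critical" level.
    # The lookup is case-insensitive, so the original 'CRITICAL'/'Critical'
    # pairs keep working and lower-case ratings are accepted as well; any
    # other value (including None) is Undefined, as before.
    threat_levels = {'CRITICAL': 1, 'HIGH': 1, 'MEDIUM': 2, 'LOW': 3}
    rating = str(isight_report_instance.riskRating or '').upper()

    event = MISPEvent()
    event.distribution = 1  # This community only
    event.threat_level_id = threat_levels.get(rating, 4)
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    PySight_settings.logger.debug('Created MISP event %s for iSight report %s',
                                  event, isight_report_instance.reportId)

    # Record the new event id in the module-level list of created events.
    global new_events
    new_events.append(my_event['id'])

    # Default tags configured by the caller (none when event_tags is empty).
    for event_tag in event_tags or ():
        misp_instance.tag(my_event, event_tag)

    # ThreatScape-driven tags, in the original order. Reports can carry
    # several ThreatScapes, so more than one entry may match. VERIS
    # distinguishes external/internal/partner actors, which MISP does not
    # model yet, hence the plain 'veris:actor:motive' tag for espionage.
    # A missing ThreatScape (None) previously raised on the ``in`` test; it
    # now simply yields no ThreatScape tags.
    threatscape_tags = (
        ('Cyber Espionage', 'veris:actor:motive="Espionage"'),
        ('Hacktivism', 'veris:actor:external:variety="Activist"'),
        ('Critical Infrastructure', 'basf:technology="OT"'),
        ('Cyber Physical', 'basf:technology="OT"'),
        ('Cyber Crime', 'veris:actor:external:variety="Organized crime"'),
    )
    threatscape = isight_report_instance.ThreatScape
    for keyword, tag in threatscape_tags:
        if keyword in (threatscape or ()):
            misp_instance.tag(my_event, tag)

    # Add the iSight report ID and web link as non-IDS attributes.
    if isight_report_instance.reportId:
        misp_instance.add_attribute(my_event, {
            'category': 'External analysis',
            'type': 'text',
            'to_ids': False,
            'value': isight_report_instance.reportId,
        }, pythonify=True)
    if isight_report_instance.webLink:
        misp_instance.add_attribute(my_event, {
            'category': 'External analysis',
            'type': 'link',
            'to_ids': False,
            'value': isight_report_instance.webLink,
        }, pythonify=True)

    # Put the ThreatScape into an Attribution attribute, but disable
    # correlation: the same ThreatScape text recurs across many reports and
    # would otherwise correlate unrelated events.
    if threatscape:
        misp_instance.add_attribute(my_event, {
            'category': 'Attribution',
            'type': 'text',
            'to_ids': False,
            'value': threatscape,
            'disable_correlation': True,
        }, pythonify=True)

    # Add the specific attributes from this iSight report.
    update_misp_event(misp_instance, my_event, isight_report_instance)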
path = Path('/home/raphael/gits/covid-19-china/data') if make_feed: org = MISPOrganisation() org.name = 'CIRCL' org.uuid = "55f6ea5e-2c60-40e5-964f-47a8950d210f" else: from covid_key import url, key misp = PyMISP(url, key) for p in path.glob('*_json/current_china.json'): d = parse(p.parent.name[:-5]) event = MISPEvent() event.info = f"[{d.isoformat()}] DXY COVID-19 live report" event.date = d event.distribution = 3 event.add_tag('tlp:white') if make_feed: event.orgc = org else: e = misp.search(eventinfo=event.info, metadata=True, pythonify=True) if e: # Already added. continue event.add_attribute('attachment', p.name, data=BytesIO(p.open('rb').read())) with p.open() as f: data = json.load(f) for province in data:
org_new.name = event_import_org org_new.uuid = str(uuid.uuid4()) org_new.type = "CSIRT" org_new.sector = "Government" org.id = api.add_organisation(org_new, pythonify=True).id # Create the MISP event by loading the JSON file # This will not add the attributes, but does add the event tags and galaxies # We also add a random UUID for uniqueness event = MISPEvent() event.load_file(json_import) event.uuid = event_import_uuid if not event_import_info: event_import_info = event.info event.info = event_import_info event.date = event_import_date event.distribution = event_import_distribution event.orgc = api.get_organisation(org, pythonify=True) event = api.add_event(event, pythonify=True) # Check if the event was created if (int(event.id) > 0): # Yes, read the content and add attributes and objects # Include a sleep so for the scheduler count_attributes = 0 count_objects = 0 with open(json_import) as json_file: data = json.load(json_file) if 'Attribute' in data.get("response")[0].get("Event"): attributes = data.get("response")[0].get("Event").get("Attribute")
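def create_event(title: str, date_added: datetime) -> MISPEvent:
    """Return a new ``MISPEvent`` titled *title*, dated *date_added* when given.

    Args:
        title: Text stored in the event's ``info`` field.
        date_added: Event date. Callers pass ``''`` to mean "no date"; ``None``
            is now treated the same way so the event keeps its default date
            instead of having ``None`` assigned to ``misp_event.date``.

    Returns:
        The populated ``MISPEvent``.
    """
    misp_event = MISPEvent()
    misp_event.info = title
    # Any empty value ('' or None) leaves the date untouched. The original
    # only filtered '', so a None date reached the MISPEvent date setter.
    if date_added:
        misp_event.date = date_added
    return misp_event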