def convert_indicator(indicator20): indicator1x = Indicator(id_=convert_id20(indicator20["id"]), timestamp=text_type(indicator20["modified"])) if "name" in indicator20: indicator1x.title = indicator20["name"] if "description" in indicator20: indicator1x.add_description(indicator20["description"]) indicator1x.indicator_types = convert_open_vocabs_to_controlled_vocabs( indicator20["labels"], INDICATOR_LABEL_MAP) indicator1x.add_valid_time_position( convert_to_valid_time( text_type(indicator20["valid_from"]), text_type(indicator20["valid_until"]) if "valid_until" in indicator20 else None)) indicator1x.add_observable( create_pattern_object( indicator20["pattern"]).toSTIX1x(id20=indicator20["id"])) if "kill_chain_phases" in indicator20: process_kill_chain_phases(indicator20["kill_chain_phases"], indicator1x) if "object_marking_refs" in indicator20: for m_id in indicator20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(indicator1x, ms, descendants=True) if "granular_markings" in indicator20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, indicator20["id"]) record_id_object_mapping(indicator20["id"], indicator1x) return indicator1x
def resolveObjects(incident, ttps, objects, eventTags, org): for obj in objects: tmp_incident = Incident() resolveAttributes(tmp_incident, ttps, obj["Attribute"], eventTags, org) indicator = Indicator( timestamp=getDateFromTimestamp(int(obj["timestamp"]))) indicator.id_ = namespace[1] + ":MispObject-" + obj["uuid"] setProd(indicator, org) if obj["comment"] != "": indicator.description = obj["comment"] tlpTags = eventTags for attr in obj["Attribute"]: tlpTags = mergeTags(tlpTags, attr) setTLP(indicator, obj["distribution"], tlpTags, True) indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")" indicator.description = indicator.title indicator.add_indicator_type("Malware Artifacts") indicator.add_valid_time_position(ValidTime()) indicator.observable_composition_operator = "AND" for rindicator in tmp_incident.related_indicators: if rindicator.item.observable: indicator.add_observable(rindicator.item.observable) relatedIndicator = RelatedIndicator(indicator, relationship=obj["meta-category"]) incident.related_indicators.append(relatedIndicator)
def create_indicator(self, ce1sus_indicator, event_permissions, user): indicator = Indicator() indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid) indicator.title = ce1sus_indicator.title indicator.description = ce1sus_indicator.description indicator.short_description = ce1sus_indicator.short_description if ce1sus_indicator.confidence: indicator.confidence = ce1sus_indicator.confidence.title() else: indicator.confidence = 'Low' # TODO: handling # TODO: markings for type_ in ce1sus_indicator.types: indicator.add_indicator_type(type_.name) if ce1sus_indicator.operator: indicator.observable_composition_operator = ce1sus_indicator.operator # Todo Add confidence # indicator_attachment.confidence = "Low" creator = self.create_stix_identity(ce1sus_indicator) time = self.cybox_mapper.get_time( produced_time=ce1sus_indicator.created_at) info_source = InformationSource(identity=creator, time=time) indicator.producer = info_source observables = ce1sus_indicator.get_observables_for_permissions( event_permissions, user) for obs in observables: cybox_obs = self.create_observable(obs, event_permissions, user) indicator.add_observable(cybox_obs) valid_time = ValidTime(start_time=ce1sus_indicator.created_at, end_time=ce1sus_indicator.created_at) indicator.add_valid_time_position(valid_time) return indicator
def test_datetime_format(self): indicator = Indicator(title="title") valid_time = ValidTime( start_time=datetime.strptime("2010-03-05", "%Y-%m-%d")) indicator.add_valid_time_position(valid_time) ixml = indicator.to_xml() self.assertTrue("2010-03-05T" in text_type(ixml))
def test_datetime_format(self): indicator = Indicator(title="title") valid_time = ValidTime(start_time=datetime.strptime("2010-03-05", "%Y-%m-%d")) indicator.add_valid_time_position(valid_time) ixml = indicator.to_xml() self.assertTrue("2010-03-05T" in text_type(ixml))
def buildIndicator(input_dict): indicator = Indicator() indicator.description = input_dict["description"] if input_dict["confidence"]: indicator.confidence = input_dict["confidence"] if input_dict["impact"]: indicator.likely_impact = input_dict["impact"] if input_dict["producer"]: indicator.producer = InformationSource() indicator.producer.identity = Identity(input_dict["producer"]) indicator.title = input_dict["title"] indicator.add_valid_time_position(valid_time.ValidTime(input_dict["starttime"], input_dict["endtime"])) if input_dict["type"]: indicator.add_indicator_type(input_dict["type"]) return indicator
def resolve_objects(self, incident, tags): for misp_object in self.misp_event.objects: tlp_tags = None tmp_incident = Incident() tlp_tags = deepcopy(tags) self.resolve_attributes(tmp_incident, misp_object.attributes, tags) indicator = Indicator(timestamp=self.get_date_from_timestamp(int(misp_object.timestamp))) indicator.id_ = "{}:MispObject-{}".format(namespace[1], misp_object.uuid) self.set_prod(indicator, self.orgc_name) for attribute in misp_object.attributes: tlp_tags = self.merge_tags(tlp_tags, attribute) self.set_tlp(indicator, misp_object.distribution, tlp_tags) title = "{} (MISP Object #{})".format(misp_object.name, misp_object.id) indicator.title = title indicator.description = misp_object.comment if misp_object.comment else title indicator.add_indicator_type("Malware Artifacts") indicator.add_valid_time_position(ValidTime()) indicator.observable_composition_operator = "AND" for rindicator in tmp_incident.related_indicators: if rindicator.item.observable: indicator.add_observable(rindicator.item.observable) relatedIndicator = RelatedIndicator(indicator, relationship=misp_object['meta-category']) incident.related_indicators.append(relatedIndicator)