def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags):
dt = datetime.now()
event = MISPEvent()
event.info = dt.strftime("%Y%m%d ") + 'TIE'
event.publish_timestamp = dt.strftime("%s")
event.timestamp = dt.strftime("%s")
event['timestamp'] = dt.strftime("%s")
event.analysis = 2
event.published = conf.event_published
orgc = MISPOrganisation()
orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid}))
event.orgc = orgc
event.threat_level_id = conf.event_base_thread_level
event.date = dt
event['uuid'] = str(uuid.uuid1())
if len(tags) > 0:
event['Tag'] = tags
attr_hashes = []
for key, attr in deduplicated_observations.items():
misp_attr = MISPAttribute()
misp_attr.timestamp = dt.strftime("%s")
misp_attr['timestamp'] = dt.strftime("%s")
misp_attr.type = get_Attribute_Type(attr)
misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type)
if 'c2-server' in attr['categories'] and attr_tags.c2tags:
misp_attr['Tag'] = attr_tags.c2tags
if 'malware' in attr['categories'] and attr_tags.malwaretags:
misp_attr['Tag'] = attr_tags.malwaretags
if 'espionage' in attr['categories'] and attr_tags.espionagetags:
misp_attr['Tag'] = attr_tags.espionagetags
if 'bot' in attr['categories'] and attr_tags.bottags:
misp_attr['Tag'] = attr_tags.bottags
if 'whitelist' in attr['categories'] and attr_tags.whitelisttags:
misp_attr['Tag'] = attr_tags.whitelisttags
if 'cybercrime' in attr['categories'] and attr_tags.cybercrimetags:
misp_attr['Tag'] = attr_tags.cybercrimetags
if 'phishing' in attr['categories'] and attr_tags.phishingtags:
misp_attr['Tag'] = attr_tags.phishingtags
misp_attr.category = get_Attribute_Category(attr)
if conf.attr_to_ids and attr[
'min_confidence'] >= conf.attr_to_ids_threshold:
misp_attr.to_ids = True
else:
misp_attr.to_ids = False
misp_attr['comment'] = 'categories: ' + str(attr['categories']) + ' actors: ' + str(attr['actors']) + \
' families: ' + str(attr['families']) + ' sources: ' + str(attr['sources']) + \
' severity: ' + str(attr['max_severity']) + \
' confidence: ' + str(attr['max_confidence'])
misp_attr.edited = False
event.add_attribute(**(misp_attr.to_dict()))
attr_hashes.append([
hashlib.md5(attr['value'].encode("utf-8")).hexdigest(),
event['uuid']
])
event.edited = False
return event, attr_hashes
def ip_attribute(category, type, value):
attribute = MISPAttribute()
attribute.category = category
attribute.org = "RST Cloud"
attribute.type = type
if value['ip']:
if value['ip']['v4']:
attribute.value = value['ip']['v4']
attribute.add_tag("rstcloud:asn:firstip=" +
str(value['asn']['firstip']['netv4']))
attribute.add_tag("rstcloud:asn:lastip=" +
str(value['asn']['lastip']['netv4']))
else:
if value['ip']['v6']:
attribute.value = value['ip']['v6']
attribute.add_tag("rstcloud:asn:firstip=" +
str(value['asn']['firstip']['netv6']))
attribute.add_tag("rstcloud:asn:lastip=" +
str(value['asn']['lastip']['netv6']))
attribute.add_tag("rstcloud:asn:number=" + str(value['asn']['num']))
attribute.comment = listToString(value['src']['str'])
attribute.first_seen = value['fseen']
attribute.last_seen = value['lseen']
attribute.timestamp = value['collect']
attribute.distribution = distribution_level
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
for rsttag in value['tags']['str']:
attribute.add_tag("rstcloud:tag=" + str(rsttag))
if value['asn']['cloud']:
attribute.add_tag("rstcloud:cloudprovider=" +
str(value['asn']['cloud']))
if value['asn']['domains']:
attribute.add_tag("rstcloud:number_of_hosted_domains=" +
str(value['asn']['domains']))
attribute.add_tag("rstcloud:org=" + str(value['asn']['org']))
attribute.add_tag("rstcloud:isp=" + str(value['asn']['isp']))
attribute.add_tag("rstcloud:geo.city=" + str(value['geo']['city']))
attribute.add_tag("rstcloud:geo.region=" + str(value['geo']['region']))
attribute.add_tag("rstcloud:geo.country=" + str(value['geo']['country']))
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
attribute.add_tag("rstcloud:false-positive:alarm=" +
str(value['fp']['alarm']))
if value['fp']['descr']:
attribute.add_tag("rstcloud:false-positive:description=" +
str(value['fp']['descr']))
return attribute
def domain_attribute(category, type, value):
attribute = MISPAttribute()
attribute.category = category
attribute.type = type
attribute.value = value['domain']
attribute.comment = listToString(value['src']['str'])
attribute.first_seen = value['fseen']
attribute.last_seen = value['lseen']
attribute.timestamp = value['collect']
attribute.distribution = distribution_level
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
for rsttag in value['tags']['str']:
attribute.add_tag("rstcloud:tag=" + str(rsttag))
if value['resolved'] and value['resolved']['whois']:
if value['resolved']['whois']['age'] > 0:
attribute.add_tag("rstcloud:whois:created=" +
str(value['resolved']['whois']['created']))
attribute.add_tag("rstcloud:whois:updated=" +
str(value['resolved']['whois']['updated']))
attribute.add_tag("rstcloud:whois:expires=" +
str(value['resolved']['whois']['expires']))
attribute.add_tag("rstcloud:whois:age=" +
str(value['resolved']['whois']['age']))
if value['resolved']['whois']['registrar'] and value['resolved'][
'whois']['registrar'] != 'unknown':
attribute.add_tag("rstcloud:whois:registrar=" +
str(value['resolved']['whois']['registrar']))
if value['resolved']['whois']['registrar'] and value['resolved'][
'whois']['registrant'] != 'unknown':
attribute.add_tag("rstcloud:whois:registrant=" +
str(value['resolved']['whois']['registrant']))
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
attribute.add_tag("rstcloud:false-positive:alarm=" +
str(value['fp']['alarm']))
if value['fp']['descr']:
attribute.add_tag("rstcloud:false-positive:description=" +
str(value['fp']['descr']))
return attribute
