Exemplo n.º 1
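def create_misp_event(misp_instance, isight_report_instance):
    """Create a new MISP event for an iSight report that has no event yet.

    Args:
        misp_instance: PyMISP client used to push the event and attach tags.
        isight_report_instance: iSight report object; the fields read here are
            ``publishDate`` (epoch seconds, may be empty), ``riskRating``,
            ``title``, ``reportId`` and ``Id``.

    Returns:
        None. The event is pushed to the server, tagged, and then handed to
        ``update_misp_event`` for its attributes.
    """
    # Convert the publication date of the iSight report into a datetime object.
    # Both branches yield a timezone-aware UTC datetime, so event.date does not
    # depend on the local timezone of the host running this script.
    if isight_report_instance.publishDate:
        date = datetime.datetime.fromtimestamp(
            isight_report_instance.publishDate, tz=datetime.timezone.utc)
    else:
        # If iSight doesn't provide a date, use today's date.
        date = datetime.datetime.now(datetime.timezone.utc)

    # Create a MISP event from the FireEye iSight report with the following parameters.
    PySilo_settings.logger.debug('Creating new MISP event for iSight report %s',
                                 isight_report_instance.reportId)
    event = MISPEvent()
    event.distribution = 1  # This community only
    # Map the iSight risk rating (either spelling) onto a MISP threat level;
    # anything unrecognised, including a missing rating, becomes "Unknown".
    rating = isight_report_instance.riskRating
    if rating in ('CRITICAL', 'Critical', 'HIGH', 'High'):
        event.threat_level_id = 1  # High
    elif rating in ('MEDIUM', 'Medium'):
        event.threat_level_id = 2  # Medium
    elif rating in ('LOW', 'Low'):
        event.threat_level_id = 3  # Low
    else:
        event.threat_level_id = 4  # Unknown
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    PySilo_settings.logger.debug('Pushed event to MISP server: %s', my_event)
    PySilo_settings.logger.debug('Created MISP event %s for iSight report %s',
                                 event, isight_report_instance.reportId)

    # Add default tags to the event.
    misp_instance.tag(my_event, 'Source:SILOBREAKER')
    misp_instance.tag(my_event, 'CTI feed: SILOBREAKER')
    misp_instance.tag(my_event, 'tlp:amber')
    # NOTE(review): in current PyMISP the third positional argument of tag() is
    # the ``local`` flag, so the report Id does not end up in the tag text; the
    # event receives the literal tag 'report id'. Left unchanged pending
    # confirmation of the intended tag — compare the attribute-based handling
    # of reportId elsewhere in this project.
    misp_instance.tag(my_event, 'report id', isight_report_instance.Id)

    # ThreatScape-based tagging (VERIS / technology tags) is intentionally not
    # applied in this variant of the importer.

    update_misp_event(misp_instance, my_event, isight_report_instance)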
Exemplo n.º 2
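def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags):
    """Build a MISPEvent from deduplicated TIE observations.

    Args:
        deduplicated_observations: mapping whose values are observation dicts
            carrying ``value``, ``categories``, ``actors``, ``families``,
            ``sources``, ``max_severity``, ``max_confidence`` and
            ``min_confidence``.
        conf: settings object providing ``event_published``, ``org_name``,
            ``org_uuid``, ``event_base_thread_level``, ``attr_to_ids`` and
            ``attr_to_ids_threshold``.
        tags: list of event-level tags; attached only when non-empty.
        attr_tags: object with one tag list per category (``c2tags``,
            ``malwaretags``, ``espionagetags``, ``bottags``, ``whitelisttags``,
            ``cybercrimetags``, ``phishingtags``).

    Returns:
        ``(event, attr_hashes)`` where ``attr_hashes`` holds one
        ``[md5_of_value, event_uuid]`` pair per attribute added.
    """
    dt = datetime.now()
    # Epoch seconds as a string. strftime("%s") is a glibc extension that is
    # not available on every platform; timestamp() is portable and yields the
    # same value for a naive local datetime.
    epoch = str(int(dt.timestamp()))

    event = MISPEvent()
    event.info = dt.strftime("%Y%m%d ") + 'TIE'
    event.publish_timestamp = epoch
    event.timestamp = epoch
    event['timestamp'] = epoch
    event.analysis = 2
    event.published = conf.event_published
    orgc = MISPOrganisation()
    orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid}))
    event.orgc = orgc
    event.threat_level_id = conf.event_base_thread_level
    event.date = dt
    # uuid4 is purely random; uuid1 embeds the host's MAC address and clock in
    # an identifier that is shared with every MISP peer receiving the event.
    event['uuid'] = str(uuid.uuid4())
    if tags:
        event['Tag'] = tags

    # (category, tag list) in the original check order. A later match
    # overwrites an earlier one, so an observation in several categories keeps
    # only the tags of the last matching entry below.
    category_tags = [
        ('c2-server', attr_tags.c2tags),
        ('malware', attr_tags.malwaretags),
        ('espionage', attr_tags.espionagetags),
        ('bot', attr_tags.bottags),
        ('whitelist', attr_tags.whitelisttags),
        ('cybercrime', attr_tags.cybercrimetags),
        ('phishing', attr_tags.phishingtags),
    ]

    attr_hashes = []
    for attr in deduplicated_observations.values():
        misp_attr = MISPAttribute()
        misp_attr.timestamp = epoch
        misp_attr['timestamp'] = epoch
        misp_attr.type = get_Attribute_Type(attr)
        misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type)
        categories = attr['categories']
        for category, tag_list in category_tags:
            if category in categories and tag_list:
                misp_attr['Tag'] = tag_list
        misp_attr.category = get_Attribute_Category(attr)
        # Only flag for IDS when enabled in config and the observation is
        # confident enough; the threshold is not read when the feature is off.
        misp_attr.to_ids = bool(
            conf.attr_to_ids
            and attr['min_confidence'] >= conf.attr_to_ids_threshold)
        misp_attr['comment'] = (
            'categories: ' + str(attr['categories'])
            + ' actors: ' + str(attr['actors'])
            + ' families: ' + str(attr['families'])
            + ' sources: ' + str(attr['sources'])
            + ' severity: ' + str(attr['max_severity'])
            + ' confidence: ' + str(attr['max_confidence'])
        )
        misp_attr.edited = False
        event.add_attribute(**(misp_attr.to_dict()))
        # MD5 is used only as a deduplication fingerprint of the value, not
        # for integrity; stored hashes depend on it, so do not switch
        # algorithms without migrating the existing hash records.
        attr_hashes.append([
            hashlib.md5(attr['value'].encode("utf-8")).hexdigest(),
            event['uuid']
        ])

    event.edited = False
    return event, attr_hashes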
Exemplo n.º 3
 def test_first_last_seen(self):
     """Round-trip first_seen/last_seen through the event and attribute setters."""
     event = MISPEvent()
     event.info = 'Test First and Last Seen'
     event.date = '2020.01.12'
     self.assertEqual(event.date.day, 12)
     # Mixed input formats: a date string for first_seen, an epoch float for last_seen.
     event.add_attribute('ip-dst', '8.8.8.8', first_seen='06-21-1998', last_seen=1580213607.469571)
     attribute = event.attributes[0]
     self.assertEqual(attribute.first_seen.year, 1998)
     self.assertEqual(attribute.last_seen.year, 2020)
     # Native datetime / date objects must be accepted as well and read back unchanged.
     current = datetime.now().astimezone()
     attribute.last_seen = current
     current_date = date.today()
     attribute.first_seen = current_date
     self.assertEqual(attribute.first_seen.year, current_date.year)
     self.assertEqual(attribute.last_seen, current)
Exemplo n.º 4
def createEvent(eventName):
    """Create a MISP event called *eventName* and emit it as a Maltego entity.

    The fixed event metadata comes from the module-level MISP_* constants and
    the MISP client from the module-level ``misp``; the new event's id, info and
    creator-org id are copied onto a ``maltego.MISPEvent`` entity.
    """
    transform = MaltegoTransform()
    transform.addUIMessage("[Info] Creating event with the name %s" % eventName)

    new_event = MISPEvent()
    new_event.analysis = MISP_ANALYSIS
    new_event.date = datetime.now()
    new_event.distribution = MISP_DISTRIBUTION
    new_event.info = eventName
    new_event.threat_level_id = MISP_THREAT
    new_event.published = MISP_EVENT_PUBLISH

    # add_event() without pythonify returns the raw server response.
    created = misp.add_event(new_event)['Event']
    event_id = created['id']
    event_info = created['info']
    event_orgc = created['orgc_id']

    entity = MaltegoEntity('maltego.MISPEvent', event_id)
    entity.addAdditionalFields('EventLink', 'EventLink', False,
                               BASE_URL + '/events/view/' + event_id)
    entity.addAdditionalFields('Org', 'Org', False, event_orgc)
    entity.addAdditionalFields('notes', 'notes', False, event_orgc + ": " + event_info)
    transform.addEntityToMessage(entity)
    returnSuccess("event", event_id, None, transform)
Exemplo n.º 5
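def create_misp_event(misp_instance, isight_report_instance, event_tags):
    """Create a new MISP event for an iSight report that has no event yet.

    Args:
        misp_instance: PyMISP client used to create the event, tag it and add
            attributes.
        isight_report_instance: iSight report; the fields read here are
            ``publishDate`` (epoch seconds, may be empty), ``riskRating``,
            ``title``, ``reportId``, ``webLink`` and ``ThreatScape``.
        event_tags: iterable of tag names attached to every new event; may be
            empty or None.

    Side effects:
        Appends the new event id to the module-level ``new_events`` list and
        finally delegates attribute creation to ``update_misp_event``.
    """
    global new_events

    # Convert the publication date into a timezone-aware UTC datetime. The
    # fallback is UTC as well, so event.date never depends on the host timezone.
    if isight_report_instance.publishDate:
        date = datetime.datetime.fromtimestamp(
            isight_report_instance.publishDate, tz=datetime.timezone.utc)
    else:
        # If iSight doesn't provide a date, use today's date.
        date = datetime.datetime.now(datetime.timezone.utc)

    # Create a MISP event from the FireEye iSight report with the following parameters.
    event = MISPEvent()
    event.distribution = 1  # This community only
    # Map the iSight risk rating (either spelling) onto a MISP threat level;
    # anything unrecognised, including a missing rating, becomes "Unknown".
    rating = isight_report_instance.riskRating
    if rating in ('CRITICAL', 'Critical', 'HIGH', 'High'):
        event.threat_level_id = 1  # High
    elif rating in ('MEDIUM', 'Medium'):
        event.threat_level_id = 2  # Medium
    elif rating in ('LOW', 'Low'):
        event.threat_level_id = 3  # Low
    else:
        event.threat_level_id = 4  # Unknown
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    PySight_settings.logger.debug('Created MISP event %s for iSight report %s',
                                  event, isight_report_instance.reportId)
    # Add the event ID to the global list of newly created events.
    new_events.append(my_event['id'])

    # Add default tags to the event.
    for event_tag in event_tags or ():
        misp_instance.tag(my_event, event_tag)

    # Use some iSight ThreatScapes for event tagging. Reports can have multiple
    # ThreatScapes. A missing ThreatScape is treated as empty so the membership
    # tests below cannot fail on None.
    threat_scape = isight_report_instance.ThreatScape or ''
    if 'Cyber Espionage' in threat_scape:
        # VERIS distinguishes between external, internal or partner actors. This
        # difference is not yet implemented in MISP, so the actor-neutral motive
        # tag is used rather than veris:actor:external:motive.
        misp_instance.tag(my_event, 'veris:actor:motive="Espionage"')
    if 'Hacktivism' in threat_scape:
        misp_instance.tag(my_event, 'veris:actor:external:variety="Activist"')
    # Both OT-related ThreatScapes map to the same tag; attach it once.
    if 'Critical Infrastructure' in threat_scape or 'Cyber Physical' in threat_scape:
        misp_instance.tag(my_event, 'basf:technology="OT"')
    if 'Cyber Crime' in threat_scape:
        misp_instance.tag(my_event,
                          'veris:actor:external:variety="Organized crime"')

    def _add_attribute(category, attr_type, value, **extra):
        """Attach a non-IDS attribute of *attr_type* in *category* to the new event."""
        attribute = {
            'category': category,
            'type': attr_type,
            'to_ids': False,
            'value': value,
        }
        attribute.update(extra)
        misp_instance.add_attribute(my_event, attribute, pythonify=True)

    # Add the iSight report ID and web link as attributes.
    if isight_report_instance.reportId:
        _add_attribute('External analysis', 'text', isight_report_instance.reportId)
    if isight_report_instance.webLink:
        _add_attribute('External analysis', 'link', isight_report_instance.webLink)

    # Put the ThreatScape into an Attribution attribute, but disable correlation.
    if threat_scape:
        _add_attribute('Attribution', 'text', threat_scape,
                       disable_correlation=True)

    # Add specific attributes from this iSight report.
    update_misp_event(misp_instance, my_event, isight_report_instance)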
Exemplo n.º 6
# Root directory of the daily snapshots; each *_json subdirectory is expected
# to contain a current_china.json file.
path = Path('/home/raphael/gits/covid-19-china/data')

if make_feed:
    # Feed mode: events are generated offline, so only the creator org is needed.
    org = MISPOrganisation()
    org.uuid = "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    org.name = 'CIRCL'
else:
    # Live mode: connect to a MISP instance with the credentials kept in covid_key.
    from covid_key import url, key
    misp = PyMISP(url, key)

for p in path.glob('*_json/current_china.json'):
    d = parse(p.parent.name[:-5])
    event = MISPEvent()
    event.info = f"[{d.isoformat()}] DXY COVID-19 live report"
    event.date = d
    event.distribution = 3
    event.add_tag('tlp:white')
    if make_feed:
        event.orgc = org
    else:
        e = misp.search(eventinfo=event.info, metadata=True, pythonify=True)
        if e:
            # Already added.
            continue
    event.add_attribute('attachment',
                        p.name,
                        data=BytesIO(p.open('rb').read()))
    with p.open() as f:
        data = json.load(f)
    for province in data:
Exemplo n.º 7
    org_new.name = event_import_org
    org_new.uuid = str(uuid.uuid4())
    org_new.type = "CSIRT"
    org_new.sector = "Government"
    org.id = api.add_organisation(org_new, pythonify=True).id

# Create the MISP event by loading the JSON file
# This will not add the attributes, but does add the event tags and galaxies
# We also add a random UUID for uniqueness
event = MISPEvent()
event.load_file(json_import)
event.uuid = event_import_uuid
# An empty event_import_info keeps the info field that came from the JSON file.
event_import_info = event_import_info or event.info
event.info = event_import_info
event.date = event_import_date
event.distribution = event_import_distribution
event.orgc = api.get_organisation(org, pythonify=True)
# Replace the local object with the server's copy so its id is available below.
event = api.add_event(event, pythonify=True)

# Check if the event was created
if (int(event.id) > 0):
    # Yes, read the content and add attributes and objects
    # Include a sleep so for the scheduler
    count_attributes = 0
    count_objects = 0
    with open(json_import) as json_file:
        data = json.load(json_file)

        if 'Attribute' in data.get("response")[0].get("Event"):
            attributes = data.get("response")[0].get("Event").get("Attribute")
Exemplo n.º 8
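 def create_event(title: str, date_added: datetime) -> MISPEvent:
     """Build an unsaved MISPEvent whose info field is *title*.

     Args:
         title: Text stored in ``MISPEvent.info``.
         date_added: Event date. Skipped when empty (``''``) or ``None`` so the
             event keeps its default date; the original only filtered ``''``.

     Returns:
         The populated, not yet submitted ``MISPEvent``.
     """
     misp_event = MISPEvent()
     misp_event.info = title
     # A datetime is always truthy, so this only filters '' and None.
     if date_added:
         misp_event.date = date_added
     return misp_event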