def parse_events(self, xml, full=True):
    """Convert the ``./Event`` children of a MISP XML export into ``Event`` objects.

    Args:
        xml: a parsed element tree; only its direct ``./Event`` children are visited.
        full: when true, the event's attributes are converted to observables and its
            reports are rebuilt (empty reports dropped, one origin report appended);
            when false only the event header is set.

    Returns:
        A list with one ``Event`` per ``<Event>`` node. Each carries the value
        returned by ``set_event_header`` in a ``misp_id`` attribute.
    """
    converted = []
    for event_node in xml.iterfind('./Event'):
        rest_event = Event()
        event_id = self.set_event_header(event_node, rest_event)
        if full:
            rest_event.observables = self.parse_attributes(rest_event, event_node)
            # Keep only the reports that actually carry references.
            kept_reports = [existing for existing in rest_event.reports if existing.references]
            # One additional report points back to the originating MISP event.
            origin_report = Report()
            origin_report.identifier = uuid4()
            self.set_properties(origin_report, False)
            # Extended logging is deliberately NOT set on this report: it should
            # only be visible to the owner/inserter.
            # NOTE: the leading '' format argument is vacuous; the literal is kept
            # unchanged so the produced value is byte-identical.
            external_id = u'{0}{1} Event ID {2}'.format('', self.tag, event_id)
            # NOTE(review): create_reference receives 9 positional arguments here
            # but 8 in create_observable; the trailing False presumably is an
            # optional flag (looks like it suppresses extended logging) — confirm
            # against the signature.
            origin_report.references.append(
                self.create_reference(None, uuid4(), None, 'reference_external_identifier',
                                      external_id, None, False, rest_event, False))
            view_url = u'{0}/events/view/{1}'.format(self.api_url, event_id)
            origin_report.references.append(
                self.create_reference(None, uuid4(), None, 'link',
                                      view_url, None, False, rest_event, False))
            kept_reports.append(origin_report)
            rest_event.reports = kept_reports
        # NOTE(review): the source was collapsed onto one line, so whether this
        # statement sits inside the `if full:` block is ambiguous; it is applied
        # unconditionally here — confirm against the original layout.
        setattr(rest_event, 'misp_id', event_id)
        converted.append(rest_event)
    return converted
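def create_observable(self, id_, uuid, category, type_, value, data, comment, ioc, share, event):
    """Map one MISP attribute either onto a report reference or onto an Observable.

    Attributes whose category/type pair is "reference-like" (external analysis,
    links, comments, free text, vulnerabilities, attribution, ...) are turned
    into a reference that is collected in the event's single report;
    everything else becomes an Observable with one Object and its attributes.

    Args:
        id_: identifier passed through to ``create_reference``/``append_attributes``.
        uuid: attribute uuid passed through to the same helpers.
        category: MISP attribute category string (as found in the export).
        type_: MISP attribute type string (as found in the export).
        value: attribute value; for the 'vulnerability' and 'attribution'
            report branches the reference value is prefixed with a label.
        data: passed through to ``create_reference``.
        comment: optional text; on the report branches it is appended to the
            report description, on the observable branch it is handed to
            ``make_observable``.
        ioc: passed through to ``append_attributes``.
        share: passed through to ``create_reference``, ``make_observable``,
            ``set_properties`` and ``append_attributes``.
        event: the ``Event`` being populated; its ``reports`` list may grow.

    Returns:
        The new Observable, or None when the attribute was recorded as a report
        reference, when ``create_reference`` returned nothing, or when no object
        definition could be resolved for ``category``/``type_``.

    All of ``category``, ``type_``, ``value`` and ``comment`` originate from a
    remote MISP export, so consumers of the stored references (notably 'link'
    values) should treat them as untrusted data.
    """
    # The original condition also listed two clauses that are fully subsumed by
    # the first one ('internal reference' + text/comment, 'antivirus detection'
    # + link) and repeated 'text'; they are dropped without changing membership.
    report_categories = ('external analysis', 'internal reference', 'targeting data',
                         'antivirus detection')
    report_types = ('attachment', 'comment', 'link', 'text', 'url', 'malware-sample',
                    'filename|sha1', 'filename|md5', 'filename|sha256', 'vulnerability')
    as_plain_reference = (
        (category in report_categories and type_ in report_types)
        or type_ == 'other'
        or category == 'other'
        # attribution+comment lands here (no "Attribution: " prefix), before the
        # generic attribution branch below.
        or (category == 'attribution' and type_ == 'comment')
    )

    if as_plain_reference:
        reference = self.create_reference(id_, uuid, category, type_, value, data, share, event)
        if reference:
            self._attach_reference_to_report(event, reference, comment)
        return None

    if category == 'payload installation' and type_ == 'vulnerability':
        reference = self.create_reference(id_, uuid, category, type_, value, data, share, event)
        if reference:
            # NOTE: 'Vulnerablility' is misspelled in the original. Kept
            # byte-for-byte because downstream code may match on this prefix;
            # fix it in a coordinated change.
            reference.value = u'Vulnerablility: {0}'.format(reference.value)
            self._attach_reference_to_report(event, reference, comment)
        return None

    if category == 'attribution':
        reference = self.create_reference(id_, uuid, category, type_, value, data, share, event)
        if reference:
            reference.value = u'Attribution: {0}'.format(reference.value)
            self._attach_reference_to_report(event, reference, comment)
        return None

    # Everything else becomes an Observable holding a single Object.
    observable = self.make_observable(event, comment, share)
    obj = Object()
    obj.identifier = uuid4()
    self.set_properties(obj, share)
    self.set_extended_logging(obj, event)
    observable.object = obj
    obj.definition = self.get_object_definition(category, type_, value, event)
    if not obj.definition:
        # No definition known for this category/type pair: nothing to attach.
        return None
    obj.definition_id = obj.definition.identifier
    # Create the attribute(s) of the object from the MISP value.
    self.append_attributes(obj, observable, id_, category, type_, value, ioc, share, event, uuid)
    if not observable.description:
        # Normalise any falsy description (e.g. '') to None.
        observable.description = None
    return observable

def _attach_reference_to_report(self, event, reference, comment):
    """Append *reference* to the event's first report, creating that report if needed.

    All reference-like MISP attributes of an event are collected in one report.
    When *comment* is non-empty it is appended to the report description,
    joined with ' - ' if a description already exists.

    Args:
        event: the ``Event`` whose ``reports`` list is read and possibly extended.
        reference: the reference object to record.
        comment: optional text merged into the report description.
    """
    if not event.reports:
        report = Report()
        report.identifier = uuid4()
        self.set_properties(report, True)
        self.set_extended_logging(report, event)
        event.reports.append(report)
    target = event.reports[0]
    if comment:
        if target.description:
            target.description = target.description + ' - ' + comment
        else:
            target.description = comment
    target.references.append(reference)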