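def convertTEtoMISP(self, teevent):
    """
    Convert a single ThreatExchange entry to a MISP event.

    Args:
        teevent: one ThreatExchange descriptor as a dict. It is feed-supplied
            data; the keys read here are ``privacy_type``, ``status``,
            ``raw_indicator``, ``type``, ``description``, ``owner``,
            ``share_level`` and ``id``.

    Returns:
        ``[event_id, MISPEvent]`` for an entry worth importing, or ``None``
        when the entry is discarded because either its status scores below
        ``badness_threshold`` or no MISP attribute can be built from it
        (no ``raw_indicator``, no ``type``, or a type that is not in
        ``type_map``). An event without an attribute carries no indicator
        and would only add noise to MISP, so it is never returned.

    Raises:
        KeyError: if ``privacy_type`` or ``id`` is missing from the entry, or
            ``privacy_type`` is not a key of ``privacy_levels``.
    """
    mispevt = MISPEvent()
    mispevt.info = "[Facebook ThreatExchange]"
    mispevt.distribution = 0
    mispevt.sharing_group_id = self.privacy_levels[teevent["privacy_type"]]

    # Drop entries whose ThreatExchange status scores as not bad enough.
    if (
        "status" in teevent
        and teevent["status"] in self.score
        and self.score[teevent["status"]] < self.badness_threshold
    ):
        print("IGNORE EVENT %s due to status (%s)" % (teevent, teevent["status"]))
        return None

    # An entry is only useful if it yields exactly one MISP attribute.
    if "raw_indicator" not in teevent:
        print("WARNING, event %s does not contains any indicator :(" % teevent)
        return None  # don't create event without content!
    if "type" not in teevent:
        print("WARNING, event %s has an indicator without a type" % teevent)
        return None  # nothing to map the indicator to
    te_type = teevent["type"]
    if te_type not in self.type_map:
        print("WARNING: TYPE %s SHOULD BE ADDED TO MAPPING" % te_type)
        return None  # unmapped type: do not import an attribute-less event

    # Backslash escaping from the ThreatExchange JSON is stripped so the
    # attribute value matches the observed indicator.
    indicator = teevent["raw_indicator"].replace("\\", "")
    mispevt.add_attribute(self.type_map[te_type], indicator)  # not to brutal??

    mispevt.category = "Network activity"

    # Enrich the event title with the feed description and the submitter.
    # Both are feed-supplied free text and are copied as-is into ``info``.
    if "description" in teevent:
        mispevt.info = mispevt.info + " - %s" % teevent["description"]
    if "owner" in teevent and "name" in teevent["owner"]:
        owner = teevent["owner"]
        owner_name = owner["name"]
        # ThreatExchange escapes '@' as a literal "\u0040" sequence.
        email = owner["email"].replace("\\u0040", "@") if "email" in owner else ""
        mispevt.info = mispevt.info + " - by %s (%s)" % (owner_name, email)

    # Sharing indicators (TLP-like share level) become tags.
    if "share_level" in teevent:
        level = teevent["share_level"]
        if level in self.share_levels:
            mispevt.Tag.append(self.share_levels[level])
        else:
            print("WARNING: SHARING LEVEL %s SHOULD BE ADDED TO MAPPING" % level)

    if self.extra_tag is not None:
        mispevt.Tag.append(self.extra_tag)

    return [teevent["id"], mispevt]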
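def convertTEtoMISPTEST(self, teevents=None):
    """
    Merge several ThreatExchange entries into one MISP event.

    Every entry that passes the status check contributes one attribute; the
    description and owner of each kept entry are appended to the title (so
    the last ones read are the most visible), and the event is tagged with
    the strictest share level seen across the kept entries.

    Args:
        teevents: iterable of ThreatExchange descriptors (dicts, feed-supplied).
            ``None`` (the default) is treated as an empty list; the previous
            mutable ``[]`` default is avoided.

    Returns:
        ``[evtids, MISPEvent]`` where ``evtids`` lists the ThreatExchange ids
        folded into the event. An empty ``evtids`` means nothing was
        importable and the event should not be pushed; callers must check it.

    Raises:
        KeyError: if an entry lacks ``privacy_type`` or ``id``, if its
            ``privacy_type`` is not a key of ``privacy_levels``, or if the
            default share level ``"WHITE"`` is absent from ``share_levels``.
    """
    if teevents is None:
        teevents = []

    mispevt = MISPEvent()
    mispevt.info = "[Facebook ThreatExchange]"
    mispevt.distribution = 0
    mispevt.category = "Network activity"

    # Start from the least restrictive level; it is only ever lowered.
    share_level = "WHITE"
    evtids = []

    for teevent in teevents:
        # Drop entries whose ThreatExchange status scores as not bad enough.
        if (
            "status" in teevent
            and teevent["status"] in self.score
            and self.score[teevent["status"]] < self.badness_threshold
        ):
            print("IGNORE EVENT %s due to status (%s)" % (teevent, teevent["status"]))
            continue

        # NOTE(review): the original set the same value on both branches of
        # its if/else, so the merged event simply takes the privacy level of
        # the last entry processed. It is now set only for kept entries so
        # an ignored entry cannot decide the visibility of the result;
        # differing privacy levels between kept entries are still not
        # reconciled here.
        mispevt.sharing_group_id = self.privacy_levels[teevent["privacy_type"]]

        # Add the indicator as an attribute when its type is mapped.
        if "raw_indicator" in teevent and "type" in teevent:
            te_type = teevent["type"]
            if te_type in self.type_map:
                # Backslash escaping from the ThreatExchange JSON is stripped.
                indicator = teevent["raw_indicator"].replace("\\", "")
                mispevt.add_attribute(self.type_map[te_type], indicator)  # not to brutal??
            else:
                print("WARNING: TYPE %s SHOULD BE ADDED TO MAPPING" % te_type)

        # Enrich description - last will be kept :-S
        if "description" in teevent:
            mispevt.info = mispevt.info + " - %s" % teevent["description"]

        # Ownership - last will be kept :-S
        if "owner" in teevent and "name" in teevent["owner"]:
            owner = teevent["owner"]
            # ThreatExchange escapes '@' as a literal "\u0040" sequence.
            email = owner["email"].replace("\\u0040", "@") if "email" in owner else ""
            mispevt.info = mispevt.info + " - by %s (%s)" % (owner["name"], email)

        # Sharing level - keep the most strict one (lowest "id") seen so far.
        if "share_level" in teevent:
            level = teevent["share_level"]
            if level in self.share_levels:
                current_id = int(self.share_levels[share_level]["id"])
                if current_id > int(self.share_levels[level]["id"]):
                    share_level = level
            else:
                print("WARNING: SHARING LEVEL %s SHOULD BE ADDED TO MAPPING" % level)

        evtids.append(teevent["id"])

    # The extra tag belongs to the merged event, so it is added once rather
    # than once per kept entry (which produced duplicate tags before).
    if self.extra_tag is not None and evtids:
        mispevt.Tag.append(self.extra_tag)

    mispevt.Tag.append(self.share_levels[share_level])

    return [evtids, mispevt]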