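def _category_tags(categories, attr_tags):
    """Return the configured attribute tags for an observation's categories.

    Reproduces the original chain of ``if`` statements: the category table
    below is walked in a fixed order and every match *overwrites* the
    previous one, so an observation carrying several known categories only
    receives the tags of the last matching entry (e.g. both 'c2-server' and
    'malware' -> malware tags only). A category whose configured tag list
    is empty/None is skipped.

    Args:
        categories: iterable of TIE category names for one observation.
        attr_tags: config object exposing c2tags, malwaretags, espionagetags,
            bottags, whitelisttags, cybercrimetags and phishingtags.

    Returns:
        The selected tag list, or None when no category matched.
    """
    # (TIE category, attribute name on attr_tags) -- order is significant.
    category_table = (
        ('c2-server', 'c2tags'),
        ('malware', 'malwaretags'),
        ('espionage', 'espionagetags'),
        ('bot', 'bottags'),
        ('whitelist', 'whitelisttags'),
        ('cybercrime', 'cybercrimetags'),
        ('phishing', 'phishingtags'),
    )
    selected = None
    for category, attr_name in category_table:
        # Category is tested first so attr_tags is only consulted for
        # categories the observation actually has (same short-circuit as before).
        if category in categories and getattr(attr_tags, attr_name):
            selected = getattr(attr_tags, attr_name)
    return selected


def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags):
    """Build one MISP event holding an attribute per de-duplicated TIE observation.

    Args:
        deduplicated_observations: dict keyed by observation id; each value is
            a dict read for 'value', 'categories', 'actors', 'families',
            'sources', 'min_confidence', 'max_confidence' and 'max_severity'.
        conf: settings object read for org_name, org_uuid, event_published,
            event_base_thread_level, attr_to_ids and attr_to_ids_threshold.
        tags: event-level MISP tags; attached as event['Tag'] when non-empty.
        attr_tags: per-category attribute tag lists (see _category_tags).

    Returns:
        ``(event, attr_hashes)`` where ``event`` is the populated MISPEvent and
        ``attr_hashes`` is a list of ``[md5_hex(value), event_uuid]`` pairs,
        one per attribute added, in iteration order.
    """
    dt = datetime.now()
    # Epoch seconds as a string. The previous code used strftime("%s"), a
    # glibc-only directive that is not available on Windows and other libcs;
    # int(dt.timestamp()) yields the same value for a naive local datetime.
    epoch = str(int(dt.timestamp()))

    event = MISPEvent()
    event.info = dt.strftime("%Y%m%d ") + 'TIE'
    event.publish_timestamp = epoch
    event.timestamp = epoch
    event['timestamp'] = epoch
    event.analysis = 2
    event.published = conf.event_published

    orgc = MISPOrganisation()
    orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid}))
    event.orgc = orgc
    event.threat_level_id = conf.event_base_thread_level
    event.date = dt
    # uuid4 is random. uuid1 (used before) embeds the host's MAC address and
    # a timestamp/clock sequence in an identifier that is later shared with
    # other MISP instances, which leaks details about the producing host.
    event['uuid'] = str(uuid.uuid4())
    if tags:
        event['Tag'] = tags

    attr_hashes = []
    # Only the observation bodies are needed; the dict keys are not used.
    for attr in deduplicated_observations.values():
        misp_attr = MISPAttribute()
        misp_attr.timestamp = epoch
        misp_attr['timestamp'] = epoch
        misp_attr.type = get_Attribute_Type(attr)
        misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type)

        selected_tags = _category_tags(attr['categories'], attr_tags)
        if selected_tags is not None:
            misp_attr['Tag'] = selected_tags

        misp_attr.category = get_Attribute_Category(attr)
        # Only flag for IDS use when enabled in config AND the weakest
        # confidence seen for this value clears the configured threshold.
        misp_attr.to_ids = bool(
            conf.attr_to_ids
            and attr['min_confidence'] >= conf.attr_to_ids_threshold
        )
        misp_attr['comment'] = (
            'categories: ' + str(attr['categories'])
            + ' actors: ' + str(attr['actors'])
            + ' families: ' + str(attr['families'])
            + ' sources: ' + str(attr['sources'])
            + ' severity: ' + str(attr['max_severity'])
            + ' confidence: ' + str(attr['max_confidence'])
        )
        misp_attr.edited = False
        event.add_attribute(**misp_attr.to_dict())
        # MD5 is used here purely as a stable identifier of the attribute
        # value for later de-duplication/lookup, not as a security control.
        attr_hashes.append([
            hashlib.md5(attr['value'].encode("utf-8")).hexdigest(),
            event['uuid'],
        ])

    event.edited = False
    return event, attr_hashes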
def test_generate_MISP_event(self) -> None:
    """Build an event from two hand-written TIE observations and check its header.

    The fixture holds one IPv4 observation and one SHA-1 hash observation
    with a family; both carry empty 'categories', so none of the
    per-category attribute tags are exercised by this test.
    """
    # Reads the real settings file relative to the working directory, so the
    # test depends on being run from the project root.
    conf = Config.parse("settings/config.yml")
    test_obs = {
        "3ad54db13a7b6129902b0ee0acf3e2d1": {
            "data_type": "IPv4",
            "first_seen": "2019-08-21 08:38:29+02:00",
            "last_seen": "2019-08-21 13:38:28+02:00",
            "created_at": "2019-08-21 08:51:20.242089+02:00",
            "updated_at": "2019-08-21 13:51:10.270419+02:00",
            "max_confidence": 40,
            "min_confidence": 40,
            "max_severity": 1,
            "min_severity": 1,
            "n_occurrences": 1,
            "sources": [{
                "pseudonym": "testpseudo1",
                "name": "testname1"
            }],
            "value": "123.45.67.89/32",
            "categories": [],
            "actors": [],
            "families": []
        },
        "a3475b4484bed2a863720110e8099208": {
            "data_type": "ExactHash",
            "first_seen": "2019-08-21 13:38:17+02:00",
            "last_seen": "2019-08-21 13:38:26+02:00",
            "created_at": "2019-08-21 13:40:02.575150+02:00",
            "updated_at": "2019-08-21 13:40:02.575150+02:00",
            "max_confidence": 90,
            "min_confidence": 90,
            "max_severity": 1,
            "min_severity": 1,
            "n_occurrences": 1,
            "sources": [{
                "pseudonym": "testpseudo2",
                "name": "testname2"
            }],
            "value": "sha1:930A0029225AA4C28B8EF095B679285EAAE27078",
            "categories": [],
            "actors": [],
            "families": ["testfamily"]
        }
    }
    # NOTE(review): generate_MISP_Event in this file takes four parameters
    # (observations, conf, tags, attr_tags) but only three are passed here --
    # confirm which signature this test is meant to target.
    event, attr_hashes = MISPHelper.generate_MISP_Event(test_obs, conf, [])
    # NOTE(review): taken AFTER the call; the epoch-second ("%s") comparisons
    # below are flaky whenever a second boundary is crossed in between.
    dt = datetime.now()
    assert isinstance(event, MISPEvent)
    assert event.info == dt.strftime("%Y%m%d ") + 'TIE'
    assert event.publish_timestamp == dt.strftime("%s")
    assert event.timestamp == dt.strftime("%s")
    assert event['timestamp'] == dt.strftime("%s")
    assert event.analysis == 2
    # NOTE(review): only holds when event_published is truthy in the settings
    # file; generate_MISP_Event copies conf.event_published verbatim.
    assert event.published
    orgc = MISPOrganisation()
    orgc.from_json(
        json.dumps({
            'name': conf.org_name,
            'uuid': conf.org_uuid
        }))
    assert event.orgc == orgc
    assert event.threat_level_id == conf.event_base_thread_level
    # One attribute per observation in the fixture.
    assert len(event['Attribute']) == 2