def get_vast_type_and_value(pattern_str: str) -> Union[Tuple[str, str], None]:
if not is_point_equality_ioc(pattern_str):
return None
object_path, ioc_value = split_object_path_and_value(pattern_str)
ioc_value = vast_escape_str(ioc_value)
vast_type = vast_ioc_type_map.get(object_path, None)
if not vast_type:
return None
return vast_type, ioc_value
def map_to_cif(indicator: Indicator, confidence: int, tags: List[str],
tlp: str, group: str, logger) -> Union[CIFIndicator, None]:
"""
Maps a STIX-2 Indicator to a CIFv3 compatible indicator format.
@param indicator The STIX-2 Indicator to map
@param confidence The confidence to use when building the CIF indicator
@param tags The tags to use when building the CIF indicator
@param tlp The tlp to use when building the CIF indicator
@param group The group to use when building the CIF indicator
@return the mapped intel item or None
"""
if not indicator or type(indicator) is not Indicator:
logger.debug(f"Expected STIX-2 indicator, discarding {indicator}")
return None
if (ThreatBusSTIX2Constants.X_THREATBUS_UPDATE.value
in indicator.object_properties()):
logger.debug(
f"CIFv3 only supports adding indicators, not deleting / editing. Discardig {indicator}"
)
return None
if not is_point_equality_ioc(indicator.pattern):
logger.debug(
f"CIFv3 only supports point indicators, discardig {indicator}")
return None
object_path, ioc_value = split_object_path_and_value(indicator.pattern)
if object_path not in cif_supported_types:
logger.debug(
f"Discardig indicator with unsupported object-path {indicator}")
return None
# convert lasttime
lasttime = indicator.created.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
ioc_dict = {
"indicator": ioc_value,
"confidence": confidence,
"tags": tags,
"tlp": tlp,
"group": group,
"lasttime": lasttime,
}
try:
return CIFIndicator(**ioc_dict)
except InvalidIndicator as e:
logger.error(f"Invalid CIF indicator {e}")
except Exception as e:
logger.error(f"CIF indicator error: {e}")
def map_indicator_to_broker_event(indicator: Indicator, module_namespace: str,
logger) -> Union[broker.zeek.Event, None]:
"""
Maps STIX-2 Indicators to Broker events using the Zeek Intel format
@see https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Type
@param indicator The STIX-2 Indicator to convert
@param module_namespace A Zeek namespace to use for sending the event
@return The mapped broker event or None
"""
if type(indicator) is not Indicator:
logger.debug(
f"Discarding message, expected STIX-2 Indicator: {indicator}")
return None
if not is_point_equality_ioc(indicator.pattern):
logger.debug(
f"Zeek only supports point-IoCs. Cannot map compound pattern to a Zeek Intel item: {indicator.pattern}"
)
return None
object_path, ioc_value = split_object_path_and_value(indicator.pattern)
# get matching Zeek intel type
zeek_type = zeek_intel_type_map.get(object_path, None)
if not zeek_type:
logger.debug(
f"No matching Zeek type found for STIX-2 indicator type '{object_path}'"
)
return None
if zeek_type == "URL":
# remove leading protocol, if any
parsed = urlparse(ioc_value)
scheme = f"{parsed.scheme}://"
ioc_value = parsed.geturl().replace(scheme, "", 1)
elif zeek_type == "ADDR" and re.match(".+/.+", ioc_value):
# elevate to subnet if possible
zeek_type = "SUBNET"
operation = "ADD" ## Zeek operation to add a new Intel item
if (ThreatBusSTIX2Constants.X_THREATBUS_UPDATE.value
in indicator.object_properties()
and indicator.x_threatbus_update == Operation.REMOVE.value):
operation = "REMOVE"
return broker.zeek.Event(
f"{module_namespace}::intel",
(indicator.created, str(
indicator.id), zeek_type, ioc_value, operation),
)