mirror of https://github.com/MISP/MISP
Consistent timestamps for STIX objects
parent
2a56a00e88
commit
7f201fdf81
|
@ -134,7 +134,8 @@ def generateMainPackage(events):
|
|||
# generate a package for each event
|
||||
def generateEventPackage(event):
|
||||
package_name = namespace[1] + ':STIXPackage-' + event["Event"]["uuid"]
|
||||
stix_package = STIXPackage(id_=package_name)
|
||||
timestamp = getDateFromTimestamp(int(event["Event"]["timestamp"]))
|
||||
stix_package = STIXPackage(id_=package_name, timestamp=timestamp)
|
||||
stix_header = STIXHeader()
|
||||
stix_header.title="MISP event #" + event["Event"]["id"] + " uuid: " + event["Event"]["uuid"]
|
||||
stix_header.package_intents="Threat Report"
|
||||
|
@ -236,14 +237,14 @@ def handleNonIndicatorAttribute(incident, ttps, attribute):
|
|||
|
||||
# TTPs are only used to describe malware names currently (attribute with category Payload Type and type text/comment/other)
|
||||
def generateTTP(incident, attribute):
|
||||
ttp = TTP()
|
||||
ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
|
||||
setTLP(ttp, attribute["distribution"])
|
||||
ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
|
||||
if attribute["type"] == "vulnerability":
|
||||
vulnerability = Vulnerability()
|
||||
vulnerability.cve_id = attribute["value"]
|
||||
et = ExploitTarget()
|
||||
et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
et.add_vulnerability(vulnerability)
|
||||
ttp.exploit_targets.append(et)
|
||||
else:
|
||||
|
@ -258,7 +259,7 @@ def generateTTP(incident, attribute):
|
|||
|
||||
# Threat actors are currently only used for the category:attribution / type:(text|comment|other) attributes
|
||||
def generateThreatActor(attribute):
|
||||
ta = ThreatActor()
|
||||
ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
|
||||
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
|
||||
if attribute["comment"] != "":
|
||||
|
@ -269,7 +270,7 @@ def generateThreatActor(attribute):
|
|||
|
||||
# generate the indicator and add the relevant information
|
||||
def generateIndicator(attribute):
|
||||
indicator = Indicator()
|
||||
indicator = Indicator(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
|
||||
if attribute["comment"] != "":
|
||||
indicator.description = attribute["comment"]
|
||||
|
@ -279,7 +280,7 @@ def generateIndicator(attribute):
|
|||
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
|
||||
if confidence_value is None:
|
||||
return indicator
|
||||
indicator.confidence = Confidence(value=confidence_value, description=confidence_description)
|
||||
indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
|
||||
return indicator
|
||||
|
||||
# converts timestamp to the format used by STIX
|
||||
|
|
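Review bot: The expression `getDateFromTimestamp(int(attribute["timestamp"]))` is now evaluated twice in generateTTP (TTP and ExploitTarget) and twice in generateIndicator (Indicator and Confidence), and every occurrence performs an unguarded key lookup and `int()` on a value taken from the event data. Binding it once per function, e.g. `ts = getDateFromTimestamp(int(attribute["timestamp"]))`, and passing `timestamp=ts` would give a single place to handle a missing or non-numeric timestamp; as written, that case raises KeyError or ValueError and presumably aborts the export, though the callers are outside the visible hunks. It is also worth confirming that getDateFromTimestamp, whose body is not shown here, returns a timezone-aware UTC value, since a local-time conversion would give the same event different STIX timestamps on hosts in different zones. The bodies of generateEventPackage, generateTTP, generateThreatActor and generateIndicator all continue outside the hunks.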