MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Merge branch '2.4' of github.com:MISP/MISP into 2.4

pull/3725/head
iglocska 2018-09-17 19:14:45 +02:00
parent 417f2452ae 4aa861b227
commit 84f1006ed6
2 changed files with 161 additions and 166 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

182
app/files/scripts/stix2/misp2stix2.py
View File

@ -24,9 +24,6 @@ from misp2stix2_mapping import *
from collections import defaultdict
from copy import deepcopy
non_indicator_attributes = ['text', 'comment', 'other', 'link', 'target-user', 'target-email',
'target-machine', 'target-org', 'target-location', 'target-external',
'vulnerability']
misp_hash_types = ["authentihash", "ssdeep", "imphash", "md5", "sha1", "sha224",
"sha256", "sha384", "sha512", "sha512/224","sha512/256","tlsh"]
attack_pattern_galaxies_list = ['mitre-attack-pattern', 'mitre-enterprise-attack-attack-pattern',
@ -97,56 +94,32 @@ class StixBuilder():
def misp_types(self):
describe_types_filename = os.path.join(pymisp.__path__[0], 'data/describeTypes.json')
describe_types = open(describe_types_filename, 'r')
self.categories_mapping = json.loads(describe_types.read())['result']['category_type_mappings']
categories_mapping = json.loads(describe_types.read())['result']['category_type_mappings']
for category in categories_mapping:
mispTypesMapping[category] = {'to_call': 'handle_person'}
def read_attributes(self):
self.misp_types()
if hasattr(self.misp_event, 'attributes') and self.misp_event.attributes:
for attribute in self.misp_event.attributes:
attribute_type = attribute.type
if attribute_type in non_indicator_attributes:
self.handle_non_indicator(attribute, attribute_type)
else:
if attribute_type in self.categories_mapping['Person']:
self.handle_person(attribute)
elif attribute_type in mispTypesMapping:
self.handle_usual_type(attribute)
else:
self.add_custom(attribute)
try:
getattr(self, mispTypesMapping[attribute.type]['to_call'])(attribute)
except KeyError:
self.add_custom(attribute)
if hasattr(self.misp_event, 'objects') and self.misp_event.objects:
self.load_objects_mapping()
objects_to_parse = defaultdict(dict)
self.objects_to_parse = defaultdict(dict)
misp_objects = self.misp_event.objects
self.object_references, self.processes = self.fetch_object_references(misp_objects)
for misp_object in misp_objects:
to_ids = self.fetch_ids_flag(misp_object.attributes)
name = misp_object.name
if name == "vulnerability":
self.add_object_vulnerability(misp_object, to_ids)
elif name == "course-of-action":
self.add_course_of_action(misp_object, from_object=True)
elif name in ('pe', 'pe-section'):
objects_to_parse[name][misp_object.uuid] = to_ids, misp_object
elif name in objectsMapping:
if name == 'file' and misp_object.references:
to_parse = False
for reference in misp_object.references:
if reference.relationship_type == 'included-in' and reference.Object['name'] == "pe":
objects_to_parse[name][misp_object.uuid] = to_ids, misp_object
to_parse = True
break
if to_parse:
continue
try:
if to_ids or name == "stix2-pattern":
self.add_object_indicator(misp_object)
else:
self.add_object_observable(misp_object)
except:
self.add_object_custom(misp_object, to_ids)
else:
try:
getattr(self, objectsMapping[name]['to_call'])(misp_object, to_ids)
except KeyError:
self.add_object_custom(misp_object, to_ids)
if objects_to_parse: self.resolve_objects2parse(objects_to_parse)
if self.objects_to_parse:
self.resolve_objects2parse()
if hasattr(self.misp_event, 'Galaxy') and self.misp_event.Galaxy:
for galaxy in self.misp_event.Galaxy:
self.parse_galaxy(galaxy, self.report_id)
@ -187,7 +160,7 @@ class StixBuilder():
'x509': {'observable': self.resolve_x509_observable,
'pattern': self.resolve_x509_pattern}
}
self.galaxies_mapping = {'branded-vulnerability': ['vulnerability', self.add_vulnerability]}
self.galaxies_mapping = {'branded-vulnerability': ['vulnerability', self.add_vulnerability_from_galaxy]}
self.galaxies_mapping.update(dict.fromkeys(attack_pattern_galaxies_list, ['attack-pattern', self.add_attack_pattern]))
self.galaxies_mapping.update(dict.fromkeys(course_of_action_galaxies_list, ['course-of-action', self.add_course_of_action]))
self.galaxies_mapping.update(dict.fromkeys(intrusion_set_galaxies_list, ['intrusion-set', self.add_intrusion_set]))
@ -227,23 +200,6 @@ class StixBuilder():
process['type'] = 'process'
processes[pid] = process
def handle_non_indicator(self, attribute, attribute_type):
if attribute_type == "link":
self.handle_link(attribute)
elif attribute_type in ('text', 'comment', 'other') or attribute_type not in mispTypesMapping:
self.add_custom(attribute)
else:
try:
self.handle_non_indicator_attribute(attribute, attribute_type)
except:
self.add_custom(attribute)
def handle_non_indicator_attribute(self, attribute, attribute_type):
if attribute_type == "vulnerability":
self.add_vulnerability(attribute, from_galaxy=False)
else:
self.add_observed_data(attribute)
def handle_person(self, attribute):
if attribute.category == "Person":
self.add_identity(attribute)
@ -259,6 +215,21 @@ class StixBuilder():
except:
self.add_custom(attribute)
def handle_usual_object_name(self, misp_object, to_ids):
name = misp_object.name
if name == 'file' and misp_object.references:
for reference in misp_object.references:
if reference.relationship_type == 'included-in' and reference.Object['name'] == "pe":
self.objects_to_parse[name][misp_object.uuid] = to_ids, misp_object
return
try:
if to_ids or name == "stix2-pattern":
self.add_object_indicator(misp_object)
else:
self.add_object_observable(misp_object)
except:
self.add_object_custom(misp_object, to_ids)
def handle_link(self, attribute):
url = attribute.value
source = "url"
@ -270,8 +241,11 @@ class StixBuilder():
link = {'source_name': source, 'url': url}
self.external_refs.append(link)
def resolve_objects2parse(self, objects2parse):
for uuid, misp_object in objects2parse['file'].items():
def populate_objects_to_parse(self, misp_object, to_ids):
self.objects_to_parse[misp_object.name][misp_object.uuid] = to_ids, misp_object
def resolve_objects2parse(self):
for uuid, misp_object in self.objects2parse['file'].items():
to_ids_file, file_object = misp_object
file_id = "file--{}".format(file_object.uuid)
to_ids_list = [to_ids_file]
@ -280,12 +254,12 @@ class StixBuilder():
if reference.relationship_type == "included-in" and reference.Object['name'] == "pe":
pe_uuid = reference.referenced_uuid
break
to_ids_pe, pe_object = objects2parse['pe'][pe_uuid]
to_ids_pe, pe_object = self.objects2parse['pe'][pe_uuid]
to_ids_list.append(to_ids_pe)
sections = []
for reference in pe_object.references:
if reference.Object['name'] == "pe-section":
to_ids_section, section_object = objects2parse['pe-section'][reference.referenced_uuid]
to_ids_section, section_object = self.objects2parse['pe-section'][reference.referenced_uuid]
to_ids_list.append(to_ids_section)
sections.append(section_object)
if True in to_ids_list:
@ -389,21 +363,25 @@ class StixBuilder():
attack_pattern = AttackPattern(**a_p_args)
self.append_object(attack_pattern, a_p_id)
def add_course_of_action(self, misp_object, from_object=False):
if from_object:
coa_id = 'course-of-action--{}'.format(misp_object.uuid)
coa_args = {'id': coa_id, 'type': 'course-of-action'}
for attribute in misp_object.attributes:
self.parse_galaxies(attribute.Galaxy, coa_id)
relation = attribute.object_relation
if relation == 'name':
coa_args['name'] = attribute.value
elif relation == 'description':
coa_args['description'] = attribute.value
if not 'name' in coa_args:
return
else:
coa_args, coa_id = self.generate_galaxy_args(misp_object, False, False, 'course-of-action')
def add_course_of_action(self, misp_object):
coa_args, coa_id = self.generate_galaxy_args(misp_object, False, False, 'course-of-action')
self.add_coa_stix_object(coa_args, coa_id)
def add_course_of_action_from_object(self, misp_object, _):
coa_id = 'course-of-action--{}'.format(misp_object.uuid)
coa_args = {'id': coa_id, 'type': 'course-of-action'}
for attribute in misp_object.attributes:
self.parse_galaxies(attribute.Galaxy, coa_id)
relation = attribute.object_relation
if relation == 'name':
coa_args['name'] = attribute.value
elif relation == 'description':
coa_args['description'] = attribute.value
if not 'name' in coa_args:
return
self.add_coa_stix_object(coa_args, coa_id)
def add_coa_stix_object(self, coa_args):
coa_args['created_by_ref'] = self.identity_id
course_of_action = CourseOfAction(**coa_args)
self.append_object(course_of_action, coa_id)
@ -501,31 +479,33 @@ class StixBuilder():
tool = Tool(**tool_args)
self.append_object(tool, tool_id)
def add_vulnerability(self, attribute, from_galaxy=True):
if from_galaxy:
vulnerability_id = "vulnerability--{}".format(attribute['uuid'])
cluster = attribute['GalaxyCluster'][0]
name = cluster['value']
if cluster['meta'] and cluster['meta']['aliases']:
vulnerability_data = [mispTypesMapping['vulnerability'](alias) for alias in cluster['meta']['aliases']]
else:
vulnerability_data = [mispTypesMapping['vulnerability'](name)]
labels = ['misp:type=\"{}\"'.format(attribute.get('type'))]
if cluster['tag_name']:
labels.append(cluster['tag_name'])
description = "{} | {}".format(attribute.get('description'), cluster.get('description'))
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
'name': name, 'external_references': vulnerability_data,
'created_by_ref': self.identity_id, 'labels': labels,
'description': description}
def add_vulnerability(self, attribute):
vulnerability_id = "vulnerability--{}".format(attribute.uuid)
name = attribute.value
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](name)]
labels = self.create_labels(attribute)
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
'name': name, 'external_references': vulnerability_data,
'created_by_ref': self.identity_id, 'labels': labels}
vulnerability = Vulnerability(**vulnerability_args)
self.append_object(vulnerability, vulnerability_id)
def add_vulnerability_from_galaxy(self, attribute):
vulnerability_id = "vulnerability--{}".format(attribute['uuid'])
cluster = attribute['GalaxyCluster'][0]
name = cluster['value']
if cluster['meta'] and cluster['meta']['aliases']:
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](alias) for alias in cluster['meta']['aliases']]
else:
vulnerability_id = "vulnerability--{}".format(attribute.uuid)
name = attribute.value
vulnerability_data = [mispTypesMapping['vulnerability'](name)]
labels = self.create_labels(attribute)
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
'name': name, 'external_references': vulnerability_data,
'created_by_ref': self.identity_id, 'labels': labels}
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](name)]
labels = ['misp:type=\"{}\"'.format(attribute.get('type'))]
if cluster['tag_name']:
labels.append(cluster['tag_name'])
description = "{} | {}".format(attribute.get('description'), cluster.get('description'))
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
'name': name, 'external_references': vulnerability_data,
'created_by_ref': self.identity_id, 'labels': labels,
'description': description}
vulnerability = Vulnerability(**vulnerability_args)
self.append_object(vulnerability, vulnerability_id)

145
app/files/scripts/stix2/misp2stix2_mapping.py
View File

@ -206,61 +206,62 @@ def return_vulnerability(name):
return {'source_name': 'cve', 'external_id': name}
mispTypesMapping = {
'vulnerability': return_vulnerability,
'md5': {'observable': observable_hash, 'pattern': pattern_hash},
'sha1': {'observable': observable_hash, 'pattern': pattern_hash},
'sha256': {'observable': observable_hash, 'pattern': pattern_hash},
'filename': {'observable': observable_file, 'pattern': pattern_file},
'filename|md5': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha1': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha256': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'ip-src': {'observable': observable_ip, 'pattern': pattern_ip},
'ip-dst': {'observable': observable_ip, 'pattern': pattern_ip},
'hostname': {'observable': observable_domain, 'pattern': pattern_domain},
'domain': {'observable': observable_domain, 'pattern': pattern_domain},
'domain|ip': {'observable': observable_domain_ip, 'pattern': pattern_domain_ip},
'email-src': {'observable': observable_email_address, 'pattern': pattern_email_address},
'email-dst': {'observable': observable_email_address, 'pattern': pattern_email_address},
'email-subject': {'observable': observable_email_message, 'pattern': pattern_email_message},
'email-body': {'observable': observable_email_message, 'pattern': pattern_email_message},
'email-attachment': {'observable': observable_email_attachment, 'pattern': pattern_email_attachment},
'url': {'observable': observable_url, 'pattern': pattern_url},
'regkey': {'observable': observable_regkey, 'pattern': pattern_regkey},
'regkey|value': {'observable': observable_regkey_value, 'pattern': pattern_regkey_value},
'malware-sample': {'observable': observable_malware_sample, 'pattern': pattern_malware_sample},
'mutex': {'observable': observable_mutex, 'pattern': pattern_mutex},
'uri': {'observable': observable_url, 'pattern': pattern_url},
'authentihash': {'observable': observable_hash, 'pattern': pattern_hash},
'ssdeep': {'observable': observable_hash, 'pattern': pattern_hash},
'imphash': {'observable': observable_hash, 'pattern': pattern_hash},
'pehash': {'observable': observable_hash, 'pattern': pattern_hash},
'impfuzzy': {'observable': observable_hash, 'pattern': pattern_hash},
'sha224': {'observable': observable_hash, 'pattern': pattern_hash},
'sha384': {'observable': observable_hash, 'pattern': pattern_hash},
'sha512': {'observable': observable_hash, 'pattern': pattern_hash},
'sha512/224': {'observable': observable_hash, 'pattern': pattern_hash},
'sha512/256': {'observable': observable_hash, 'pattern': pattern_hash},
'tlsh': {'observable': observable_hash, 'pattern': pattern_hash},
'filename|authentihash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|ssdeep': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|imphash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|impfuzzy': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|pehash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha224': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha384': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha512': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha512/224': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha512/256': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|tlsh': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
'x509-fingerprint-sha1': {'observable': observable_x509, 'pattern': pattern_x509},
'port': {'observable': observable_port, 'pattern': pattern_port},
'ip-dst|port': {'observable': observable_ip_port, 'pattern': pattern_ip_port},
'ip-src|port': {'observable': observable_ip_port, 'pattern': pattern_ip_port},
'hostname|port': {'observable': observable_hostname_port, 'pattern': pattern_hostname_port},
'email-reply-to': {'observable': observable_reply_to, 'pattern': pattern_reply_to},
'attachment': {'observable': observable_attachment, 'pattern': pattern_attachment},
'mac-address': {'observable': observable_mac_address, 'pattern': pattern_mac_address},
'AS': {'observable': observable_as, 'pattern': pattern_as}
'link': {'to_call': 'handle_link'},
'vulnerability': {'to_call': 'add_vulnerability', 'vulnerability_args': return_vulnerability},
'md5': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'sha1': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'sha256': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'filename': {'to_call': 'handle_usual_type', 'observable': observable_file, 'pattern': pattern_file},
'filename|md5': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha1': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha256': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'ip-src': {'to_call': 'handle_usual_type', 'observable': observable_ip, 'pattern': pattern_ip},
'ip-dst': {'to_call': 'handle_usual_type', 'observable': observable_ip, 'pattern': pattern_ip},
'hostname': {'to_call': 'handle_usual_type', 'observable': observable_domain, 'pattern': pattern_domain},
'domain': {'to_call': 'handle_usual_type', 'observable': observable_domain, 'pattern': pattern_domain},
'domain|ip': {'to_call': 'handle_usual_type', 'observable': observable_domain_ip, 'pattern': pattern_domain_ip},
'email-src': {'to_call': 'handle_usual_type', 'observable': observable_email_address, 'pattern': pattern_email_address},
'email-dst': {'to_call': 'handle_usual_type', 'observable': observable_email_address, 'pattern': pattern_email_address},
'email-subject': {'to_call': 'handle_usual_type', 'observable': observable_email_message, 'pattern': pattern_email_message},
'email-body': {'to_call': 'handle_usual_type', 'observable': observable_email_message, 'pattern': pattern_email_message},
'email-attachment': {'to_call': 'handle_usual_type', 'observable': observable_email_attachment, 'pattern': pattern_email_attachment},
'url': {'to_call': 'handle_usual_type', 'observable': observable_url, 'pattern': pattern_url},
'regkey': {'to_call': 'handle_usual_type', 'observable': observable_regkey, 'pattern': pattern_regkey},
'regkey|value': {'to_call': 'handle_usual_type', 'observable': observable_regkey_value, 'pattern': pattern_regkey_value},
'malware-sample': {'to_call': 'handle_usual_type', 'observable': observable_malware_sample, 'pattern': pattern_malware_sample},
'mutex': {'to_call': 'handle_usual_type', 'observable': observable_mutex, 'pattern': pattern_mutex},
'uri': {'to_call': 'handle_usual_type', 'observable': observable_url, 'pattern': pattern_url},
'authentihash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'ssdeep': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'imphash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'pehash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'impfuzzy': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'sha224': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'sha384': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'sha512': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'sha512/224': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'sha512/256': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'tlsh': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
'filename|authentihash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|ssdeep': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|imphash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|impfuzzy': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|pehash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha224': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha384': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha512': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha512/224': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|sha512/256': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'filename|tlsh': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
'x509-fingerprint-sha1': {'to_call': 'handle_usual_type', 'observable': observable_x509, 'pattern': pattern_x509},
'port': {'to_call': 'handle_usual_type', 'observable': observable_port, 'pattern': pattern_port},
'ip-dst|port': {'to_call': 'handle_usual_type', 'observable': observable_ip_port, 'pattern': pattern_ip_port},
'ip-src|port': {'to_call': 'handle_usual_type', 'observable': observable_ip_port, 'pattern': pattern_ip_port},
'hostname|port': {'to_call': 'handle_usual_type', 'observable': observable_hostname_port, 'pattern': pattern_hostname_port},
'email-reply-to': {'to_call': 'handle_usual_type', 'observable': observable_reply_to, 'pattern': pattern_reply_to},
'attachment': {'to_call': 'handle_usual_type', 'observable': observable_attachment, 'pattern': pattern_attachment},
'mac-address': {'to_call': 'handle_usual_type', 'observable': observable_mac_address, 'pattern': pattern_mac_address},
'AS': {'to_call': 'handle_usual_type', 'observable': observable_as, 'pattern': pattern_as}
#'email-dst-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
# 'pattern': 'email-addr:display_name = \'{0}\''},
#'email-src-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
@ -271,21 +272,35 @@ network_traffic_pattern = "network-traffic:{0} = '{1}' AND "
network_traffic_src_ref = "src_ref.type = '{0}' AND network-traffic:src_ref.value"
network_traffic_dst_ref = "dst_ref.type = '{0}' AND network-traffic:dst_ref.value"
objectsMapping = {'asn': {'observable': {'type': 'autonomous-system'},
objectsMapping = {'asn': {'to_call': 'handle_usual_object_name',
'observable': {'type': 'autonomous-system'},
'pattern': "autonomous-system:{0} = '{1}' AND "},
'domain-ip': {'pattern': "domain-name:{0} = '{1}' AND "},
'email': {'observable': {'0': {'type': 'email-message'}},
'course-of-action': {'to_call': 'add_course_of_action_from_object'},
'domain-ip': {'to_call': 'handle_usual_object_name',
'pattern': "domain-name:{0} = '{1}' AND "},
'email': {'to_call': 'handle_usual_object_name',
'observable': {'0': {'type': 'email-message'}},
'pattern': "email-{0}:{1} = '{2}' AND "},
'file': {'observable': {'0': {'type': 'file', 'hashes': {}}},
'file': {'to_call': 'handle_usual_object_name',
'observable': {'0': {'type': 'file', 'hashes': {}}},
'pattern': "file:{0} = '{1}' AND "},
'ip-port': {'pattern': network_traffic_pattern},
'network-socket': {'pattern': network_traffic_pattern},
'process': {'pattern': "process:{0} = '{1}' AND "},
'registry-key': {'observable': {'0': {'type': 'windows-registry-key'}},
'ip-port': {'to_call': 'handle_usual_object_name',
'pattern': network_traffic_pattern},
'network-socket': {'to_call': 'handle_usual_object_name',
'pattern': network_traffic_pattern},
'pe': {'to_call': 'populate_objects_to_parse'},
'pe-section': {'to_call': 'populate_objects_to_parse'},
'process': {'to_call': 'handle_usual_object_name',
'pattern': "process:{0} = '{1}' AND "},
'registry-key': {'to_call': 'handle_usual_object_name',
'observable': {'0': {'type': 'windows-registry-key'}},
'pattern': "windows-registry-key:{0} = '{1}' AND "},
'url': {'observable': {'0': {'type': 'url'}},
'url': {'to_call': 'handle_usual_object_name',
'observable': {'0': {'type': 'url'}},
'pattern': "url:{0} = '{1}' AND "},
'x509': {'pattern': "x509-certificate:{0} = '{1}' AND "}
'vulnerability': {'to_call': 'add_object_vulnerability'},
'x509': {'to_call': 'handle_usual_object_name',
'pattern': "x509-certificate:{0} = '{1}' AND "}
}
asnObjectMapping = {'asn': 'number', 'description': 'name', 'subnet-announced': 'value'}