MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

add: [stix2 export] Parsing expiration date from sightings as 'valid_until' in indicators

pull/3609/head
chrisr3d 2018-09-04 09:55:47 +02:00
parent 141c7d451f
commit 9c320179e9
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/files/scripts/stix2/misp2stix2.py
View File

@ -455,6 +455,11 @@ class StixBuilder():
pattern = mispTypesMapping[attribute_type]['pattern'](attribute_type, attribute_value, b64encode(attribute.data.getbuffer()).decode()[1:-1]) if ('data' in attribute and attribute.data) else self.define_pattern(attribute_type, attribute_value)
indicator_args = {'id': indicator_id, 'type': 'indicator', 'labels': labels, 'kill_chain_phases': killchain,
'valid_from': self.misp_event.date, 'created_by_ref': self.identity_id, 'pattern': pattern}
if hasattr(attribute, 'Sighting'):
for sighting in attribute.Sighting:
if sighting['Organisation']['name'] == self.misp_event.Orgc.name and sighting['type'] == "2":
indicator_args['valid_until'] = datetime.datetime.fromtimestamp(int(sighting['date_sighting'])).isoformat()
break
if hasattr(attribute, 'comment') and attribute.comment:
indicator_args['description'] = attribute.comment
indicator = Indicator(**indicator_args)