From b290713634241bfcc65d3ca8bf07c262ddc309aa Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 4 Sep 2018 11:18:41 +0200
Subject: [PATCH] add: [stix2 import] Parsing 'valid_until' in indicators as expiration date in Sightings
---
 app/files/scripts/stix2/stix2misp.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/files/scripts/stix2/stix2misp.py b/app/files/scripts/stix2/stix2misp.py
index 5631b2f59..922d0decc 100644
--- a/app/files/scripts/stix2/stix2misp.py
+++ b/app/files/scripts/stix2/stix2misp.py
@@ -250,6 +250,10 @@ class StixParser():
 else:
 if stix_type == 'indicator':
 o_date = o.get('valid_from')
+ if hasattr(o, 'valid_until'):
+ org_uuid = o['created_by_ref'].split('--')[1]
+ attribute['Sighting'] = {'type': '2', 'date_sighting': str(self.getTimestampfromDate(o['valid_until'])),
+ 'Organisation': {'uuid': org_uuid, 'name': self.event['identity'][org_uuid]['name']}}
 pattern = o.get('pattern').replace('\\\\', '\\')
 value = self.parse_pattern_with_data(pattern) if attribute_type in ('malware-sample', 'attachment') else self.parse_pattern(pattern)
 attribute['to_ids'] = True
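Review bot: The new `valid_until` branch indexes `o['created_by_ref']` and `self.event['identity'][org_uuid]` directly, although `created_by_ref` is optional on a STIX 2 indicator and the identity it references need not be present in the bundle. An imported file that carries `valid_until` without either would raise a KeyError here and, unless a caller outside this hunk catches it, abort the whole import. Because the bundle is externally supplied, I would guard the lookup, e.g. `creator = o.get('created_by_ref')` followed by `if creator and creator.split('--')[1] in self.event['identity']:` (assuming `self.event['identity']` is a dict keyed by UUID, as the subscript suggests), and otherwise skip the Sighting or leave its Organisation unset. A short comment that sighting type `'2'` is the expiration sighting named in the subject line would also help the next reader. The enclosing method starts and ends outside the hunk.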