add: [stix2 import] Importing User Account objects

- From STIX documents generated with MISP
- External STIX documents support of User Account
  object to come very soon

app/files/scripts/stix2/stix2misp.py

@@ -326,6 +326,16 @@ class StixParser():
                 network_traffic = value
         return network_traffic, references
 
+    @staticmethod
+    def fill_user_account_observable_attributes(observable):
+        attributes = []
+        for key, value in observable.items():
+            if key in user_account_mapping:
+                attribute = {'to_ids': False, 'value': value}
+                attribute.update(user_account_mapping[key])
+                attributes.append(attribute)
+        return attributes
+
     def handle_object_relationship(self, misp_object, uuid):
         for reference in self.relationship[uuid]:
             target = reference.target_ref.split('--')[1]
@@ -478,6 +488,7 @@ class StixFromMISPParser(StixParser):
                                 'process': {'observable': self.attributes_from_process_observable, 'pattern': self.pattern_process},
                                 'registry-key': {'observable': self.attributes_from_regkey_observable, 'pattern': self.pattern_regkey},
                                 'url': {'observable': self.attributes_from_url_observable, 'pattern': self.pattern_url},
+                                'user-account': {'observable': self.observable_user_account, 'pattern': self.pattern_user_account},
                                 'WindowsPEBinaryFile': {'observable': self.observable_pe, 'pattern': self.pattern_pe},
                                 'x509': {'observable': self.attributes_from_x509_observable, 'pattern': self.pattern_x509}}
         self.object_from_refs = {'course-of-action': self.parse_MISP_course_of_action, 'vulnerability': self.parse_vulnerability,
@@ -882,6 +893,38 @@ class StixFromMISPParser(StixParser):
     def pattern_url(self, pattern):
         return self.fill_pattern_attributes(pattern, url_mapping)
 
+    def observable_user_account(self, observable):
+        observable = observable['0']
+        attributes = self.fill_user_account_observable_attributes(observable)
+        if 'extensions' in observable and 'unix-account-ext' in observable['extensions']:
+            extension = observable['extensions']['unix-account-ext']
+            if 'groups' in extension:
+                for group in extension['groups']:
+                    attributes.append({'type': 'text', 'object_relation': 'group',
+                                       'to_ids': False, 'disable_correlation': True,
+                                       'value': group})
+            attributes.extend(self.fill_user_account_observable_attributes(extension))
+        return attributes
+
+    def pattern_user_account(self, pattern):
+        attributes = []
+        for p in pattern:
+            p_type, p_value = p.split(' = ')
+            p_value = p_value[1:-1]
+            if "extensions.'unix-account-ext'" in p_type:
+                relation = p_type.split('.')[-1]
+                if 'groups' in relation:
+                    attributes.append({'type': 'text', 'object_relation': 'group',
+                                       'disable_correlation': True, 'value': p_value})
+                    continue
+            else:
+                relation = p_type.split(':')[1]
+            if relation in user_account_mapping:
+                attribute = {'value': p_value}
+                attribute.update(user_account_mapping[relation])
+                attributes.append(attribute)
+        return attributes
+
     def pattern_x509(self, pattern):
         return self.fill_pattern_attributes(pattern, x509_mapping)
 

app/files/scripts/stix2/stix2misp_mapping.py

@@ -277,6 +277,24 @@ url_mapping = {'url': url_attribute_mapping,
                'network-traffic:dst_port': url_port_attribute_mapping
                }
 
+user_account_mapping = {'account_created': {'type': 'datetime', 'object_relation': 'created', 'disable_correlation': True},
+                        'account_expires': {'type': 'datetime', 'object_relation': 'expires', 'disable_correlation': True},
+                        'account_first_login': {'type': 'datetime', 'object_relation': 'first_login', 'disable_correlation': True},
+                        'account_last_login': {'type': 'datetime', 'object_relation': 'last_login', 'disable_correlation': True},
+                        'account_login': {'type': 'text', 'object_relation': 'username'},
+                        'account_type': {'type': 'text', 'object_relation': 'account-type'},
+                        'can_escalate_privs': {'type': 'boolean', 'object_relation': 'can_escalate_privs', 'disable_correlation': True},
+                        'credential': {'type': 'text', 'object_relation': 'password'},
+                        'credential_last_changed': {'type': 'datetime', 'object_relation': 'password_last_changed', 'disable_correlation': True},
+                        'display_name': {'type': 'text', 'object_relation': 'display-name'},
+                        'gid': {'type': 'text', 'object_relation': 'group-id', 'disable_correlation': True},
+                        'home_dir': {'type': 'text', 'object_relation': 'home_dir', 'disable_correlation': True},
+                        'is_disabled': {'type': 'boolean', 'object_relation': 'disabled', 'disable_correlation': True},
+                        'is_privileged': {'type': 'boolean', 'object_relation': 'privileged', 'disable_correlation': True},
+                        'is_service_account': {'type': 'boolean', 'object_relation': 'is_service_account', 'disable_correlation': True},
+                        'shell': {'type': 'text', 'object_relation': 'shell', 'disable_correlation': True},
+                        'user_id': {'type': 'text', 'object_relation': 'user-id'}}
+
 x509_mapping = {'issuer': issuer_attribute_mapping,
                 'x509-certificate:issuer': issuer_attribute_mapping,
                 'serial_number': serial_number_attribute_mapping,