add: [stix2 import] Importing User Account objects
- From STIX documents generated with MISP
- External STIX documents: support of the User Account object to come very soon
pull/4861/head
parent
5d1c6ce467
commit
fb05bc7ab0
@ -326,6 +326,16 @@ class StixParser():
|
|||
network_traffic = value
|
||||
return network_traffic, references
|
||||
|
||||
@staticmethod
|
||||
def fill_user_account_observable_attributes(observable):
|
||||
attributes = []
|
||||
for key, value in observable.items():
|
||||
if key in user_account_mapping:
|
||||
attribute = {'to_ids': False, 'value': value}
|
||||
attribute.update(user_account_mapping[key])
|
||||
attributes.append(attribute)
|
||||
return attributes
|
||||
|
||||
def handle_object_relationship(self, misp_object, uuid):
|
||||
for reference in self.relationship[uuid]:
|
||||
target = reference.target_ref.split('--')[1]
|
||||
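Review bot: fill_user_account_observable_attributes has no docstring, and its name suggests it fills something in place when it actually returns a fresh list; I would add `"""Return MISP attribute dicts for the top-level keys of *observable* that appear in user_account_mapping; values are copied verbatim and to_ids is forced to False."""`. Because only top-level keys are read, nested extension data has to be passed in separately, which the observable_user_account hunk further down does by calling it a second time on the extension dict. Note that `attribute.update(user_account_mapping[key])` runs after `'to_ids': False` is set, so any mapping entry that carried a `to_ids` key would silently override the default — none does today, but a short comment on that ordering would prevent surprises. The enclosing class StixParser starts outside the hunk.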
|
@ -478,6 +488,7 @@ class StixFromMISPParser(StixParser):
|
|||
'process': {'observable': self.attributes_from_process_observable, 'pattern': self.pattern_process},
|
||||
'registry-key': {'observable': self.attributes_from_regkey_observable, 'pattern': self.pattern_regkey},
|
||||
'url': {'observable': self.attributes_from_url_observable, 'pattern': self.pattern_url},
|
||||
'user-account': {'observable': self.observable_user_account, 'pattern': self.pattern_user_account},
|
||||
'WindowsPEBinaryFile': {'observable': self.observable_pe, 'pattern': self.pattern_pe},
|
||||
'x509': {'observable': self.attributes_from_x509_observable, 'pattern': self.pattern_x509}}
|
||||
self.object_from_refs = {'course-of-action': self.parse_MISP_course_of_action, 'vulnerability': self.parse_vulnerability,
|
||||
|
@ -882,6 +893,38 @@ class StixFromMISPParser(StixParser):
|
|||
def pattern_url(self, pattern):
|
||||
return self.fill_pattern_attributes(pattern, url_mapping)
|
||||
|
||||
def observable_user_account(self, observable):
|
||||
observable = observable['0']
|
||||
attributes = self.fill_user_account_observable_attributes(observable)
|
||||
if 'extensions' in observable and 'unix-account-ext' in observable['extensions']:
|
||||
extension = observable['extensions']['unix-account-ext']
|
||||
if 'groups' in extension:
|
||||
for group in extension['groups']:
|
||||
attributes.append({'type': 'text', 'object_relation': 'group',
|
||||
'to_ids': False, 'disable_correlation': True,
|
||||
'value': group})
|
||||
attributes.extend(self.fill_user_account_observable_attributes(extension))
|
||||
return attributes
|
||||
|
||||
def pattern_user_account(self, pattern):
|
||||
attributes = []
|
||||
for p in pattern:
|
||||
p_type, p_value = p.split(' = ')
|
||||
p_value = p_value[1:-1]
|
||||
if "extensions.'unix-account-ext'" in p_type:
|
||||
relation = p_type.split('.')[-1]
|
||||
if 'groups' in relation:
|
||||
attributes.append({'type': 'text', 'object_relation': 'group',
|
||||
'disable_correlation': True, 'value': p_value})
|
||||
continue
|
||||
else:
|
||||
relation = p_type.split(':')[1]
|
||||
if relation in user_account_mapping:
|
||||
attribute = {'value': p_value}
|
||||
attribute.update(user_account_mapping[relation])
|
||||
attributes.append(attribute)
|
||||
return attributes
|
||||
|
||||
def pattern_x509(self, pattern):
|
||||
return self.fill_pattern_attributes(pattern, x509_mapping)
|
||||
|
||||
|
|
|
@ -277,6 +277,24 @@ url_mapping = {'url': url_attribute_mapping,
|
|||
'network-traffic:dst_port': url_port_attribute_mapping
|
||||
}
|
||||
|
||||
user_account_mapping = {'account_created': {'type': 'datetime', 'object_relation': 'created', 'disable_correlation': True},
|
||||
'account_expires': {'type': 'datetime', 'object_relation': 'expires', 'disable_correlation': True},
|
||||
'account_first_login': {'type': 'datetime', 'object_relation': 'first_login', 'disable_correlation': True},
|
||||
'account_last_login': {'type': 'datetime', 'object_relation': 'last_login', 'disable_correlation': True},
|
||||
'account_login': {'type': 'text', 'object_relation': 'username'},
|
||||
'account_type': {'type': 'text', 'object_relation': 'account-type'},
|
||||
'can_escalate_privs': {'type': 'boolean', 'object_relation': 'can_escalate_privs', 'disable_correlation': True},
|
||||
'credential': {'type': 'text', 'object_relation': 'password'},
|
||||
'credential_last_changed': {'type': 'datetime', 'object_relation': 'password_last_changed', 'disable_correlation': True},
|
||||
'display_name': {'type': 'text', 'object_relation': 'display-name'},
|
||||
'gid': {'type': 'text', 'object_relation': 'group-id', 'disable_correlation': True},
|
||||
'home_dir': {'type': 'text', 'object_relation': 'home_dir', 'disable_correlation': True},
|
||||
'is_disabled': {'type': 'boolean', 'object_relation': 'disabled', 'disable_correlation': True},
|
||||
'is_privileged': {'type': 'boolean', 'object_relation': 'privileged', 'disable_correlation': True},
|
||||
'is_service_account': {'type': 'boolean', 'object_relation': 'is_service_account', 'disable_correlation': True},
|
||||
'shell': {'type': 'text', 'object_relation': 'shell', 'disable_correlation': True},
|
||||
'user_id': {'type': 'text', 'object_relation': 'user-id'}}
|
||||
|
||||
x509_mapping = {'issuer': issuer_attribute_mapping,
|
||||
'x509-certificate:issuer': issuer_attribute_mapping,
|
||||
'serial_number': serial_number_attribute_mapping,
|
||||
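Review bot: `'credential'` is mapped to a plain `text` attribute under the `password` relation with correlation left enabled, so a credential carried by a STIX User Account object is imported verbatim and becomes a correlatable attribute across events; if that is intended, a comment should say so, e.g. `# credential is imported as-is into the 'password' relation and correlates like any other text attribute`, otherwise add `'disable_correlation': True` as the timestamp and flag entries do. The object_relation names mix hyphens (`account-type`, `display-name`, `group-id`, `user-id`) and underscores (`home_dir`, `is_service_account`, `can_escalate_privs`, `password_last_changed`); this presumably mirrors the MISP user-account object template, which is worth confirming rather than normalising here. A one-line comment above the dict naming the STIX object type it covers (`# STIX 2 user-account observable / pattern fields -> MISP user-account object relations`) would also help readers of the mapping file.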
|
|