chg: Trustar example uses objects

examples/trustar_misp.py

@@ -1,66 +1,59 @@
 from trustar import TruStar, datetime_to_millis
 from datetime import datetime, timedelta
 from keys import misp_url, misp_key, misp_verifycert
-from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
+from pymisp import PyMISP, MISPEvent, MISPOrganisation, MISPObject
+
+# enclave_ids = '7a33144f-aef3-442b-87d4-dbf70d8afdb0'  # RHISAC
+enclave_ids = None
+
+time_interval = {'days': 30, 'hours': 0}
+
+distribution = None  # Optional, defaults to MISP.default_event_distribution in MISP config
+threat_level_id = None  # Optional, defaults to MISP.default_event_threat_level in MISP config
+analysis = None  # Optional, defaults to 0 (initial analysis)
+
 
 
 tru = TruStar()
 
-misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+misp = PyMISP(misp_url, misp_key, misp_verifycert)
 
 now = datetime.now()
 
 # date range for pulling reports is last 4 hours when script is run
 to_time = datetime.now()
-from_time = to_time - timedelta(hours=4)
+from_time = to_time - timedelta(**time_interval)
 
 # convert to millis since epoch
 to_time = datetime_to_millis(to_time)
 from_time = datetime_to_millis(from_time)
 
-rhisac = "7a33144f-aef3-442b-87d4-dbf70d8afdb0"
-reports = tru.get_reports(from_time=from_time,
-                         to_time=to_time,
-                         is_enclave=True,
-                         enclave_ids=rhisac)
+if not enclave_ids:
+    reports = tru.get_reports(from_time=from_time,
+                              to_time=to_time)
+else:
+    reports = tru.get_reports(from_time=from_time,
+                          to_time=to_time,
+                          is_enclave=True,
+                          enclave_ids=enclave_ids)
 
 # loop through each trustar report and create MISP events for each
 for report in reports:
-    # initialize and set MISPOrganisation() 
-    orgc = MISPOrganisation()
-    orgc.name = 'RH-ISAC'
-    orgc.id = '#{ORGC.ID}' # organisation id
-    orgc.uuid = '#{ORGC.UUID}' # organisation uuid
     # initialize and set MISPEvent()
     event = MISPEvent()
-    event.Orgc = orgc
     event.info = report.title
-    event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
-    event.threat_level_id = 2  # Optional, defaults to MISP.default_event_threat_level in MISP config
-    event.analysis = 0  # Optional, defaults to 0 (initial analysis)
+    event.distribution = distribution
+    event.threat_level_id = threat_level_id
+    event.analysis = analysis
 
     # get tags for report
     for tag in tru.get_enclave_tags(report.id):
         event.add_tag(tag.name)
 
+    obj = MISPObject('trustar_report', standalone=False, strict=True)
     # get indicators for report
     for indicator in tru.get_indicators_for_report(report.id):
-        
-        # map trustar indicator type to MISP format
-        indicator_type = {
-            "MD5": "md5",
-            "SHA1": "sha1",
-            "SHA256": "sha256",
-            "SOFTWARE": "filename",
-            "URL": "link",
-            "EMAIL_ADDRESS": "email-src",
-            "IP": "ip-dst",
-            "MALWARE": "malware-type",
-            "CIDR_BLOCK": "ip-src",
-            "CVE": "vulnerability",
-            "THREAT_ACTOR": "threat-actor"
-        }
-        event.add_attribute(indicator_type.get(indicator.type), indicator.value)
-    
+        obj.add_attribute(indicator.type, indicator.value)
+    event.add_object(obj)
     # post each event to MISP via API
-    misp.add_event(event.to_json())
+    misp.add_event(event)

pymisp/data/misp-objects

@@ -1 +1 @@
-Subproject commit fa634803911d211f993049242d41eebaf342a9c4
+Subproject commit e6659c7c7ebdd8dd90af3a3e32c7ce002842f40b