anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(stix): STIX→MISP download export (per-attacker + fleet)

Browse Source 
Adds GET /api/v1/attackers/{uuid}/export/misp and
GET /api/v1/attackers/export/misp backed by misp_export.py, which
converts existing STIX bundles to MISP events via misp-stix
ExternalSTIX2toMISPParser. Fleet endpoint emits {response:[...]}
collection (one event per attacker). Frontend: STIX/MISP buttons on
AttackerDetail header and Attackers list. 13 new tests green.
This commit is contained in:
anti
2026-05-09 08:04:25 -04:00
parent 8990d9321d
commit 1200ac9132
9 changed files with 661 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
decnet/ttp/misp_export.py Normal file
View File

@@ -0,0 +1,109 @@
"""MISP event builder for DECNET attacker data.
Converts a STIX 2.1 Bundle (built by stix_export.build_attacker_bundle /
build_fleet_bundle) into MISP event dicts using the misp-stix library's
ExternalSTIX2toMISPParser.
Pure functions — no I/O. The caller (router) does all DB reads and passes
dicts; this module converts STIX → MISP JSON.
Output shapes
-------------
build_attacker_misp_event → dict (single MISP event, ready for import)
build_fleet_misp_collection → dict ({"response": [event, ...]})
"""
from __future__ import annotations
import json
from typing import Any
from misp_stix_converter import ExternalSTIX2toMISPParser
from decnet.ttp.stix_export import build_attacker_bundle
def _parse_bundle(bundle: Any) -> dict[str, Any]:
"""Run ExternalSTIX2toMISPParser on *bundle* and return the event dict.
Returns an empty dict if the parser produces no event (e.g. the bundle
contains only SCOs the parser can't promote to MISP attributes).
"""
parser = ExternalSTIX2toMISPParser()
parser.load_stix_bundle(bundle)
parser.parse_stix_bundle()
event = parser.misp_events
if event is None:
return {}
return json.loads(event.to_json())
def build_attacker_misp_event(
attacker: dict[str, Any],
behavior: dict[str, Any] | None,
identity: dict[str, Any] | None,
intel: dict[str, Any] | None,
technique_rollup: list[dict[str, Any]],
raw_tags: list[dict[str, Any]],
artifacts: list[dict[str, Any]],
smtp_targets: list[dict[str, Any]],
commands: list[str] | None = None,
) -> dict[str, Any]:
"""Return a MISP event dict for *attacker*.
All arguments match the signature of stix_export.build_attacker_bundle.
Never raises — conversion failures produce a minimal event dict.
"""
bundle = build_attacker_bundle(
attacker=attacker,
behavior=behavior,
identity=identity,
intel=intel,
technique_rollup=technique_rollup,
raw_tags=raw_tags,
artifacts=artifacts,
smtp_targets=smtp_targets,
commands=commands,
)
return _parse_bundle(bundle)
def build_fleet_misp_collection(
rows: list[dict[str, Any]],
ttp_by_attacker: dict[str, list[dict[str, Any]]],
) -> dict[str, Any]:
"""Return a MISP collection dict with one event per attacker in *rows*.
Shape: ``{"response": [event_dict, ...]}``. Suitable for MISP's
"Import from MISP JSON" / REST collection endpoint.
Attackers that produce no parseable MISP event (very unlikely — an
attacker always has at least an IP) are silently omitted.
"""
events: list[dict[str, Any]] = []
for row in rows:
raw_cmds = row.get("commands") or []
if isinstance(raw_cmds, str):
try:
raw_cmds = json.loads(raw_cmds)
except Exception:
raw_cmds = []
cmds = [
str(e.get("command_text") or e.get("command") or "").strip()
for e in raw_cmds
if isinstance(e, dict) and (e.get("command_text") or e.get("command"))
]
bundle = build_attacker_bundle(
attacker=row,
behavior=None,
identity=None,
intel=row.get("threat_intel"),
technique_rollup=ttp_by_attacker.get(row["uuid"], []),
raw_tags=[],
artifacts=[],
smtp_targets=[],
commands=cmds,
)
event = _parse_bundle(bundle)
if event:
events.append(event)
return {"response": events}

4
decnet/web/router/__init__.py
View File

@@ -17,6 +17,8 @@ from .attackers.api_get_attackers import router as attackers_router
from .attackers.api_export_attackers import router as attackers_export_router
from .attackers.api_export_attacker_stix import router as attacker_export_stix_router
from .attackers.api_export_attackers_stix import router as attackers_export_stix_router
from .attackers.api_export_attacker_misp import router as attacker_export_misp_router
from .attackers.api_export_attackers_misp import router as attackers_export_misp_router
from .attackers.api_events import router as attacker_events_router
from .attackers.api_get_attacker_detail import router as attacker_detail_router
from .attackers.api_get_attacker_commands import router as attacker_commands_router
@@ -109,6 +111,8 @@ api_router.include_router(attackers_router)
api_router.include_router(attackers_export_router)
api_router.include_router(attackers_export_stix_router)
api_router.include_router(attacker_export_stix_router)
api_router.include_router(attackers_export_misp_router)
api_router.include_router(attacker_export_misp_router)
api_router.include_router(attacker_detail_router)
api_router.include_router(attacker_events_router)
api_router.include_router(attacker_commands_router)

100
decnet/web/router/attackers/api_export_attacker_misp.py Normal file
View File

@@ -0,0 +1,100 @@
"""GET /api/v1/attackers/{uuid}/export/misp — MISP event for one attacker.
Converts the attacker's STIX 2.1 bundle to a MISP event JSON file via
misp-stix (ExternalSTIX2toMISPParser). Download the result and import it
into any MISP instance via "Import from MISP JSON".
"""
from __future__ import annotations
import asyncio
import json
from typing import Any, cast
from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.responses import Response
from decnet.telemetry import traced as _traced
from decnet.ttp.misp_export import build_attacker_misp_event
from decnet.web.dependencies import require_viewer, repo
router = APIRouter()
async def _none() -> None:
return None
@router.get(
"/attackers/{uuid}/export/misp",
tags=["Attacker Profiles"],
response_class=Response,
responses={
200: {
"content": {"application/json": {}},
"description": "MISP event for the attacker",
},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "Attacker not found"},
},
)
@_traced("api.attackers.export_misp")
async def api_export_attacker_misp(
uuid: str,
user: dict[str, Any] = Depends(require_viewer),
) -> Response:
"""Download a MISP event JSON for one attacker."""
attacker = await repo.get_attacker_by_uuid(uuid)
if not attacker:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=f"unknown attacker uuid: {uuid!r}",
)
identity_coro = (
repo.get_identity_by_uuid(attacker["identity_id"])
if attacker.get("identity_id")
else _none()
)
results = await asyncio.gather(
repo.get_attacker_behavior(uuid),
identity_coro,
repo.get_attacker_intel_by_uuid(uuid),
repo.list_techniques_by_attacker(uuid),
repo.list_ttp_tags_by_attacker(uuid),
repo.get_attacker_artifacts(uuid),
repo.list_smtp_targets(uuid),
repo.list_attacker_commands_deduped(uuid),
)
behavior = cast(dict[str, Any] | None, results[0])
identity = cast(dict[str, Any] | None, results[1])
intel = cast(dict[str, Any] | None, results[2])
technique_rollup = cast(list[Any], results[3])
raw_tags = cast(list[dict[str, Any]], results[4])
artifacts = cast(list[dict[str, Any]], results[5])
smtp_targets = cast(list[dict[str, Any]], results[6])
commands = cast(list[str], results[7])
event = build_attacker_misp_event(
attacker=attacker,
behavior=behavior,
identity=identity,
intel=intel,
technique_rollup=[
r.model_dump() if hasattr(r, "model_dump") else dict(r)
for r in technique_rollup
],
raw_tags=raw_tags,
artifacts=artifacts,
smtp_targets=smtp_targets,
commands=commands,
)
return Response(
content=json.dumps(event, default=str),
media_type="application/json",
headers={
"Content-Disposition": (
f'attachment; filename="decnet-attacker-{uuid[:8]}.misp.json"'
),
},
)

63
decnet/web/router/attackers/api_export_attackers_misp.py Normal file
View File

@@ -0,0 +1,63 @@
"""GET /api/v1/attackers/export/misp — fleet-wide MISP collection.
Returns a MISP collection JSON ({"response": [event, ...]}) with one event
per observed attacker, suitable for bulk import into a MISP instance via
"Import from MISP JSON" or the MISP REST /events/import endpoint.
Per-tag Sightings, captured Artifacts, and SMTP targets are omitted in
fleet mode. Use GET /api/v1/attackers/{uuid}/export/misp for full fidelity
on a single attacker.
"""
from __future__ import annotations
import asyncio
import json
from datetime import datetime, timezone
from typing import Any
from fastapi import APIRouter, Depends
from fastapi.responses import Response
from decnet.telemetry import traced as _traced
from decnet.ttp.misp_export import build_fleet_misp_collection
from decnet.web.dependencies import require_viewer, repo
router = APIRouter()
@router.get(
"/attackers/export/misp",
tags=["Attacker Profiles"],
response_class=Response,
responses={
200: {
"content": {"application/json": {}},
"description": "MISP collection for all attackers",
},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
},
)
@_traced("api.attackers.export_misp_fleet")
async def api_export_attackers_misp(
user: dict[str, Any] = Depends(require_viewer),
) -> Response:
"""Download a MISP collection JSON covering every observed attacker."""
rows, ttp_by_attacker = await asyncio.gather(
repo.get_all_attackers_for_export(),
repo.get_all_ttp_rollups_for_export(),
)
collection = build_fleet_misp_collection(
rows=rows,
ttp_by_attacker=ttp_by_attacker,
)
ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
return Response(
content=json.dumps(collection, default=str),
media_type="application/json",
headers={
"Content-Disposition": (
f'attachment; filename="decnet-fleet-{ts}.misp.json"'
),
},
)