feat(stix): STIX→MISP download export (per-attacker + fleet)

Adds GET /api/v1/attackers/{uuid}/export/misp and GET /api/v1/attackers/export/misp backed by misp_export.py, which converts existing STIX bundles to MISP events via misp-stix ExternalSTIX2toMISPParser. Fleet endpoint emits {response:[...]} collection (one event per attacker). Frontend: STIX/MISP buttons on AttackerDetail header and Attackers list. 13 new tests green.
2026-05-09 08:04:25 -04:00
parent 8990d9321d
commit 1200ac9132
9 changed files with 661 additions and 17 deletions
--- a/decnet/web/router/init.py
+++ b/decnet/web/router/init.py
@@ -17,6 +17,8 @@ from .attackers.api_get_attackers import router as attackers_router
 from .attackers.api_export_attackers import router as attackers_export_router
 from .attackers.api_export_attacker_stix import router as attacker_export_stix_router
 from .attackers.api_export_attackers_stix import router as attackers_export_stix_router
+from .attackers.api_export_attacker_misp import router as attacker_export_misp_router
+from .attackers.api_export_attackers_misp import router as attackers_export_misp_router
 from .attackers.api_events import router as attacker_events_router
 from .attackers.api_get_attacker_detail import router as attacker_detail_router
 from .attackers.api_get_attacker_commands import router as attacker_commands_router
@@ -109,6 +111,8 @@ api_router.include_router(attackers_router)
 api_router.include_router(attackers_export_router)
 api_router.include_router(attackers_export_stix_router)
 api_router.include_router(attacker_export_stix_router)
+api_router.include_router(attackers_export_misp_router)
+api_router.include_router(attacker_export_misp_router)
 api_router.include_router(attacker_detail_router)
 api_router.include_router(attacker_events_router)
 api_router.include_router(attacker_commands_router)
--- a/decnet/web/router/attackers/api_export_attacker_misp.py
+++ b/decnet/web/router/attackers/api_export_attacker_misp.py
@@ -0,0 +1,100 @@
+"""GET /api/v1/attackers/{uuid}/export/misp — MISP event for one attacker.
+
+Converts the attacker's STIX 2.1 bundle to a MISP event JSON file via
+misp-stix (ExternalSTIX2toMISPParser). Download the result and import it
+into any MISP instance via "Import from MISP JSON".
+"""
+from __future__ import annotations
+
+import asyncio
+import json
+from typing import Any, cast
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.responses import Response
+
+from decnet.telemetry import traced as _traced
+from decnet.ttp.misp_export import build_attacker_misp_event
+from decnet.web.dependencies import require_viewer, repo
+
+router = APIRouter()
+
+
+async def _none() -> None:
+    return None
+
+
+@router.get(
+    "/attackers/{uuid}/export/misp",
+    tags=["Attacker Profiles"],
+    response_class=Response,
+    responses={
+        200: {
+            "content": {"application/json": {}},
+            "description": "MISP event for the attacker",
+        },
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+        404: {"description": "Attacker not found"},
+    },
+)
+@_traced("api.attackers.export_misp")
+async def api_export_attacker_misp(
+    uuid: str,
+    user: dict[str, Any] = Depends(require_viewer),
+) -> Response:
+    """Download a MISP event JSON for one attacker."""
+    attacker = await repo.get_attacker_by_uuid(uuid)
+    if not attacker:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"unknown attacker uuid: {uuid!r}",
+        )
+
+    identity_coro = (
+        repo.get_identity_by_uuid(attacker["identity_id"])
+        if attacker.get("identity_id")
+        else _none()
+    )
+    results = await asyncio.gather(
+        repo.get_attacker_behavior(uuid),
+        identity_coro,
+        repo.get_attacker_intel_by_uuid(uuid),
+        repo.list_techniques_by_attacker(uuid),
+        repo.list_ttp_tags_by_attacker(uuid),
+        repo.get_attacker_artifacts(uuid),
+        repo.list_smtp_targets(uuid),
+        repo.list_attacker_commands_deduped(uuid),
+    )
+    behavior = cast(dict[str, Any] | None, results[0])
+    identity = cast(dict[str, Any] | None, results[1])
+    intel = cast(dict[str, Any] | None, results[2])
+    technique_rollup = cast(list[Any], results[3])
+    raw_tags = cast(list[dict[str, Any]], results[4])
+    artifacts = cast(list[dict[str, Any]], results[5])
+    smtp_targets = cast(list[dict[str, Any]], results[6])
+    commands = cast(list[str], results[7])
+
+    event = build_attacker_misp_event(
+        attacker=attacker,
+        behavior=behavior,
+        identity=identity,
+        intel=intel,
+        technique_rollup=[
+            r.model_dump() if hasattr(r, "model_dump") else dict(r)
+            for r in technique_rollup
+        ],
+        raw_tags=raw_tags,
+        artifacts=artifacts,
+        smtp_targets=smtp_targets,
+        commands=commands,
+    )
+    return Response(
+        content=json.dumps(event, default=str),
+        media_type="application/json",
+        headers={
+            "Content-Disposition": (
+                f'attachment; filename="decnet-attacker-{uuid[:8]}.misp.json"'
+            ),
+        },
+    )
--- a/decnet/web/router/attackers/api_export_attackers_misp.py
+++ b/decnet/web/router/attackers/api_export_attackers_misp.py
@@ -0,0 +1,63 @@
+"""GET /api/v1/attackers/export/misp — fleet-wide MISP collection.
+
+Returns a MISP collection JSON ({"response": [event, ...]}) with one event
+per observed attacker, suitable for bulk import into a MISP instance via
+"Import from MISP JSON" or the MISP REST /events/import endpoint.
+
+Per-tag Sightings, captured Artifacts, and SMTP targets are omitted in
+fleet mode. Use GET /api/v1/attackers/{uuid}/export/misp for full fidelity
+on a single attacker.
+"""
+from __future__ import annotations
+
+import asyncio
+import json
+from datetime import datetime, timezone
+from typing import Any
+
+from fastapi import APIRouter, Depends
+from fastapi.responses import Response
+
+from decnet.telemetry import traced as _traced
+from decnet.ttp.misp_export import build_fleet_misp_collection
+from decnet.web.dependencies import require_viewer, repo
+
+router = APIRouter()
+
+
+@router.get(
+    "/attackers/export/misp",
+    tags=["Attacker Profiles"],
+    response_class=Response,
+    responses={
+        200: {
+            "content": {"application/json": {}},
+            "description": "MISP collection for all attackers",
+        },
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+    },
+)
+@_traced("api.attackers.export_misp_fleet")
+async def api_export_attackers_misp(
+    user: dict[str, Any] = Depends(require_viewer),
+) -> Response:
+    """Download a MISP collection JSON covering every observed attacker."""
+    rows, ttp_by_attacker = await asyncio.gather(
+        repo.get_all_attackers_for_export(),
+        repo.get_all_ttp_rollups_for_export(),
+    )
+    collection = build_fleet_misp_collection(
+        rows=rows,
+        ttp_by_attacker=ttp_by_attacker,
+    )
+    ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
+    return Response(
+        content=json.dumps(collection, default=str),
+        media_type="application/json",
+        headers={
+            "Content-Disposition": (
+                f'attachment; filename="decnet-fleet-{ts}.misp.json"'
+            ),
+        },
+    )