feat(stix): STIX→MISP download export (per-attacker + fleet)

Adds GET /api/v1/attackers/{uuid}/export/misp and GET /api/v1/attackers/export/misp backed by misp_export.py, which converts existing STIX bundles to MISP events via misp-stix ExternalSTIX2toMISPParser. Fleet endpoint emits {response:[...]} collection (one event per attacker). Frontend: STIX/MISP buttons on AttackerDetail header and Attackers list. 13 new tests green.
2026-05-09 08:04:25 -04:00
parent 8990d9321d
commit 1200ac9132
9 changed files with 661 additions and 17 deletions
--- a/decnet/web/router/attackers/api_export_attackers_misp.py
+++ b/decnet/web/router/attackers/api_export_attackers_misp.py
@@ -0,0 +1,63 @@
+"""GET /api/v1/attackers/export/misp — fleet-wide MISP collection.
+
+Returns a MISP collection JSON ({"response": [event, ...]}) with one event
+per observed attacker, suitable for bulk import into a MISP instance via
+"Import from MISP JSON" or the MISP REST /events/import endpoint.
+
+Per-tag Sightings, captured Artifacts, and SMTP targets are omitted in
+fleet mode. Use GET /api/v1/attackers/{uuid}/export/misp for full fidelity
+on a single attacker.
+"""
+from __future__ import annotations
+
+import asyncio
+import json
+from datetime import datetime, timezone
+from typing import Any
+
+from fastapi import APIRouter, Depends
+from fastapi.responses import Response
+
+from decnet.telemetry import traced as _traced
+from decnet.ttp.misp_export import build_fleet_misp_collection
+from decnet.web.dependencies import require_viewer, repo
+
+router = APIRouter()
+
+
+@router.get(
+    "/attackers/export/misp",
+    tags=["Attacker Profiles"],
+    response_class=Response,
+    responses={
+        200: {
+            "content": {"application/json": {}},
+            "description": "MISP collection for all attackers",
+        },
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+    },
+)
+@_traced("api.attackers.export_misp_fleet")
+async def api_export_attackers_misp(
+    user: dict[str, Any] = Depends(require_viewer),
+) -> Response:
+    """Download a MISP collection JSON covering every observed attacker."""
+    rows, ttp_by_attacker = await asyncio.gather(
+        repo.get_all_attackers_for_export(),
+        repo.get_all_ttp_rollups_for_export(),
+    )
+    collection = build_fleet_misp_collection(
+        rows=rows,
+        ttp_by_attacker=ttp_by_attacker,
+    )
+    ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
+    return Response(
+        content=json.dumps(collection, default=str),
+        media_type="application/json",
+        headers={
+            "Content-Disposition": (
+                f'attachment; filename="decnet-fleet-{ts}.misp.json"'
+            ),
+        },
+    )