anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
42b5d97a50dbf9694fc5fb669cbb637d5874cedc
DECNET/decnet/web/router/attackers/api_export_attacker_misp.py
anti 4c6b12dcf8 feat(stix_export): wire fingerprint bounties through all endpoints + tests 
Remaining files from the fingerprint-bounties + characterizes-SRO commit:
misp_export, repository, bounties mixin, all 4 router endpoints, and test suite
updates. Prerequisite: previous commit added _extract_fingerprint_bounty_data
and the stix_export changes.
2026-05-09 09:14:48 -04:00

107 lines
3.5 KiB
Python
Raw Blame History

"""GET /api/v1/attackers/{uuid}/export/misp — MISP event for one attacker.
Converts the attacker's STIX 2.1 bundle to a MISP event JSON file via
misp-stix (ExternalSTIX2toMISPParser). Download the result and import it
into any MISP instance via "Import from MISP JSON".
"""
from __future__ import annotations
import asyncio
import json
from typing import Any, cast
from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.responses import Response
from decnet.telemetry import traced as _traced
from decnet.ttp.misp_export import build_attacker_misp_event
from decnet.web.dependencies import require_viewer, repo
router = APIRouter()
async def _none() -> None:
return None
@router.get(
"/attackers/{uuid}/export/misp",
tags=["Attacker Profiles"],
response_class=Response,
responses={
200: {
"content": {"application/json": {}},
"description": "MISP event for the attacker",
},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "Attacker not found"},
},
)
@_traced("api.attackers.export_misp")
async def api_export_attacker_misp(
uuid: str,
user: dict[str, Any] = Depends(require_viewer),
) -> Response:
"""Download a MISP event JSON for one attacker."""
attacker = await repo.get_attacker_by_uuid(uuid)
if not attacker:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=f"unknown attacker uuid: {uuid!r}",
)
identity_coro = (
repo.get_identity_by_uuid(attacker["identity_id"])
if attacker.get("identity_id")
else _none()
)
results = await asyncio.gather(
repo.get_attacker_behavior(uuid),
identity_coro,
repo.get_attacker_intel_by_uuid(uuid),
repo.list_techniques_by_attacker(uuid),
repo.list_ttp_tags_by_attacker(uuid),
repo.get_attacker_artifacts(uuid),
repo.list_smtp_targets(uuid),
repo.list_attacker_commands_deduped(uuid),
repo.list_observations_by_attacker(uuid),
repo.get_fingerprint_bounties_by_ip(attacker["ip"]),
)
behavior = cast(dict[str, Any] | None, results[0])
identity = cast(dict[str, Any] | None, results[1])
intel = cast(dict[str, Any] | None, results[2])
technique_rollup = cast(list[Any], results[3])
raw_tags = cast(list[dict[str, Any]], results[4])
artifacts = cast(list[dict[str, Any]], results[5])
smtp_targets = cast(list[dict[str, Any]], results[6])
commands = cast(list[str], results[7])
observations = cast(list[dict[str, Any]], results[8])
fingerprint_bounties = cast(list[dict[str, Any]], results[9])
event = build_attacker_misp_event(
attacker=attacker,
behavior=behavior,
identity=identity,
intel=intel,
technique_rollup=[
r.model_dump() if hasattr(r, "model_dump") else dict(r)
for r in technique_rollup
],
raw_tags=raw_tags,
artifacts=artifacts,
smtp_targets=smtp_targets,
commands=commands,
observations=observations,
fingerprint_bounties=fingerprint_bounties,
)
return Response(
content=json.dumps(event, default=str),
media_type="application/json",
headers={
"Content-Disposition": (
f'attachment; filename="decnet-attacker-{uuid[:8]}.misp.json"'
),
},
)
Reference in New Issue View Git Blame Copy Permalink