anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
97c99a4e031ffe20e1e3056b9e1b6f871f947db9
DECNET/decnet/web/router/attackers/api_export_attackers_misp.py
anti 97c99a4e03 feat(ttp): rich ThreatActor STIX extensions via CustomExtension + CustomObject 
- stix_custom.py: DecnetActorFingerprintExt (@CustomExtension) wrapping
  network_behavior (os_guess/hop_distance/tcp_fingerprint/timing_stats/
  phase_sequence/behavior_class/beacon fields/tool_guesses) and
  protocol_fingerprints (ja3_hashes/hassh_hashes/kex_order_raw/
  ssh_client_banners/tls_cert_sha256/payload_simhashes/c2_endpoints).
  XDecnetBehaveProfile (@CustomObject x-decnet-behave-profile) carrying
  full BEHAVE-SHELL observation envelopes + kd_digraph_simhash.
  FINGERPRINT_EXT_DEF singleton extension-definition SDO.
- Drop legacy flat x_decnet_ja3_hashes / x_decnet_hassh_hashes /
  x_decnet_c2_endpoints (pre-v1, no consumers).
- stix_export: _threat_actor() wired to behavior + observations;
  build_attacker_bundle/build_fleet_bundle grow observations parameter.
- Repo: list_observations_by_attacker + get_all_observations_for_export
  abstract + sqlmodel impl; all four export endpoints extended.
- 18 new tests; inter-DECNET round-trip (stix2.parse → typed objects)
  is the primary fidelity assertion.
2026-05-09 08:52:19 -04:00

66 lines
2.1 KiB
Python
Raw Blame History

"""GET /api/v1/attackers/export/misp — fleet-wide MISP collection.
Returns a MISP collection JSON ({"response": [event, ...]}) with one event
per observed attacker, suitable for bulk import into a MISP instance via
"Import from MISP JSON" or the MISP REST /events/import endpoint.
Per-tag Sightings, captured Artifacts, and SMTP targets are omitted in
fleet mode. Use GET /api/v1/attackers/{uuid}/export/misp for full fidelity
on a single attacker.
"""
from __future__ import annotations
import asyncio
import json
from datetime import datetime, timezone
from typing import Any
from fastapi import APIRouter, Depends
from fastapi.responses import Response
from decnet.telemetry import traced as _traced
from decnet.ttp.misp_export import build_fleet_misp_collection
from decnet.web.dependencies import require_viewer, repo
router = APIRouter()
@router.get(
"/attackers/export/misp",
tags=["Attacker Profiles"],
response_class=Response,
responses={
200: {
"content": {"application/json": {}},
"description": "MISP collection for all attackers",
},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
},
)
@_traced("api.attackers.export_misp_fleet")
async def api_export_attackers_misp(
user: dict[str, Any] = Depends(require_viewer),
) -> Response:
"""Download a MISP collection JSON covering every observed attacker."""
rows, ttp_by_attacker, obs_by_attacker = await asyncio.gather(
repo.get_all_attackers_for_export(),
repo.get_all_ttp_rollups_for_export(),
repo.get_all_observations_for_export(),
)
collection = build_fleet_misp_collection(
rows=rows,
ttp_by_attacker=ttp_by_attacker,
observations_by_attacker=obs_by_attacker,
)
ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
return Response(
content=json.dumps(collection, default=str),
media_type="application/json",
headers={
"Content-Disposition": (
f'attachment; filename="decnet-fleet-{ts}.misp.json"'
),
},
)
Reference in New Issue View Git Blame Copy Permalink