anti
97c99a4e03
- stix_custom.py: DecnetActorFingerprintExt (@CustomExtension) wrapping network_behavior (os_guess/hop_distance/tcp_fingerprint/timing_stats/ phase_sequence/behavior_class/beacon fields/tool_guesses) and protocol_fingerprints (ja3_hashes/hassh_hashes/kex_order_raw/ ssh_client_banners/tls_cert_sha256/payload_simhashes/c2_endpoints). XDecnetBehaveProfile (@CustomObject x-decnet-behave-profile) carrying full BEHAVE-SHELL observation envelopes + kd_digraph_simhash. FINGERPRINT_EXT_DEF singleton extension-definition SDO. - Drop legacy flat x_decnet_ja3_hashes / x_decnet_hassh_hashes / x_decnet_c2_endpoints (pre-v1, no consumers). - stix_export: _threat_actor() wired to behavior + observations; build_attacker_bundle/build_fleet_bundle grow observations parameter. - Repo: list_observations_by_attacker + get_all_observations_for_export abstract + sqlmodel impl; all four export endpoints extended. - 18 new tests; inter-DECNET round-trip (stix2.parse → typed objects) is the primary fidelity assertion.
75 lines
2.4 KiB
Python
75 lines
2.4 KiB
Python
"""GET /api/v1/attackers/export/stix — fleet-wide STIX 2.1 bundle.
|
|
|
|
Returns a self-contained STIX 2.1 Bundle covering every attacker the
|
|
instance has observed. Attack-pattern SDOs carry canonical MITRE STIX IDs
|
|
and are deduplicated across attackers — consumers who already have the
|
|
public ATT&CK bundle won't accumulate duplicates.
|
|
|
|
Per-tag Sightings, captured Artifacts, and SMTP targets are omitted in
|
|
fleet mode. Use GET /api/v1/attackers/{uuid}/export/stix for full fidelity
|
|
on a single attacker.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime, timezone
|
|
from typing import Any
|
|
|
|
from fastapi import APIRouter, Depends
|
|
from fastapi.responses import Response
|
|
|
|
from decnet.telemetry import traced as _traced
|
|
from decnet.ttp.stix_export import build_fleet_bundle
|
|
from decnet.web.dependencies import require_viewer, repo
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
@router.get(
|
|
"/attackers/export/stix",
|
|
tags=["Attacker Profiles"],
|
|
response_class=Response,
|
|
responses={
|
|
200: {
|
|
"content": {"application/json": {}},
|
|
"description": "STIX 2.1 bundle for all attackers",
|
|
},
|
|
401: {"description": "Could not validate credentials"},
|
|
403: {"description": "Insufficient permissions"},
|
|
},
|
|
)
|
|
@_traced("api.attackers.export_stix_fleet")
|
|
async def api_export_attackers_stix(
|
|
user: dict[str, Any] = Depends(require_viewer),
|
|
) -> Response:
|
|
"""Download a STIX 2.1 bundle covering every observed attacker."""
|
|
rows, ttp_by_attacker, obs_by_attacker = await _gather_fleet_data()
|
|
bundle = build_fleet_bundle(
|
|
rows=rows,
|
|
ttp_by_attacker=ttp_by_attacker,
|
|
observations_by_attacker=obs_by_attacker,
|
|
)
|
|
ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
|
|
return Response(
|
|
content=bundle.serialize(pretty=True, indent=2),
|
|
media_type="application/json",
|
|
headers={
|
|
"Content-Disposition": (
|
|
f'attachment; filename="decnet-fleet-{ts}.stix.json"'
|
|
),
|
|
},
|
|
)
|
|
|
|
|
|
async def _gather_fleet_data() -> tuple[
|
|
list[dict[str, Any]],
|
|
dict[str, list[dict[str, Any]]],
|
|
dict[str, list[dict[str, Any]]],
|
|
]:
|
|
import asyncio
|
|
rows, ttp_by_attacker, obs_by_attacker = await asyncio.gather(
|
|
repo.get_all_attackers_for_export(),
|
|
repo.get_all_ttp_rollups_for_export(),
|
|
repo.get_all_observations_for_export(),
|
|
)
|
|
return rows, ttp_by_attacker, obs_by_attacker
|