[greynoise-feed] Avoid string in AS
SamuelHassine committed Sep 7, 2024
1 parent ad4fe7c commit 9a0b302
Showing 2 changed files with 62 additions and 12 deletions.
11 changes: 11 additions & 0 deletions .circleci/config.yml
Expand Up @@ -353,6 +353,10 @@ jobs:
working_directory: ~/opencti/internal-enrichment/first-epss
name: Build Docker image opencti/connector-first-epss
command: docker build -t opencti/connector-first-epss:latest . && docker tag opencti/connector-first-epss:latest opencti/connector-first-epss:${CIRCLE_TAG}
- run:
working_directory: ~/opencti/internal-enrichment/reversinglabs-spectra-analyze
name: Build Docker image opencti/connector-reversinglabs-spectra-analyze
command: docker build -t opencti/connector-reversinglabs-spectra-analyze:latest . && docker tag opencti/connector-reversinglabs-spectra-analyze:latest opencti/connector-reversinglabs-spectra-analyze:${CIRCLE_TAG}
- run:
name: Publish Docker Image to Docker Hub
command: |
Expand Down Expand Up @@ -501,6 +505,8 @@ jobs:
docker push opencti/connector-group-ib:${CIRCLE_TAG}
docker push opencti/connector-first-epss:latest
docker push opencti/connector-first-epss:${CIRCLE_TAG}
docker push opencti/connector-reversinglabs-spectra-analyze:latest
docker push opencti/connector-reversinglabs-spectra-analyze:${CIRCLE_TAG}
- slack/notify:
event: fail
template: basic_fail_1
Expand Down Expand Up @@ -1261,6 +1267,10 @@ jobs:
working_directory: ~/opencti/internal-enrichment/first-epss
name: Build Docker image opencti/connector-first-epss
command: docker build -t opencti/connector-first-epss:rolling .
- run:
working_directory: ~/opencti/internal-enrichment/reversinglabs-spectra-analyze
name: Build Docker image opencti/connector-reversinglabs-spectra-analyze
command: docker build -t opencti/connector-reversinglabs-spectra-analyze:rolling .
- run:
name: Publish Docker Image to Docker Hub
command: |
Expand Down Expand Up @@ -1335,6 +1345,7 @@ jobs:
docker push opencti/connector-cofense:rolling
docker push opencti/connector-group-ib:rolling
docker push opencti/connector-first-epss:rolling
docker push opencti/connector-reversinglabs-spectra-analyze:rolling
- slack/notify:
event: fail
template: basic_fail_1
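Review bot: The four `.circleci/config.yml` hunks are not covered by the commit title (`[greynoise-feed] Avoid string in AS`): they add build steps and `docker push` lines for a new `opencti/connector-reversinglabs-spectra-analyze` image in both the tagged and the `rolling` publish jobs, so a new artifact starts being published to Docker Hub under a message that only mentions an ASN parsing fix. For an auditable publish pipeline this belongs in its own commit, or at least in the message (e.g. a second line `[ci] Build and publish connector-reversinglabs-spectra-analyze`). As a point of style, each connector now has to be listed in four places (two build steps, two push lists); if the job layout allows, a single connector list driving a loop would stop the two push lists from drifting apart. The enclosing `jobs:` definitions start and end outside the hunks.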
63 changes: 51 additions & 12 deletions external-import/greynoise-feed/src/main.py
Expand Up @@ -9,6 +9,7 @@
from dateutil.parser import parse
from greynoise import GreyNoise
from pycti import (
Identity,
Indicator,
Location,
Malware,
Expand Down Expand Up @@ -371,29 +372,66 @@ def _process_data(self, work_id, session, ips_list):
# Metadata
if "metadata" in ip:
metadata = ip["metadata"]
stix_as = None
if "asn" in metadata:
stix_as = stix2.AutonomousSystem(
name=metadata["asn"],
number=metadata["asn"].replace("AS", ""),
object_marking_refs=[stix2.TLP_WHITE],
custom_properties={
"created_by_ref": self.identity["standard_id"],
},
try:
stix_as = stix2.AutonomousSystem(
name=metadata["asn"],
number=int(metadata["asn"].replace("AS", "")),
object_marking_refs=[stix2.TLP_WHITE],
custom_properties={
"created_by_ref": self.identity["standard_id"],
},
)
bundle_objects.append(stix_as)

stix_relationship_observable_as = stix2.Relationship(
id=StixCoreRelationship.generate_id(
"belongs-to", stix_observable.id, stix_as.id
),
relationship_type="belongs-to",
source_ref=stix_observable.id,
target_ref=stix_as.id,
created_by_ref=self.identity["standard_id"],
object_marking_refs=[stix2.TLP_WHITE],
)
bundle_objects.append(stix_relationship_observable_as)
except:
pass
if "organization" in metadata:
stix_organization = stix2.Identity(
id=Identity.generate_id(
metadata["organization"], "organization"
),
name=metadata["organization"],
identity_class="organization",
)
bundle_objects.append(stix_as)
bundle_objects.append(stix_organization)

stix_relationship_observable_as = stix2.Relationship(
stix_relationship_observable_organization = stix2.Relationship(
id=StixCoreRelationship.generate_id(
"belongs-to", stix_observable.id, stix_as.id
"belongs-to", stix_observable.id, stix_organization.id
),
relationship_type="belongs-to",
source_ref=stix_observable.id,
target_ref=stix_as.id,
target_ref=stix_organization.id,
created_by_ref=self.identity["standard_id"],
object_marking_refs=[stix2.TLP_WHITE],
)
bundle_objects.append(stix_relationship_observable_as)
bundle_objects.append(stix_relationship_observable_organization)

if stix_as is not None:
stix_relationship_as_organization = stix2.Relationship(
id=StixCoreRelationship.generate_id(
"related-to", stix_as.id, stix_organization.id
),
relationship_type="related-to",
source_ref=stix_as.id,
target_ref=stix_organization.id,
created_by_ref=self.identity["standard_id"],
object_marking_refs=[stix2.TLP_WHITE],
)
bundle_objects.append(stix_relationship_as_organization)
stix_city = None
if "city" in metadata:
stix_city = stix2.Location(
Expand Down Expand Up @@ -513,6 +551,7 @@ def _process_data(self, work_id, session, ips_list):
def run(self):
self.helper.log_info("GreyNoise feed - Initialization...")
while True:
self.labels_cache = {}
try:
# Get the current timestamp and check
now = datetime.now(pytz.UTC)
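Review bot: The new `try` block around the AutonomousSystem creation (L79–L102) ends in a bare `except: pass`, so a non-string or non-numeric `asn` value is dropped silently, and so is any unrelated stix2/pycti error raised while building the AS object or its `belongs-to` relationship; because `stix_as` then stays `None`, the AS→organization link further down is lost as well without a log line. Keep the `try` to the one conversion that can legitimately fail, catch `(TypeError, ValueError)`, and log the offending value (the helper already exposes `log_info` in this file; `log_warning` is presumably its sibling — confirm). Separately, the new organization `stix2.Identity` carries neither `object_marking_refs=[stix2.TLP_WHITE]` nor `created_by_ref=self.identity["standard_id"]`, unlike every other object created in this hunk, so the identity is emitted unmarked and unattributed; add both. `_process_data` starts and ends outside the hunk.
```python
stix_as = None
if "asn" in metadata:
    asn_raw = metadata["asn"]
    try:
        # GreyNoise reports the ASN as e.g. "AS12345"; only this conversion may fail
        asn_number = int(str(asn_raw).upper().replace("AS", "", 1))
    except (TypeError, ValueError):
        self.helper.log_warning(
            f"GreyNoise feed - Unparseable ASN {asn_raw!r}, skipping AutonomousSystem"
        )
        asn_number = None
    if asn_number is not None:
        stix_as = stix2.AutonomousSystem(
            name=str(asn_raw),
            number=asn_number,
            # … unchanged: object_marking_refs / custom_properties …
        )
        bundle_objects.append(stix_as)
        # … unchanged: belongs-to relationship observable -> AS …
if "organization" in metadata:
    stix_organization = stix2.Identity(
        id=Identity.generate_id(metadata["organization"], "organization"),
        name=metadata["organization"],
        identity_class="organization",
        created_by_ref=self.identity["standard_id"],
        object_marking_refs=[stix2.TLP_WHITE],
    )
    # … unchanged: organization relationships …
```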
