Support: how do I convert a Sighting SRO into a MISP object

[mavam]

Support Questions

My use case is as follows. I have a valid instance of a stix2.Sighting object that I'd like to ultimately pass to a PyMISP instance via misp.add_sighting(...). What's the API for that?

I saw there is a class STIX2toMISPParser, but it seems to accept a STIX Bundle, or something else I don't have. Should I wrap my sighting into a STIX Bundle?

My user expectation was: I can call some function convert that takes a given STIX2 object and Does The Right thing in terms of conversion to MISP Object, Event, or Attribute (perhaps with hints).

Code of Conduct

• I agree to follow this project's Code of Conduct

[mavam]

So I found this function:

    def _load_sighting(self, sighting: _SIGHTING_TYPING):
        misp_sighting = MISPSighting()
        sighting_args = {
            'date_sighting': self._timestamp_from_date(sighting.modified),
            'type': '0'
        }
        if hasattr(sighting, 'description'):
            sighting_args['source'] = sighting.description
        if hasattr(sighting, 'where_sighted_refs'):
            identity = self._identity[sighting.where_sighted_refs[0]]['stix_object']
            sighting_args['Organisation'] = {
                'uuid': identity.id.split('--')[1],
                'name': identity.name
            }
        misp_sighting.from_dict(**sighting_args)
        try:
            self._sighting[sighting.sighting_of_ref.split('--')[1]].append(misp_sighting)
        except AttributeError:
            self._sighting = defaultdict(list)
            self._sighting[sighting.sighting_of_ref.split('--')[1]].append(misp_sighting)

It goes in the right direction, and potentially may work in cases, but my use case is slightly different. I'm getting a Sighting SDO from anywhere, meaning, I may not have a corresponding UUID in MISP for it. I'm purely interesting in reporting it to MISP through the values contained in the Observed Data in the Sighting. The API call I have in mind is like this:

sighting = pymisp.MISPSighting()
sighting.from_dict(
        value=extract_value_from_stix_sighting(...),
        type="0", # true positive
        timestamp=11111111,
        )

Since a sighting can have N instances of Observed Data, the function I am looking for would create N instances of a MISPSighting.

[mavam]

As I am going down the rabbit hole, here's an attempt to wrap my Sighting into a bundle to load it afterwards:

        parser = misp_stix_converter.ExternalSTIX2toMISPParser()
        bundle = stix2.Bundle(objects=sighting)
        parser.load_stix_bundle(bundle)
        del bundle
        parser.parse_stix_bundle()
        logger.debug(parser.misp_event.to_dict())

The input looks like this:

{"type": "bundle", "id": "bundle--cd32a28e-c305-49ca-8e60-6190e9304aad", "objects": [{"type": "sighting", "spec_version": "2.1", "id": "sighting--94518f15-2cff-43e2-8872-9b86d6cac87d", "created": "2022-08-05T13:54:09.01016Z", "modified": "2022-08-05T13:54:09.01016Z", "sighting_of_ref": "indicator--17faa18a-7ae2-4816-96e7-e2ff11607104", "observed_data_refs": ["observed-data--5ac81e34-5dcb-4786-9b52-4da7a9738967"]}]}

But the output is an empty event:

{'uuid': 'cd32a28e-c305-49ca-8e60-6190e9304aad', 'info': 'STIX 2.1 Bundle imported with the MISP-STIX import feature.'}

Before I go deeper, I'll let you chime in. 🙂

[chrisr3d]

Hey,
We recently had a discussion about STIX Sightings import with @iglocska and we will need some changes on MISP to support that feature correctly.
We'll probably work on this soon

(Also thanks for the additional details that provide more context 😉)

[mavam]

Good to know, thanks!

Until then I'll unpack the Sighting by hand.

[aryabharat]

@chrisr3d Are we planning to add support for location in STIX Sighting import?