yeti-platform · sebdraven · Mar 1, 2024 · Mar 1, 2024 · Mar 1, 2024 · Mar 1, 2024
diff --git a/core/common/misp_to_yeti.py b/core/common/misp_to_yeti.py
diff --git a/core/schemas/entity.py b/core/schemas/entity.py
@@ -24,6 +24,8 @@ class EntityType(str, Enum):
     tool = "tool"
     vulnerability = "vulnerability"
     course_of_action = "course-of-action"
+    location = "location"
+    exploit = "exploit"
 
 
 class Entity(YetiTagModel, database_arango.ArangoYetiConnector):
@@ -137,6 +139,29 @@ class Investigation(Entity):
     reference: str = ""
 
 
+class Location(Entity):
+    _type_filter: ClassVar[str] = EntityType.location
+    type: Literal[EntityType.location] = EntityType.location
+
+    location: str = ""
+    reference: str = ""
+    lat: float = 0.0
+    lon: float = 0.0
+    country: str = ""
+    city: str = ""
+    country_code: int = 0
+
+    def set_country_name_by_code(self, code: int):
+        import pycountry
+
+        self.country = pycountry.countries.get(numeric=str(code)).name
+
+    def set_country_code_by_name(self, name: str):
+        import pycountry
+
+        self.country_code = int(pycountry.countries.get(name=name).numeric)
+
+
 class SeverityType(str, Enum):
     none = "none"
     low = "low"
@@ -166,6 +191,17 @@ class Vulnerability(Entity):
     reference: str = ""
 
 
+class Exploit(Entity):
+    _type_filter: ClassVar[str] = EntityType.exploit
+    type: Literal[EntityType.exploit] = EntityType.exploit
+
+    reference: str = ""
+    description: str = ""
+    level: str = ""
+    software: str = ""
+    accessibility: str = ""
+
+
 class CourseOfAction(Entity):
     _type_filter: ClassVar[str] = EntityType.course_of_action
     type: Literal[EntityType.course_of_action] = EntityType.course_of_action
@@ -187,6 +223,7 @@ class CourseOfAction(Entity):
     EntityType.threat_actor: ThreatActor,
     EntityType.tool: Tool,
     EntityType.vulnerability: Vulnerability,
+    EntityType.exploit: Exploit,
 }
 
 TYPE_VALIDATOR_MAP = {}
@@ -225,6 +262,7 @@ def validate_entity(ent: Entity) -> bool:
     | ThreatActor
     | Tool
     | Vulnerability
+    | Exploit
 )
 
 
@@ -242,4 +280,5 @@ def validate_entity(ent: Entity) -> bool:
     | Type[ThreatActor]
     | Type[Tool]
     | Type[Vulnerability]
+    | Type[Exploit]
 )
diff --git a/core/schemas/indicator.py b/core/schemas/indicator.py
@@ -30,6 +30,7 @@ class IndicatorType(str, Enum):
     sigma = "sigma"
     query = "query"
     forensicartifact = "forensicartifact"
+    av_signature = "av_signature"
 
 
 class IndicatorMatch(BaseModel):
@@ -314,6 +315,15 @@ def save_indicators(self, create_links: bool = False):
         return indicators
 
 
+class av_signature(Indicator):
+    _type_filter: ClassVar[str] = IndicatorType.av_signature
+    type: Literal[IndicatorType.av_signature] = IndicatorType.av_signature
+    software: str = ""
+
+    def match(self, value: str) -> IndicatorMatch | None:
+        raise NotImplementedError
+
+
 ARTIFACT_INTERPOLATION_RE = re.compile(r"%%[a-z._]+%%")
 ARTIFACT_INTERPOLATION_RE_HKEY_USERS = re.compile(r"HKEY_USERS\\%%users.sid%%")
 
@@ -323,6 +333,7 @@ def save_indicators(self, create_links: bool = False):
     "sigma": Sigma,
     "query": Query,
     "forensicartifact": ForensicArtifact,
+    "av_signature": av_signature,
     "indicator": Indicator,
     "indicators": Indicator,
 }

diff --git a/core/schemas/observable.py b/core/schemas/observable.py
@@ -20,6 +20,7 @@ class ObservableType(str, Enum):
     certificate = "certificate"
     cidr = "cidr"
     command_line = "command_line"
+    cookie = "cookie"
     docker_image = "docker_image"
     email = "email"
     file = "file"
@@ -29,6 +30,7 @@ class ObservableType(str, Enum):
     imphash = "imphash"
     ipv4 = "ipv4"
     ipv6 = "ipv6"
+    jarm = "jarm"
     mac_address = "mac_address"
     md5 = "md5"
     generic = "generic"
@@ -194,6 +196,7 @@ def find_type(value: str) -> ObservableType | None:
     certificate,  # noqa: F401
     cidr,  # noqa: F401
     command_line,  # noqa: E402, F401
+    cookie,  # noqa: F401
     docker_image,  # noqa: F401
     email,  # noqa: F401
     file,  # noqa: F401
@@ -203,6 +206,7 @@ def find_type(value: str) -> ObservableType | None:
     imphash,  # noqa: F401
     ipv4,  # noqa: F401
     ipv6,  # noqa: F401
+    jarm,  # noqa: F401
     mac_address,  # noqa: F401
     md5,  # noqa: F401
     path,  # noqa: F401

diff --git a/core/schemas/observables/asn.py b/core/schemas/observables/asn.py
@@ -7,6 +7,7 @@ class ASN(observable.Observable):
     type: Literal[observable.ObservableType.asn] = observable.ObservableType.asn
     country: str | None = None
     description: str | None = None
+    name: str | None = None
 
 
 observable.TYPE_MAPPING[observable.ObservableType.asn] = ASN
diff --git a/core/schemas/observables/cookie.py b/core/schemas/observables/cookie.py
@@ -0,0 +1,26 @@
+import datetime
+from typing import Literal, Optional
+
+from core.schemas import observable
+
+
+class Cookie(observable.Observable):
+    type: Literal[observable.ObservableType.cookie] = observable.ObservableType.cookie
+
+    http_only: bool = False
+    secure: bool = False
+    type_cookie: Literal[
+        "Session management",
+        "Tracking",
+        "Personalization",
+        "Security",
+        "Exfiltration",
+        "Beaconing",
+        "Other",
+    ] = "Session management"
+    expires: Optional[datetime.datetime] = None
+    name: Optional[str] = None
+    cookie: Optional[str] = None
+
+
+observable.TYPE_MAPPING[observable.ObservableType.cookie] = Cookie
diff --git a/core/schemas/observables/jarm.py b/core/schemas/observables/jarm.py
@@ -0,0 +1,15 @@
+from typing import Literal
+
+from core.schemas import observable
+
+
+class Jarm(observable.Observable):
+    """Represents a JARM fingerprint.
+
+    Value should be in the form JARM:<HASH>.
+    """
+
+    type: Literal[observable.ObservableType.jarm] = observable.ObservableType.jarm
+
+
+observable.TYPE_MAPPING[observable.ObservableType.jarm] = Jarm
diff --git a/core/schemas/observables/path.py b/core/schemas/observables/path.py
@@ -1,10 +1,15 @@
+from datetime import datetime
 from typing import Literal
 
 from core.schemas import observable
 
 
 class Path(observable.Observable):
     type: Literal[observable.ObservableType.path] = observable.ObservableType.path
+    creation_time: datetime | None = None
+    modification_time: datetime | None = None
+    access_time: datetime | None = None
+    path_encoding: str | None = None
 
 
 observable.TYPE_MAPPING[observable.ObservableType.path] = Path
diff --git a/core/web/apiv2/import_data.py b/core/web/apiv2/import_data.py
@@ -1,13 +1,17 @@
+import json
+
 from fastapi import APIRouter, File, UploadFile
 
+from core.common.misp_to_yeti import MispToYeti
+
 router = APIRouter()
 
 
 @router.post("/import_misp_json", tags=["import_misp_json"])
 async def import_misp_json(misp_file_json: UploadFile = File(...)):
-    # contents = await misp_file_json.read()
-    # data_json = json.loads(contents)
+    contents = await misp_file_json.read()
+    data_json = json.loads(contents)
 
-    # converter = MispToYeti(data_json["Event"])
-    # converter.misp_to_yeti()
+    converter = MispToYeti(data_json["Event"])
+    converter.misp_to_yeti()
     return {"status": True}