work in progress for mandiant threat intel integration, cisagov#358

mmguero-dev · Nov 6, 2024 · 1e14ac4 · 1e14ac4
1 parent c02b1b8
commit 1e14ac4
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/shared/bin/zeek_threat_feed_utils.py b/shared/bin/zeek_threat_feed_utils.py
@@ -255,6 +255,9 @@ def map_mandiant_indicator_to_zeek(
         tags = []
 
         zeekItem[ZEEK_INTEL_INDICATOR_TYPE] = "Intel::" + zeek_type
+
+        if hasattr(indicator, 'id'):
+            zeekItem[ZEEK_INTEL_META_DESC] = indicator.id
         if hasattr(indicator, 'mscore'):
             zeekItem[ZEEK_INTEL_CIF_CONFIDENCE] = str(round(indicator.mscore / 10))
         if hasattr(indicator, 'first_seen'):
@@ -282,9 +285,6 @@ def map_mandiant_indicator_to_zeek(
         if tags:
             zeekItem[ZEEK_INTEL_CIF_TAGS] = ','.join(tags)
 
-        # ZEEK_INTEL_META_DESC = 'meta.desc'
-        # ZEEK_INTEL_META_URL = 'meta.url'
-
         if isinstance(indicator, mandiant_threatintel.MD5Indicator):
             pass
             # the MD5Indicator class can actually have multiple types of hashes,