colander_data_converter.converters.misp.converter

class colander_data_converter.converters.misp.converter.ColanderToMISPMapper

Bases: MISPMapper

Mapper class for converting Colander objects to MISP format.

Handles the conversion of various Colander entity types (threats, actors, events, artifacts, etc.) to their corresponding MISP object representations using predefined mapping configurations.

static get_element_from_event(event, uuid, types)

Retrieve an element (object or attribute) from a MISP event by UUID and type.

Parameters:

• event (MISPEvent) – The MISP event to search within.

• uuid (str) – The UUID of the element to find.

• types (List[str]) – List of types to search for (“object”, “attribute”).

Returns:

The found element and its type as a string (“Object” or “Attribute”), or (None, None) if not found.

Return type:

Tuple[MISPObject | MISPAttribute | None, str | None]

convert_case(case, feed)

Convert a Colander Case and its associated ColanderFeed into a MISPEvent.

This method performs the following steps:

1. Initializes a new MISPEvent using the case information.

2. Iterates over all entities in the feed, converting each to a MISP object or attribute.

   • Entities that cannot be converted are added to the skipped list.

   • MISPAttributes are added as attributes to the event.

   • MISPObjects are added as objects to the event.

3. Processes immutable relations for each entity, adding corresponding relationships or tags to the event.

4. Processes regular (non-immutable) relations for each entity, adding relationships to the event.

5. Returns the constructed MISPEvent and a list of skipped entities.

Parameters:

• case (Case) – The Colander case to convert.

• feed (ColanderFeed) – The feed containing entities and relations to convert.

Returns:

The resulting MISPEvent and a list of entities that were skipped during conversion.

Return type:

Tuple[MISPEvent | None, List[Annotated[Actor | Artifact | DataFragment | Observable | DetectionRule | Device | Event | Threat, FieldInfo(annotation=NoneType, required=True, discriminator=’colander_internal_type’)]]]

convert_colander_object(colander_object)

Convert a Colander object to its corresponding MISP representation.

This method performs the core conversion logic by:

1. Looking up the appropriate mapping for the Colander object type

2. Creating the corresponding MISP object (Attribute or Object)

3. Mapping fields, literals, and attributes from Colander to MISP format

Parameters:

colander_object (Annotated[Actor | Artifact | DataFragment | Observable | DetectionRule | Device | Event | Threat, FieldInfo(annotation=NoneType, required=True, discriminator='colander_internal_type')]) – The Colander object to convert

Returns:

The converted MISP object, or None if no mapping exists

Return type:

AbstractMISP | TagStub | None

convert_immutable_relations(event, colander_object)

Create relationships in a MISP event based on the Colander object’s immutable relations.

This method processes each immutable relation defined in the Colander object, determines the appropriate mapping and direction, and adds the corresponding relationship or tag to the MISP event.

Parameters:

• event (MISPEvent) – The MISP event to which relationships or tags will be added.

• colander_object (Annotated[Actor | Artifact | DataFragment | Observable | DetectionRule | Device | Event | Threat, FieldInfo(annotation=NoneType, required=True, discriminator='colander_internal_type')]) – The Colander object containing immutable relations.

Note

• If the relation mapping specifies ‘use_tag’, a tag is added to the relevant MISP attribute.

• Otherwise, a relationship is created between MISP objects or attributes as defined by the mapping.

convert_relations(event, colander_relations)

Create relationships in a MISP event based on a list of Colander relations.

This method finds the corresponding MISP objects or attributes for each relation and adds the relationship to the source object.

Parameters:

• event (MISPEvent) – The MISP event to which relationships will be added.

• colander_relations (List[EntityRelation]) – List of Colander relations to convert.

class colander_data_converter.converters.misp.converter.MISPConverter

Bases: object

Converter for MISP data to Colander data and vice versa. Uses the mapping file to convert between formats.

static colander_to_misp(colander_feed)

Convert a Colander feed to a list of MISP events. Each Colander case is converted to a MISP event.

Parameters:

colander_feed (ColanderFeed) – The Colander feed containing cases to convert.

Returns:

A list of MISP events, or None if no cases are found.

Return type:

List[MISPEvent] | None

static misp_to_colander(misp_feed)

Convert a MISP feed to a list of Colander feeds. Each MISP event is converted to a separate Colander feed.

Parameters:

misp_feed (MISPFeed) – The MISP feed containing events to convert.

Returns:

A list of Colander feeds, or None if no events are found.

Return type:

List[ColanderFeed] | None

class colander_data_converter.converters.misp.converter.MISPMapper

Bases: object

Base mapper class for MISP conversions.

Provides common functionality for mapping Colander data structures to MISP objects.

static tlp_level_to_tag(tlp_level)

Convert a Colander TLP (Traffic Light Protocol) level to a MISP tag.

Parameters:

tlp_level (TlpPapLevel) – The TLP level to convert

Returns:

A MISP tag object with the TLP level name

Return type:

MISPTag

class colander_data_converter.converters.misp.converter.MISPToColanderMapper

Bases: MISPMapper

convert_attribute(misp_attribute, event_tags=None)

Return type:

Annotated[Actor | Artifact | DataFragment | Observable | DetectionRule | Device | Event | Threat, FieldInfo(annotation=NoneType, required=True, discriminator=’colander_internal_type’)] | None

convert_attributes(misp_event)

Return type:

List[Annotated[Actor | Artifact | DataFragment | Observable | DetectionRule | Device | Event | Threat, FieldInfo(annotation=NoneType, required=True, discriminator=’colander_internal_type’)]]

convert_misp_event(event)

Convert a MISPEvent into a Colander case and feed.

This method performs the following steps:

1. Creates a new Case instance using the event information.

2. Initializes a ColanderFeed and adds the case to it.

3. Converts all MISP objects in the event to Colander entities and adds them to the feed.

4. Converts all MISP attributes in the event to Colander entities and adds them to the feed.

5. Converts all relations in the event to Colander relations and adds them to the feed.

6. Returns the constructed Case and ColanderFeed.

Parameters:

event (MISPEvent) – The MISP event to convert.

Returns:

The resulting Case and Feed.

Return type:

Tuple[Case, ColanderFeed]

convert_object(misp_object)

Convert a MISPObject to its corresponding Colander entity.

This method uses the mapping configuration to extract the entity name and attributes from the MISPObject, then creates and populates a Colander entity instance.

Parameters:

misp_object (MISPObject) – The MISP object to convert.

Returns:

The resulting Colander entity, or None if mapping or name is missing.

Return type:

Annotated[Actor | Artifact | DataFragment | Observable | DetectionRule | Device | Event | Threat, FieldInfo(annotation=NoneType, required=True, discriminator=’colander_internal_type’)] | None

convert_objects(misp_object)

Return type:

List[Annotated[Actor | Artifact | DataFragment | Observable | DetectionRule | Device | Event | Threat, FieldInfo(annotation=NoneType, required=True, discriminator=’colander_internal_type’)]]

convert_relations(event)

Return type:

List[EntityRelation]

convert_tags(colander_entity, tags)