diff --git a/external-import/crowdstrike/src/crowdstrike_feeds_connector/actor/builder.py b/external-import/crowdstrike/src/crowdstrike_feeds_connector/actor/builder.py index bc5c546b35..7e11b22c86 100644 --- a/external-import/crowdstrike/src/crowdstrike_feeds_connector/actor/builder.py +++ b/external-import/crowdstrike/src/crowdstrike_feeds_connector/actor/builder.py @@ -11,8 +11,6 @@ create_regions_and_countries_from_entities, create_sectors_from_entities, create_targets_relationships, - datetime_utc_epoch_start, - datetime_utc_now, normalize_start_time_and_stop_time, remove_html_tags, timestamp_to_datetime, @@ -62,12 +60,7 @@ def __init__( self.confidence_level = confidence_level first_seen = timestamp_to_datetime(self.actor["first_activity_date"]) - if first_seen is None: - first_seen = datetime_utc_epoch_start() - last_seen = timestamp_to_datetime(self.actor["last_activity_date"]) - if last_seen is None: - last_seen = datetime_utc_now() first_seen, last_seen = normalize_start_time_and_stop_time( first_seen, last_seen @@ -233,8 +226,6 @@ def _create_originates_from_relationships( targets, self.confidence_level, self.object_markings, - start_time=self.first_seen, - stop_time=self.last_seen, ) def build(self) -> Bundle: diff --git a/external-import/crowdstrike/src/crowdstrike_feeds_connector/indicator/builder.py b/external-import/crowdstrike/src/crowdstrike_feeds_connector/indicator/builder.py index 850c96bc97..e425e6e6d0 100644 --- a/external-import/crowdstrike/src/crowdstrike_feeds_connector/indicator/builder.py +++ b/external-import/crowdstrike/src/crowdstrike_feeds_connector/indicator/builder.py 
@@ -150,8 +150,6 @@ def __init__(self, config: IndicatorBundleBuilderConfig) -> None: self.observation_factory = self._get_observation_factory(self.indicator["type"]) - self.first_seen = timestamp_to_datetime(self.indicator["published_date"]) - @classmethod def _get_observation_factory(cls, indicator_type: str) -> ObservationFactory: factory = cls._INDICATOR_TYPE_TO_OBSERVATION_FACTORY.get(indicator_type) @@ -227,7 +225,6 @@ def _create_uses_relationships( targets, self.confidence_level, self.object_markings, - start_time=self.first_seen, ) def _create_targeted_sectors(self) -> List[Identity]: @@ -246,7 +243,6 @@ def _create_targets_relationships( targets, self.confidence_level, self.object_markings, - start_time=self.first_seen, ) def _create_vulnerability(self, name: str): @@ -383,6 +379,7 @@ def _create_indicator( created_by=self.author, name=indicator_value, valid_from=indicator_published, + created=indicator_published, kill_chain_phases=kill_chain_phases, labels=labels, confidence=self.confidence_level, @@ -411,7 +408,6 @@ def _create_indicates_relationships( targets, self.confidence_level, self.object_markings, - start_time=self.first_seen, ) def _create_report( diff --git a/external-import/crowdstrike/src/crowdstrike_feeds_connector/report/builder.py b/external-import/crowdstrike/src/crowdstrike_feeds_connector/report/builder.py index fb5005cd3f..3fcf893e64 100644 --- a/external-import/crowdstrike/src/crowdstrike_feeds_connector/report/builder.py +++ b/external-import/crowdstrike/src/crowdstrike_feeds_connector/report/builder.py @@ -15,8 +15,6 @@ create_stix2_report_from_report, create_targets_relationships, create_uses_relationships, - datetime_utc_epoch_start, - datetime_utc_now, normalize_start_time_and_stop_time, timestamp_to_datetime, ) 
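Review bot: `created=indicator_published` in `_create_indicator` makes the STIX `created` timestamp a feed-supplied value, and nothing visible in the hunk checks that the value is present or plausible. If the published date is missing, `created` is `None` and the object presumably falls back to the time of ingest, so indicators from the same feed would mix source-publication and ingest times in one field. A short comment above the argument would record the intent, e.g. `# created mirrors the CrowdStrike published date, not the ingest time`. It is also worth confirming how a missing or future-dated value is handled downstream. The same applies to `created=self.first_seen` in `_create_yara_indicator` (yara_master_builder.py); both function bodies extend outside their hunks.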
@@ -66,12 +64,7 @@ def __init__( # Use report dates for start time and stop time. start_time = timestamp_to_datetime(self.report["created_date"]) - if start_time is None: - start_time = datetime_utc_epoch_start() - - stop_time = timestamp_to_datetime(self.report["last_modified_date"]) - if stop_time is None: - stop_time = datetime_utc_now() + stop_time = None start_time, stop_time = normalize_start_time_and_stop_time( start_time, stop_time diff --git a/external-import/crowdstrike/src/crowdstrike_feeds_connector/rule/yara_master_builder.py b/external-import/crowdstrike/src/crowdstrike_feeds_connector/rule/yara_master_builder.py index cd5c1daefe..98963d6738 100644 --- a/external-import/crowdstrike/src/crowdstrike_feeds_connector/rule/yara_master_builder.py +++ b/external-import/crowdstrike/src/crowdstrike_feeds_connector/rule/yara_master_builder.py @@ -146,7 +146,6 @@ def _create_uses_relationships( targets, self.confidence_level, self.object_markings, - start_time=self.first_seen, ) def _create_indicators(self) -> List[Indicator]: @@ -162,6 +161,7 @@ def _create_yara_indicator(self) -> Indicator: name=rule.name, description=rule.description, valid_from=self.first_seen, + created=self.first_seen, confidence=self.confidence_level, object_markings=self.object_markings, ) @@ -175,7 +175,6 @@ def _create_indicates_relationships( targets, self.confidence_level, self.object_markings, - start_time=self.first_seen, ) def _create_reports(self, objects: List[_DomainObject]) -> List[STIXReport]: diff --git a/external-import/crowdstrike/src/crowdstrike_feeds_services/utils/__init__.py b/external-import/crowdstrike/src/crowdstrike_feeds_services/utils/__init__.py index edd727a17c..29f8d07b16 100644 --- a/external-import/crowdstrike/src/crowdstrike_feeds_services/utils/__init__.py +++ b/external-import/crowdstrike/src/crowdstrike_feeds_services/utils/__init__.py 
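Review bot: The comment `# Use report dates for start time and stop time.` in `__init__` is stale, because `stop_time` is now hard-coded to `None` and only `created_date` is read. With `stop_time = None`, the `normalize_start_time_and_stop_time(start_time, stop_time)` call that follows appears to be a no-op, since both of its branches now require non-None inputs. Either drop the call or reword the comment, e.g. `# Only the report creation date is used; stop time is intentionally left unset.` `start_time` can also be `None` now that the epoch fallback is gone, so whatever consumes it later in `__init__` (outside the hunk) has to accept that.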
@@ -270,13 +270,13 @@ def normalize_start_time_and_stop_time( STIX 2 Relationship object expects the stop time to be later than the start time or the creation of Relationship object fails. """ - if start_time == stop_time: + if start_time is not None and stop_time is not None and start_time == stop_time: logger.warning("Start time equals stop time, adding 1 second to stop time") stop_time += timedelta(seconds=1) return start_time, stop_time - if start_time > stop_time: + if start_time is not None and stop_time is not None and start_time > stop_time: logger.warning("Start time is greater than stop time, swapping times") start_time, stop_time = stop_time, start_time @@ -686,8 +686,6 @@ def create_indicates_relationships( targets: List[_DomainObject], confidence: int, object_markings: List[stix2.MarkingDefinition], - start_time: Optional[datetime] = None, - stop_time: Optional[datetime] = None, ) -> List[stix2.Relationship]: """Create 'indicates' relationships.""" return create_relationships( @@ -697,8 +695,6 @@ def create_indicates_relationships( targets, confidence, object_markings, - start_time=start_time, - stop_time=stop_time, ) @@ -708,8 +704,6 @@ def create_originates_from_relationships( targets: List[_DomainObject], confidence: int, object_markings: List[stix2.MarkingDefinition], - start_time: Optional[datetime] = None, - stop_time: Optional[datetime] = None, ) -> List[stix2.Relationship]: """Create 'originates-from' relationships.""" return create_relationships( @@ -719,8 +713,6 @@ def create_originates_from_relationships( targets, confidence, object_markings, - start_time=start_time, - stop_time=stop_time, ) @@ -730,8 +722,6 @@ def create_based_on_relationships( targets: List[_DomainObject], confidence: int, object_markings: List[stix2.MarkingDefinition], - start_time: Optional[datetime] = None, - stop_time: Optional[datetime] = None, ) -> List[stix2.Relationship]: """Create 'based-on' relationships.""" return create_relationships( 
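Review bot: Both added guards in `normalize_start_time_and_stop_time` repeat `start_time is not None and stop_time is not None`. A single early return placed before the comparisons states the rule once: `if start_time is None or stop_time is None: return start_time, stop_time`. The function now accepts and returns `None`, so its annotations (outside the hunk) should presumably become `Optional[datetime]`. The docstring should also say that an unset bound is passed through unchanged, since the actor and report builders in this diff now rely on that.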
@@ -741,8 +731,6 @@ def create_based_on_relationships( targets, confidence, object_markings, - start_time=start_time, - stop_time=stop_time, ) @@ -974,6 +962,7 @@ def create_indicator( name: Optional[str] = None, description: Optional[str] = None, valid_from: Optional[datetime] = None, + created: Optional[datetime] = None, kill_chain_phases: Optional[List[stix2.KillChainPhase]] = None, labels: Optional[List[str]] = None, confidence: Optional[int] = None, @@ -1001,6 +990,7 @@ def create_indicator( pattern=pattern, pattern_type=pattern_type, valid_from=valid_from, + created=created, kill_chain_phases=kill_chain_phases, labels=labels, confidence=confidence,
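Review bot: `created` is inserted between `valid_from` and `kill_chain_phases` in `create_indicator`'s signature, which shifts every later parameter for any caller that passes them positionally. The callers visible in this diff use keywords, so this may be safe in practice, but appending `created: Optional[datetime] = None` at the end of the parameter list avoids the risk. The function's docstring, if it has one outside the hunk, should note that `created` sets the object's creation timestamp and that `None` presumably leaves the library default in place. The following hunk forwards the value as `created=created`.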