Microsoft threat actor taxonomy to MISP format converter
import uuid
from pprint import pprint
import json
import requests
# https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide
# https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/
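def main():
    """Convert Microsoft's threat actor naming feed into MISP-style clusters.

    Downloads the MicrosoftMapping.json feed, builds one cluster dict per
    feed entry, sorts the clusters by their ``value`` and prints the list
    to stdout as a single JSON document.

    Raises:
        requests.HTTPError: if the feed request returns an error status.
        requests.Timeout: if the server does not answer within the timeout.
        KeyError: if a feed entry lacks one of the expected fields.
    """
    # NOTE(review): the feed is read from the mutable ``master`` branch, so
    # the output can differ between runs; review the generated JSON before
    # importing it into MISP.
    URL = "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json"
    reference = 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'
    # Fixed namespace: uuid5() then yields the same UUID for the same actor
    # name on every run, so regenerated clusters keep their identifiers.
    namespace = uuid.UUID("76beed5f-7251-457e-8c2a-b45f7b589d3d")

    # requests applies no timeout by default; without one a stalled
    # connection would block the script indefinitely.
    r = requests.get(URL, timeout=30)
    r.raise_for_status()

    lcluster = []
    for entry in r.json():
        name = entry["New name"]
        lcluster.append({
            'value': name,
            'meta': {
                'sector': entry["Origin/Threat"],
                # The previous Microsoft name comes first, then the other
                # names listed for the same actor.
                'synonyms': [entry["Previous name"]] + entry["Other names"],
                'refs': [reference],
            },
            'uuid': str(uuid.uuid5(namespace, f"{name}")),
        })

    # Sort by actor name so the printed output has a stable order.
    print(json.dumps(sorted(lcluster, key=lambda c: c["value"])))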
# Run the conversion only when executed as a script, not when imported.
if __name__ == "__main__":
    main()