Description
Summary
The misp-intel stream connector currently skips marking-definition objects and does not extract report_types from STIX report containers. Both of these fields have natural mappings to MISP tags and should be preserved during conversion.
Current Behavior
TLP Markings
In stix_to_misp_converter.py → convert_bundle_to_event(), marking-definition objects are explicitly skipped:

```python
if obj_type in [
    "report", "grouping", "case-incident", ...
    "marking-definition",  # ← skipped entirely
    "relationship",
]:
    continue
```

STIX bundles from OpenCTI include marking-definition objects with TLP definitions (e.g., marking-definition--f88d31f6-486f-44da-b317-01333bde0b82 for TLP:WHITE). These are dropped during conversion, so the resulting MISP event has no TLP tags.
Report Types
In _create_base_event(), only labels are mapped to MISP tags:

```python
for label in container.get("labels", []):
    event.add_tag(label)
```

The report_types field from STIX reports (e.g., ["threat-report"], ["attack-pattern"]) is not extracted or mapped, so this metadata is lost during conversion.
Expected Behavior
TLP Markings → MISP TLP Tags
marking-definition objects should be parsed and mapped to standard MISP TLP tags:
| STIX Marking Definition | MISP Tag |
|---|---|
| marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9 | tlp:white |
| marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da | tlp:green |
| marking-definition--f88d31f6-486f-44da-b317-01333bde0b82 | tlp:amber |
| marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed | tlp:red |
Additionally, the container's object_marking_refs should be resolved against the bundle's marking-definition objects to apply the correct TLP tags to the MISP event.
MISP natively supports tlp:* taxonomy tags — this is a well-established convention.
Report Types → MISP Tags
report_types from the STIX container should be mapped to MISP tags using the report-type taxonomy:

```python
for report_type in container.get("report_types", []):
    event.add_tag(f"report-type:{report_type}")
```

Examples: report-type:threat-report, report-type:attack-pattern, report-type:campaign
Proposed Implementation
1. TLP Mapping (in convert_bundle_to_event)
Before the main processing loop, build a lookup of marking definitions from the bundle:
```python
# Build marking definition lookup
marking_lookup = {}
for stix_obj in stix_bundle.get("objects", []):
    if stix_obj.get("type") == "marking-definition":
        definition = stix_obj.get("definition", {})
        tlp = definition.get("tlp", "")
        if tlp:
            marking_lookup[stix_obj["id"]] = f"tlp:{tlp}"

# Apply TLP tags from the container's object_marking_refs
for marking_ref in container.get("object_marking_refs", []):
    tag = marking_lookup.get(marking_ref)
    if tag:
        misp_event.add_tag(tag)
```

2. Report Types Mapping (in _create_base_event)
After the existing labels loop, add:
```python
# Process report_types as tags
for report_type in container.get("report_types", []):
    event.add_tag(f"report-type:{report_type}")
```

Impact
- Low risk: additive change only (new tags on events)
- High value: TLP markings are critical metadata for intelligence sharing workflows
- Both changes are straightforward and isolated to stix_to_misp_converter.py
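The two proposed changes combined into one stand-alone added example (not the connector's own code): the marking lookup plus container tag resolution run over a constructed bundle, returning a tag list instead of calling MISPEvent.add_tag so it runs without pymisp. It also covers the cases a resolver has to tolerate that the snippets above do not show: a non-TLP "statement" marking, a dangling object_marking_ref, a duplicated ref, and an upper-case tlp value.

```python
from typing import Any, Dict, List

# Constructed sample bundle (not the connector's test data): a report marked
# TLP:AMBER, plus a "statement" marking and a dangling ref that must be ignored.
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
STATEMENT = "marking-definition--00000000-0000-4000-8000-0000000000aa"
MISSING = "marking-definition--00000000-0000-4000-8000-00000000dead"
SAMPLE_BUNDLE: Dict[str, Any] = {
    "objects": [
        {"type": "marking-definition", "id": TLP_AMBER,
         "definition_type": "tlp", "definition": {"tlp": "AMBER"}},
        {"type": "marking-definition", "id": STATEMENT,
         "definition_type": "statement", "definition": {"statement": "Copyright ACME"}},
        {"type": "report", "id": "report--00000000-0000-4000-8000-000000000002",
         "labels": ["apt"], "report_types": ["threat-report", "campaign"],
         "object_marking_refs": [TLP_AMBER, STATEMENT, MISSING, TLP_AMBER]},
    ],
}


def build_marking_lookup(bundle: Dict[str, Any]) -> Dict[str, str]:
    """Map marking-definition ids to MISP tlp:* tags; non-TLP markings are skipped."""
    lookup: Dict[str, str] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "marking-definition":
            continue
        tlp = obj.get("definition", {}).get("tlp", "")
        if tlp:
            # Normalise case so "AMBER" and "amber" both give the MISP taxonomy form.
            lookup[obj["id"]] = f"tlp:{tlp.lower()}"
    return lookup


def container_tags(container: Dict[str, Any], lookup: Dict[str, str]) -> List[str]:
    """MISP tags for one STIX container: labels, resolved TLP markings, report types."""
    tags: List[str] = list(container.get("labels", []))
    for ref in container.get("object_marking_refs", []):
        tag = lookup.get(ref)  # unknown or non-TLP refs resolve to None and are dropped
        if tag:
            tags.append(tag)
    for report_type in container.get("report_types", []):
        tags.append(f"report-type:{report_type}")
    # Deduplicate while keeping order: a repeated ref yields one tag, not two.
    return list(dict.fromkeys(tags))


def convert_sample() -> List[str]:
    report = next(o for o in SAMPLE_BUNDLE["objects"] if o["type"] == "report")
    return container_tags(report, build_marking_lookup(SAMPLE_BUNDLE))
```

In the connector the returned list would be fed to misp_event.add_tag, one tag per entry.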
Environment
- Connector: stream/misp-intel
- File: src/misp_intel_connector/stix_to_misp_converter.py