def main():
stix_package = STIXPackage()
ta = ThreatActor()
ta.title = "Disco Team Threat Actor Group"
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
identity_spec.party_name = PartyName()
identity_spec.party_name.add_organisation_name(OrganisationName("Disco Tean", type_="CommonUse"))
identity_spec.party_name.add_organisation_name(OrganisationName("Equipo del Discoteca", type_="UnofficialName"))
identity_spec.add_language("Spanish")
address = Address()
address.country = Country()
address.country.add_name_element("United States")
address.administrative_area = AdministrativeArea()
address.administrative_area.add_name_element("California")
identity_spec.add_address(address)
identity_spec.add_electronic_address_identifier("*****@*****.**")
ta.identity.specification = identity_spec
stix_package.add_threat_actor(ta)
print stix_package.to_xml()
def add_external_or_partner_actor_ttem(item, pkg):
ta = ThreatActor()
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
country_item = item.get('country')
if not country_item:
error("Required 'country' item is missing in 'actor/external' or 'actor/partner' item")
else:
for c in country_item:
address = Address()
address.country = Country()
address.country.add_name_element(c)
identity_spec.add_address(address)
ta.identity.specification = identity_spec
motive_item = item.get('motive')
if not motive_item:
error("Required 'motive' item is missing in 'actor/external' or 'actor/partner' item")
else:
for m in motive_item:
motivation = Statement()
motivation.value = map_motive_item_to_motivation(m)
ta.add_motivation(motivation)
variety_item = item.get('variety')
if not variety_item:
error("Required 'variety' item is missing in 'actor/external' or 'actor/partner' item")
else:
for v in variety_item:
ta_type = Statement()
ta_type.value = map_actor_variety_item_to_threat_actor_type(v)
ta.add_type(ta_type)
notes_item = item.get('notes')
if notes_item:
ta.description = "Notes: " + escape(notes_item)
pkg.add_threat_actor(ta)
def main():
stix_package = STIXPackage()
ta = ThreatActor()
ta.title = "Disco Team Threat Actor Group"
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
identity_spec.party_name = PartyName()
identity_spec.party_name.add_organisation_name(
OrganisationName("Disco Team", type_="CommonUse"))
identity_spec.party_name.add_organisation_name(
OrganisationName("Equipo del Discoteca", type_="UnofficialName"))
identity_spec.add_language("Spanish")
address = Address()
address.country = Country()
address.country.add_name_element("United States")
address.administrative_area = AdministrativeArea()
address.administrative_area.add_name_element("California")
identity_spec.add_address(address)
identity_spec.add_electronic_address_identifier(
"*****@*****.**")
identity_spec.add_electronic_address_identifier(
"facebook.com/thediscoteam")
identity_spec.add_electronic_address_identifier(
"twitter.com/realdiscoteam")
ta.identity.specification = identity_spec
stix_package.add_threat_actor(ta)
print(stix_package.to_xml(encoding=None))
def add_victim_item(victim_item, incident):
global targets_item
victim_identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
victim_identity.specification = identity_spec
if targets_item:
for item in targets_item:
victim_identity.add_role(item)
country_item = victim_item.get('country')
if not country_item:
error("Required 'country' item is missing in 'victim' item")
else:
for c in country_item:
address = Address()
address.country = Country()
address.country.add_name_element(c)
state_item = victim_item.get('state')
if state_item:
address.administrative_area = AdministrativeArea()
address.administrative_area.add_name_element(state_item)
identity_spec.add_address(address)
# no organisationInfo details - https://github.com/STIXProject/python-stix/issues/108
if victim_item.get("employee_count"):
warn("'victim/employee_count' item not handled, yet")
if victim_item.get("industry"):
warn("'victim/industry' item not handled, yet")
if victim_item.get("revenue"):
warn("'victim/revenue' item not handled, yet")
victim_id_item = victim_item.get('victim_id')
if victim_id_item:
partyName = PartyName()
# id might be inappropriate for name
partyName.add_name_line(victim_id_item)
identity_spec.party_name = partyName
incident.add_victim(victim_identity)
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
"""
This utility functions aids in the creation of an AIS marking and appends
it to the provided STIX package.
Args:
stix_package: A stix.core.STIXPackage object.
proprietary: True if marking uses IsProprietary, False for
NotProprietary.
consent: A string with one of the following values: "EVERYONE", "NONE"
or "USG".
color: A string that corresponds to TLP values: "WHITE", "GREEN" or
"AMBER".
**kwargs: Six required keyword arguments that are used to create a CIQ
identity object. These are: country_name_code,
country_name_code_type, admin_area_name_code,
admin_area_name_code_type, organisation_name, industry_type.
Raises:
ValueError: When keyword arguments are missing. User did not supply
correct values for: proprietary, color and consent.
Note:
The following line is required to register the AIS extension::
>>> import stix.extensions.marking.ais
Any Markings under STIX Header will be removed. Please follow the
guidelines for `AIS`_.
The industry_type keyword argument accepts: a list of string based on
defined sectors, a pipe-delimited string of sectors, or a single
sector.
.. _AIS:
https://www.us-cert.gov/ais
"""
from stix.common import InformationSource
from stix.extensions.identity.ciq_identity_3_0 import (
CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
Country, NameElement, OrganisationInfo, AdministrativeArea)
from stix.core.stix_header import STIXHeader
from stix.data_marking import MarkingSpecification, Marking
args = ('country_name_code', 'country_name_code_type', 'industry_type',
'admin_area_name_code', 'admin_area_name_code_type',
'organisation_name')
diff = set(args) - set(kwargs.keys())
if diff:
msg = 'All keyword arguments must be provided. Missing: {0}'
raise ValueError(msg.format(tuple(diff)))
party_name = PartyName()
party_name.add_organisation_name(kwargs['organisation_name'])
country = Country()
country_name = NameElement()
country_name.name_code = kwargs['country_name_code']
country_name.name_code_type = kwargs['country_name_code_type']
country.add_name_element(country_name)
admin_area = AdministrativeArea()
admin_area_name = NameElement()
admin_area_name.name_code = kwargs['admin_area_name_code']
admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
admin_area.add_name_element(admin_area_name)
address = Address()
address.country = country
address.administrative_area = admin_area
org_info = OrganisationInfo()
org_info.industry_type = _validate_and_create_industry_type(
kwargs['industry_type'])
id_spec = STIXCIQIdentity3_0()
id_spec.party_name = party_name
id_spec.add_address(address)
id_spec.organisation_info = org_info
identity = CIQIdentity3_0Instance()
identity.specification = id_spec
if proprietary is True:
proprietary_obj = IsProprietary()
consent = 'EVERYONE'
elif proprietary is False:
proprietary_obj = NotProprietary()
else:
raise ValueError('proprietary expected True or False.')
proprietary_obj.ais_consent = AISConsentType(consent=consent)
proprietary_obj.tlp_marking = TLPMarkingType(color=color)
ais_marking = AISMarkingStructure()
if isinstance(proprietary_obj, IsProprietary):
ais_marking.is_proprietary = proprietary_obj
else:
ais_marking.not_proprietary = proprietary_obj
marking_spec = MarkingSpecification()
marking_spec.controlled_structure = '//node() | //@*'
marking_spec.marking_structures.append(ais_marking)
marking_spec.information_source = InformationSource()
marking_spec.information_source.identity = identity
if not stix_package.stix_header:
stix_package.stix_header = STIXHeader()
# Removes any other Markings if present.
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking_spec)
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
"""
This utility functions aids in the creation of an AIS marking and appends
it to the provided STIX package.
Args:
stix_package: A stix.core.STIXPackage object.
proprietary: True if marking uses IsProprietary, False for
NotProprietary.
consent: A string with one of the following values: "EVERYONE", "NONE"
or "USG".
color: A string that corresponds to TLP values: "WHITE", "GREEN" or
"AMBER".
**kwargs: Six required keyword arguments that are used to create a CIQ
identity object. These are: country_name_code,
country_name_code_type, admin_area_name_code,
admin_area_name_code_type, organisation_name, industry_type.
Raises:
ValueError: When keyword arguments are missing. User did not supply
correct values for: proprietary, color and consent.
Note:
The following line is required to register the AIS extension::
>>> import stix.extensions.marking.ais
Any Markings under STIX Header will be removed. Please follow the
guidelines for `AIS`_.
The industry_type keyword argument accepts: a list of string based on
defined sectors, a pipe-delimited string of sectors, or a single
sector.
.. _AIS:
https://www.us-cert.gov/ais
"""
from stix.common import InformationSource
from stix.extensions.identity.ciq_identity_3_0 import (
CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
Country, NameElement, OrganisationInfo, AdministrativeArea)
from stix.core.stix_header import STIXHeader
from stix.data_marking import MarkingSpecification, Marking
args = ('country_name_code', 'country_name_code_type', 'industry_type',
'admin_area_name_code', 'admin_area_name_code_type',
'organisation_name')
diff = set(args) - set(kwargs.keys())
if diff:
msg = 'All keyword arguments must be provided. Missing: {0}'
raise ValueError(msg.format(tuple(diff)))
party_name = PartyName()
party_name.add_organisation_name(kwargs['organisation_name'])
country = Country()
country_name = NameElement()
country_name.name_code = kwargs['country_name_code']
country_name.name_code_type = kwargs['country_name_code_type']
country.add_name_element(country_name)
admin_area = AdministrativeArea()
admin_area_name = NameElement()
admin_area_name.name_code = kwargs['admin_area_name_code']
admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
admin_area.add_name_element(admin_area_name)
address = Address()
address.country = country
address.administrative_area = admin_area
org_info = OrganisationInfo()
org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type'])
id_spec = STIXCIQIdentity3_0()
id_spec.party_name = party_name
id_spec.add_address(address)
id_spec.organisation_info = org_info
identity = CIQIdentity3_0Instance()
identity.specification = id_spec
if proprietary is True:
proprietary_obj = IsProprietary()
consent = 'EVERYONE'
elif proprietary is False:
proprietary_obj = NotProprietary()
else:
raise ValueError('proprietary expected True or False.')
proprietary_obj.ais_consent = AISConsentType(consent=consent)
proprietary_obj.tlp_marking = TLPMarkingType(color=color)
ais_marking = AISMarkingStructure()
if isinstance(proprietary_obj, IsProprietary):
ais_marking.is_proprietary = proprietary_obj
else:
ais_marking.not_proprietary = proprietary_obj
marking_spec = MarkingSpecification()
marking_spec.controlled_structure = '//node() | //@*'
marking_spec.marking_structures.append(ais_marking)
marking_spec.information_source = InformationSource()
marking_spec.information_source.identity = identity
if not stix_package.stix_header:
stix_package.stix_header = STIXHeader()
# Removes any other Markings if present.
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking_spec)