def main():
    """Build a STIX package holding one CIQ-identified threat actor and print it as XML."""
    package = STIXPackage()

    actor = ThreatActor()
    actor.title = "Disco Team Threat Actor Group"
    actor.identity = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()

    # Organisation names: a common-use name plus an unofficial alias.
    # NOTE(review): "Disco Tean" is reproduced verbatim; it is probably a typo
    # for "Disco Team" (the title uses that spelling) -- confirm before fixing.
    names = PartyName()
    for org_name, kind in (("Disco Tean", "CommonUse"),
                           ("Equipo del Discoteca", "UnofficialName")):
        names.add_organisation_name(OrganisationName(org_name, type_=kind))
    spec.party_name = names

    spec.add_language("Spanish")

    # Postal location: country plus administrative area.
    location = Address()
    location.country = Country()
    location.country.add_name_element("United States")
    location.administrative_area = AdministrativeArea()
    location.administrative_area.add_name_element("California")
    spec.add_address(location)

    spec.add_electronic_address_identifier("*****@*****.**")

    actor.identity.specification = spec
    package.add_threat_actor(actor)
    # Python 2 print statement, kept as in the original listing.
    print package.to_xml()
def add_external_or_partner_actor_ttem(item, pkg):
    """Translate an 'actor/external' or 'actor/partner' item into a ThreatActor on *pkg*.

    Reads the 'country', 'motive', 'variety' and 'notes' keys of *item*.
    A missing country, motive or variety is reported through error() and that
    part of the actor is left empty; the actor is added to *pkg* either way.
    """
    actor = ThreatActor()
    actor.identity = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()

    # One Address per country name; the specification is only attached when
    # at least one country was given.
    countries = item.get('country')
    if countries:
        for country_name in countries:
            addr = Address()
            addr.country = Country()
            addr.country.add_name_element(country_name)
            spec.add_address(addr)
        actor.identity.specification = spec
    else:
        error("Required 'country' item is missing in 'actor/external' or 'actor/partner' item")

    # Each motive becomes a Statement mapped through the motive vocabulary.
    motives = item.get('motive')
    if motives:
        for motive in motives:
            statement = Statement()
            statement.value = map_motive_item_to_motivation(motive)
            actor.add_motivation(statement)
    else:
        error("Required 'motive' item is missing in 'actor/external' or 'actor/partner' item")

    # Each variety becomes a Statement mapped to a threat-actor type.
    varieties = item.get('variety')
    if varieties:
        for variety in varieties:
            statement = Statement()
            statement.value = map_actor_variety_item_to_threat_actor_type(variety)
            actor.add_type(statement)
    else:
        error("Required 'variety' item is missing in 'actor/external' or 'actor/partner' item")

    # Free-text notes are escape()d before they land in the description.
    # NOTE(review): country/motive/variety values are not escape()d the same
    # way; confirm the serializer handles them, or escape them here too.
    notes = item.get('notes')
    if notes:
        actor.description = "Notes: " + escape(notes)

    pkg.add_threat_actor(actor)
def main():
    """Build a STIX package holding one CIQ-identified threat actor and print it as XML."""
    package = STIXPackage()

    actor = ThreatActor()
    actor.title = "Disco Team Threat Actor Group"
    actor.identity = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()

    # Organisation names: a common-use name plus an unofficial alias.
    names = PartyName()
    for org_name, kind in (("Disco Team", "CommonUse"),
                           ("Equipo del Discoteca", "UnofficialName")):
        names.add_organisation_name(OrganisationName(org_name, type_=kind))
    spec.party_name = names

    spec.add_language("Spanish")

    # Postal location: country plus administrative area.
    location = Address()
    location.country = Country()
    location.country.add_name_element("United States")
    location.administrative_area = AdministrativeArea()
    location.administrative_area.add_name_element("California")
    spec.add_address(location)

    # Electronic identifiers: an e-mail address and two social-media handles.
    for identifier in ("*****@*****.**",
                       "facebook.com/thediscoteam",
                       "twitter.com/realdiscoteam"):
        spec.add_electronic_address_identifier(identifier)

    actor.identity.specification = spec
    package.add_threat_actor(actor)
    # encoding=None is passed straight to to_xml(); presumably it selects a
    # text string rather than encoded bytes -- confirm against python-stix.
    print(package.to_xml(encoding=None))
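def add_victim_item(victim_item, incident):
    """Attach a CIQ-identified victim built from *victim_item* to *incident*.

    Reads the 'country', 'state', 'employee_count', 'industry', 'revenue' and
    'victim_id' keys of *victim_item*; the module-level ``targets_item``
    sequence, when set, supplies the victim's roles. A missing 'country' is
    reported through error() and leaves the identity without addresses; the
    victim is still added to *incident*. employee_count, industry and revenue
    only produce a warn() because the CIQ binding offers no organisationInfo
    details (see the linked issue below).
    """
    victim_identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()
    victim_identity.specification = identity_spec

    # targets_item is module-level state that is only read here, so no
    # ``global`` declaration is needed.
    if targets_item:
        for role in targets_item:
            victim_identity.add_role(role)

    country_item = victim_item.get('country')
    if not country_item:
        error("Required 'country' item is missing in 'victim' item")
    else:
        # 'state' does not vary per country, so look it up once; every
        # address gets the same administrative area.
        state_item = victim_item.get('state')
        for country_name in country_item:
            address = Address()
            address.country = Country()
            address.country.add_name_element(country_name)
            if state_item:
                address.administrative_area = AdministrativeArea()
                address.administrative_area.add_name_element(state_item)
            identity_spec.add_address(address)

    # no organisationInfo details - https://github.com/STIXProject/python-stix/issues/108
    for unhandled_key in ("employee_count", "industry", "revenue"):
        if victim_item.get(unhandled_key):
            warn("'victim/%s' item not handled, yet" % unhandled_key)

    victim_id_item = victim_item.get('victim_id')
    if victim_id_item:
        party_name = PartyName()
        # The victim id is used as a name line; it may not be a real name.
        # NOTE(review): the value is inserted as-is -- confirm the serializer
        # escapes it, or escape it here like the notes field elsewhere.
        party_name.add_name_line(victim_id_item)
        identity_spec.party_name = party_name

    incident.add_victim(victim_identity)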
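def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
    """
    This utility function aids in the creation of an AIS marking and appends
    it to the provided STIX package.

    Args:
        stix_package: A stix.core.STIXPackage object.
        proprietary: True if marking uses IsProprietary, False for
            NotProprietary. Must be a real bool; any other value (including
            truthy ones such as 1) raises ValueError.
        consent: A string with one of the following values: "EVERYONE", "NONE"
            or "USG". When ``proprietary`` is True this argument is ignored
            and the consent is forced to "EVERYONE".
        color: A string that corresponds to TLP values: "WHITE", "GREEN" or
            "AMBER".
        **kwargs: Six required keyword arguments that are used to create a CIQ
            identity object. These are: country_name_code,
            country_name_code_type, admin_area_name_code,
            admin_area_name_code_type, organisation_name, industry_type.

    Raises:
        ValueError: When keyword arguments are missing, or when ``proprietary``
            is not a bool. Invalid ``consent``/``color`` values are left to
            AISConsentType and TLPMarkingType to reject (they are not checked
            here).

    Note:
        The following line is required to register the AIS extension::

            >>> import stix.extensions.marking.ais

        Any Markings under STIX Header will be removed and replaced by this
        single AIS marking, which covers the whole package. Please follow the
        guidelines for `AIS`_.

        The industry_type keyword argument accepts: a list of string based on
        defined sectors, a pipe-delimited string of sectors, or a single
        sector.

    .. _AIS:
        https://www.us-cert.gov/ais

    """
    from stix.common import InformationSource
    from stix.extensions.identity.ciq_identity_3_0 import (
        CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
        Country, NameElement, OrganisationInfo, AdministrativeArea)
    from stix.core.stix_header import STIXHeader
    from stix.data_marking import MarkingSpecification, Marking

    args = ('country_name_code', 'country_name_code_type', 'industry_type',
            'admin_area_name_code', 'admin_area_name_code_type',
            'organisation_name')

    # Sorted so the error message lists the missing names deterministically.
    missing = sorted(set(args) - set(kwargs))

    if missing:
        msg = 'All keyword arguments must be provided. Missing: {0}'
        raise ValueError(msg.format(tuple(missing)))

    party_name = PartyName()
    party_name.add_organisation_name(kwargs['organisation_name'])

    country = Country()
    country_name = NameElement()
    country_name.name_code = kwargs['country_name_code']
    country_name.name_code_type = kwargs['country_name_code_type']
    country.add_name_element(country_name)

    admin_area = AdministrativeArea()
    admin_area_name = NameElement()
    admin_area_name.name_code = kwargs['admin_area_name_code']
    admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
    admin_area.add_name_element(admin_area_name)

    address = Address()
    address.country = country
    address.administrative_area = admin_area

    org_info = OrganisationInfo()
    # Sector validation and normalisation live in the helper.
    org_info.industry_type = _validate_and_create_industry_type(
        kwargs['industry_type'])

    id_spec = STIXCIQIdentity3_0()
    id_spec.party_name = party_name
    id_spec.add_address(address)
    id_spec.organisation_info = org_info

    identity = CIQIdentity3_0Instance()
    identity.specification = id_spec

    # Identity (not truthiness) checks on purpose: only the literal bools are
    # accepted, so a stray 1/"yes" cannot silently pick a proprietary marking.
    if proprietary is True:
        proprietary_obj = IsProprietary()
        # Proprietary submissions always carry EVERYONE consent; the caller's
        # value is deliberately overridden.
        consent = 'EVERYONE'
    elif proprietary is False:
        proprietary_obj = NotProprietary()
    else:
        raise ValueError('proprietary expected True or False.')

    proprietary_obj.ais_consent = AISConsentType(consent=consent)
    proprietary_obj.tlp_marking = TLPMarkingType(color=color)

    ais_marking = AISMarkingStructure()

    if isinstance(proprietary_obj, IsProprietary):
        ais_marking.is_proprietary = proprietary_obj
    else:
        ais_marking.not_proprietary = proprietary_obj

    marking_spec = MarkingSpecification()
    # XPath selecting every node and every attribute: the marking applies to
    # the entire document, not just the header.
    marking_spec.controlled_structure = '//node() | //@*'
    marking_spec.marking_structures.append(ais_marking)
    marking_spec.information_source = InformationSource()
    marking_spec.information_source.identity = identity

    if not stix_package.stix_header:
        stix_package.stix_header = STIXHeader()

    # Removes any other Markings if present: a fresh Marking() replaces the
    # existing handling block, so previously attached markings are dropped.
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking_spec)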
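def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
    """
    This utility function aids in the creation of an AIS marking and appends
    it to the provided STIX package.

    Args:
        stix_package: A stix.core.STIXPackage object.
        proprietary: True if marking uses IsProprietary, False for
            NotProprietary. Must be a real bool; any other value (including
            truthy ones such as 1) raises ValueError.
        consent: A string with one of the following values: "EVERYONE", "NONE"
            or "USG". When ``proprietary`` is True this argument is ignored
            and the consent is forced to "EVERYONE".
        color: A string that corresponds to TLP values: "WHITE", "GREEN" or
            "AMBER".
        **kwargs: Six required keyword arguments that are used to create a CIQ
            identity object. These are: country_name_code,
            country_name_code_type, admin_area_name_code,
            admin_area_name_code_type, organisation_name, industry_type.

    Raises:
        ValueError: When keyword arguments are missing, or when ``proprietary``
            is not a bool. Invalid ``consent``/``color`` values are left to
            AISConsentType and TLPMarkingType to reject (they are not checked
            here).

    Note:
        The following line is required to register the AIS extension::

            >>> import stix.extensions.marking.ais

        Any Markings under STIX Header will be removed and replaced by this
        single AIS marking, which covers the whole package. Please follow the
        guidelines for `AIS`_.

        The industry_type keyword argument accepts: a list of string based on
        defined sectors, a pipe-delimited string of sectors, or a single
        sector.

    .. _AIS:
        https://www.us-cert.gov/ais

    """
    from stix.common import InformationSource
    from stix.extensions.identity.ciq_identity_3_0 import (
        CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
        Country, NameElement, OrganisationInfo, AdministrativeArea)
    from stix.core.stix_header import STIXHeader
    from stix.data_marking import MarkingSpecification, Marking

    args = ('country_name_code', 'country_name_code_type', 'industry_type',
            'admin_area_name_code', 'admin_area_name_code_type',
            'organisation_name')

    # Sorted so the error message lists the missing names deterministically.
    missing = sorted(set(args) - set(kwargs))

    if missing:
        msg = 'All keyword arguments must be provided. Missing: {0}'
        raise ValueError(msg.format(tuple(missing)))

    party_name = PartyName()
    party_name.add_organisation_name(kwargs['organisation_name'])

    country = Country()
    country_name = NameElement()
    country_name.name_code = kwargs['country_name_code']
    country_name.name_code_type = kwargs['country_name_code_type']
    country.add_name_element(country_name)

    admin_area = AdministrativeArea()
    admin_area_name = NameElement()
    admin_area_name.name_code = kwargs['admin_area_name_code']
    admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
    admin_area.add_name_element(admin_area_name)

    address = Address()
    address.country = country
    address.administrative_area = admin_area

    org_info = OrganisationInfo()
    # Sector validation and normalisation live in the helper.
    org_info.industry_type = _validate_and_create_industry_type(
        kwargs['industry_type'])

    id_spec = STIXCIQIdentity3_0()
    id_spec.party_name = party_name
    id_spec.add_address(address)
    id_spec.organisation_info = org_info

    identity = CIQIdentity3_0Instance()
    identity.specification = id_spec

    # Identity (not truthiness) checks on purpose: only the literal bools are
    # accepted, so a stray 1/"yes" cannot silently pick a proprietary marking.
    if proprietary is True:
        proprietary_obj = IsProprietary()
        # Proprietary submissions always carry EVERYONE consent; the caller's
        # value is deliberately overridden.
        consent = 'EVERYONE'
    elif proprietary is False:
        proprietary_obj = NotProprietary()
    else:
        raise ValueError('proprietary expected True or False.')

    proprietary_obj.ais_consent = AISConsentType(consent=consent)
    proprietary_obj.tlp_marking = TLPMarkingType(color=color)

    ais_marking = AISMarkingStructure()

    if isinstance(proprietary_obj, IsProprietary):
        ais_marking.is_proprietary = proprietary_obj
    else:
        ais_marking.not_proprietary = proprietary_obj

    marking_spec = MarkingSpecification()
    # XPath selecting every node and every attribute: the marking applies to
    # the entire document, not just the header.
    marking_spec.controlled_structure = '//node() | //@*'
    marking_spec.marking_structures.append(ais_marking)
    marking_spec.information_source = InformationSource()
    marking_spec.information_source.identity = identity

    if not stix_package.stix_header:
        stix_package.stix_header = STIXHeader()

    # Removes any other Markings if present: a fresh Marking() replaces the
    # existing handling block, so previously attached markings are dropped.
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking_spec)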