def _get_threat_actor_object(value,
description=None,
crowd_strike_motivations=[]):
# 攻撃者情報作成
organisation_name = OrganisationName(value)
party_name = PartyName()
party_name.add_organisation_name(organisation_name)
identity_specification = STIXCIQIdentity3_0()
identity_specification.party_name = party_name
identity = CIQIdentity3_0Instance()
# ThreatActor
ta = ThreatActor()
ta.identity = identity
ta.identity.specification = identity_specification
# Title に抽出した Threat Actor 名前
ta.title = value
ta.description = description
ta.short_description = description
ta.identity = identity
# motivations 作成
for crowd_strike_motivation in crowd_strike_motivations:
ta_motivation = Statement(crowd_strike_motivation['value'])
# motivation 追加
ta.add_motivation(ta_motivation)
return ta
def resolveIdentityAttribute(incident, attribute, namespace):
ciq_identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
if attribute["type"] == 'target-user':
identity_spec.party_name = PartyName(person_names=[attribute["value"]])
elif attribute["type"] == 'target-external':
# we don't know if target-external is a person or an organisation, so as described at http://docs.oasis-open.org/ciq/v3.0/prd03/specs/ciq-specs-v3-prd3.html#_Toc207716018, use NameLine
identity_spec.party_name = PartyName(
name_lines=["External target: " + attribute["value"]])
elif attribute["type"] == 'target-org':
identity_spec.party_name = PartyName(
organisation_names=[attribute["value"]])
elif attribute["type"] == 'target-location':
identity_spec.add_address(
Address(FreeTextAddress(address_lines=[attribute["value"]])))
elif attribute["type"] == 'target-email':
identity_spec.add_electronic_address_identifier(
ElectronicAddressIdentifier(value=attribute["value"]))
ciq_identity.specification = identity_spec
ciq_identity.id_ = "example:Identity-" + attribute["uuid"]
# is this a good idea?
ciq_identity.name = attribute["type"] + ": " + attribute[
"value"] + " (MISP Attribute #" + attribute["id"] + ")"
incident.add_victim(ciq_identity)
return incident
def convert_identity(ident20):
if ("sectors" in ident20 or "contact_information" in ident20
or "labels" in ident20 or "identity_class" in ident20
or "description" in ident20):
ident1x = CIQIdentity3_0Instance()
id1x = convert_id20(ident20["id"])
ident1x.id_ = id1x
if ident20["identity_class"] != "organization":
ident1x.name = ident20["name"]
if "labels" in ident20:
ident1x.roles = ident20["labels"]
if ("sectors" in ident20 or "contact_information" in ident20
or "identity_class" in ident20 or "description" in ident20):
ident1x.specification = STIXCIQIdentity3_0()
if ident20["identity_class"] == "organization":
party_name = PartyName()
party_name.add_organisation_name(text_type(ident20["name"]))
ident1x.specification.party_name = party_name
if "sectors" in ident20:
first = True
for s in ident20["sectors"]:
if first:
ident1x.specification.organisation_info = \
OrganisationInfo(text_type(convert_open_vocabs_to_controlled_vocabs(s, SECTORS_MAP, False)[0]))
first = False
else:
warn(
"%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
401, "Identity", "sectors", s)
# Identity in 1.x has no description property, use free-text-lines
if "identity_class" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "identity_class",
ident20["identity_class"])
# Because there is format defined in the specification for this property, it is difficult to
# determine how to convert the information probably found within it to the CIQ fields, so it will be put
# in the free_text_lines
if "contact_information" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "contact_information",
ident20["contact_information"])
if "description" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "description",
ident20["description"])
else:
ident1x = Identity(id_=convert_id20(ident20["id"]),
name=ident20["name"])
if "object_marking_refs" in ident20:
for m_id in ident20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(ident1x, ms, descendants=True)
if "granular_markings" in ident20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, ident20["id"])
return ident1x
def add_analyst_item(analyst_item, incident):
insrc = InformationSource()
analyst_identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
analyst_identity.specification = identity_spec
if analyst_item:
partyName = PartyName()
partyName.add_name_line(analyst_item)
identity_spec.party_name = partyName
insrc.identity = analyst_identity
incident.reporter = insrc
def main():
f = File()
f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
indicator = Indicator()
indicator.title = "File Hash Example"
indicator.description = "An indicator containing a File observable with an associated hash"
indicator.set_producer_identity("The MITRE Corporation")
indicator.set_produced_time(datetime.now(tzutc()))
indicator.add_object(f)
party_name = PartyName(name_lines=["Foo", "Bar"],
person_names=["John Smith", "Jill Smith"],
organisation_names=["Foo Inc.", "Bar Corp."])
ident_spec = STIXCIQIdentity3_0(party_name=party_name)
ident_spec.add_electronic_address_identifier("*****@*****.**")
ident_spec.add_free_text_line("Demonstrating Free Text!")
ident_spec.add_contact_number("555-555-5555")
ident_spec.add_contact_number("555-555-5556")
identity = CIQIdentity3_0Instance(specification=ident_spec)
indicator.set_producer_identity(identity)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example 05"
stix_package.stix_header = stix_header
stix_package.add_indicator(indicator)
xml = stix_package.to_xml()
print(xml)
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.party_name = PartyName.from_dict(
dict_repr.get('party_name'))
return_obj.languages = [
Language.from_dict(x) for x in dict_repr.get('languages', [])
]
return_obj.addresses = [
Address.from_dict(x) for x in dict_repr.get('addresses', [])
]
return_obj.electronic_address_identifiers = [
ElectronicAddressIdentifier.from_dict(x)
for x in dict_repr.get('electronic_address_identifiers', [])
]
return_obj.free_text_lines = [
FreeTextLine.from_dict(x)
for x in dict_repr.get('free_text_lines', [])
]
return_obj.contact_numbers = [
ContactNumber.from_dict(x)
for x in dict_repr.get('contact_numbers', [])
]
return_obj.organisation_info = OrganisationInfo.from_dict(
dict_repr.get('organisation_info'))
return return_obj
def main():
stix_package = STIXPackage()
ta = ThreatActor()
ta.title = "Disco Team Threat Actor Group"
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
identity_spec.party_name = PartyName()
identity_spec.party_name.add_organisation_name(
OrganisationName("Disco Team", type_="CommonUse"))
identity_spec.party_name.add_organisation_name(
OrganisationName("Equipo del Discoteca", type_="UnofficialName"))
identity_spec.add_language("Spanish")
address = Address()
address.country = Country()
address.country.add_name_element("United States")
address.administrative_area = AdministrativeArea()
address.administrative_area.add_name_element("California")
identity_spec.add_address(address)
identity_spec.add_electronic_address_identifier(
"*****@*****.**")
identity_spec.add_electronic_address_identifier(
"facebook.com/thediscoteam")
identity_spec.add_electronic_address_identifier(
"twitter.com/realdiscoteam")
ta.identity.specification = identity_spec
stix_package.add_threat_actor(ta)
print(stix_package.to_xml(encoding=None))
def resolve_identity_attribute(incident, attribute):
attribute_type = attribute.type
ciq_identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
if attribute_type == "target-user":
identity_spec.party_name = PartyName(person_names=[attribute.value])
if attribute_type == "target-external":
# we don't know if target-external is a person or an organisation, so as described at http://docs.oasis-open.org/ciq/v3.0/prd03/specs/ciq-specs-v3-prd3.html#_Toc207716018, use NameLine
identity_spec.party_name = PartyName(name_lines=["External target: {}".format(attribute.value)])
elif attribute_type == 'target-org':
identity_spec.party_name = PartyName(organisation_names=[attribute.value])
elif attribute_type == 'target-location':
identity_spec.add_address(ciq_Address(FreeTextAddress(address_lines=[attribute.value])))
elif attribute_type == 'target-email':
identity_spec.add_electronic_address_identifier(ElectronicAddressIdentifier(value=attribute.value))
ciq_identity.specification = identity_spec
ciq_identity.id_ = "{}:Identity-{}".format(namespace[1], attribute.uuid)
# is this a good idea?
ciq_identity.name = "{}: {} (MISP Attribute #{})".format(attribute_type, attribute.value, attribute.id)
incident.add_victim(ciq_identity)
def add_victim_item(victim_item, incident):
global targets_item
victim_identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
victim_identity.specification = identity_spec
if targets_item:
for item in targets_item:
victim_identity.add_role(item)
country_item = victim_item.get('country')
if not country_item:
error("Required 'country' item is missing in 'victim' item")
else:
for c in country_item:
address = Address()
address.country = Country()
address.country.add_name_element(c)
state_item = victim_item.get('state')
if state_item:
address.administrative_area = AdministrativeArea()
address.administrative_area.add_name_element(state_item)
identity_spec.add_address(address)
# no organisationInfo details - https://github.com/STIXProject/python-stix/issues/108
if victim_item.get("employee_count"):
warn("'victim/employee_count' item not handled, yet")
if victim_item.get("industry"):
warn("'victim/industry' item not handled, yet")
if victim_item.get("revenue"):
warn("'victim/revenue' item not handled, yet")
victim_id_item = victim_item.get('victim_id')
if victim_id_item:
partyName = PartyName()
# id might be inappropriate for name
partyName.add_name_line(victim_id_item)
identity_spec.party_name = partyName
incident.add_victim(victim_identity)
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
"""
This utility functions aids in the creation of an AIS marking and appends
it to the provided STIX package.
Args:
stix_package: A stix.core.STIXPackage object.
proprietary: True if marking uses IsProprietary, False for
NotProprietary.
consent: A string with one of the following values: "EVERYONE", "NONE"
or "USG".
color: A string that corresponds to TLP values: "WHITE", "GREEN" or
"AMBER".
**kwargs: Six required keyword arguments that are used to create a CIQ
identity object. These are: country_name_code,
country_name_code_type, admin_area_name_code,
admin_area_name_code_type, organisation_name, industry_type.
Raises:
ValueError: When keyword arguments are missing. User did not supply
correct values for: proprietary, color and consent.
Note:
The following line is required to register the AIS extension::
>>> import stix.extensions.marking.ais
Any Markings under STIX Header will be removed. Please follow the
guidelines for `AIS`_.
The industry_type keyword argument accepts: a list of string based on
defined sectors, a pipe-delimited string of sectors, or a single
sector.
.. _AIS:
https://www.us-cert.gov/ais
"""
from stix.common import InformationSource
from stix.extensions.identity.ciq_identity_3_0 import (
CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
Country, NameElement, OrganisationInfo, AdministrativeArea)
from stix.core.stix_header import STIXHeader
from stix.data_marking import MarkingSpecification, Marking
args = ('country_name_code', 'country_name_code_type', 'industry_type',
'admin_area_name_code', 'admin_area_name_code_type',
'organisation_name')
diff = set(args) - set(kwargs.keys())
if diff:
msg = 'All keyword arguments must be provided. Missing: {0}'
raise ValueError(msg.format(tuple(diff)))
party_name = PartyName()
party_name.add_organisation_name(kwargs['organisation_name'])
country = Country()
country_name = NameElement()
country_name.name_code = kwargs['country_name_code']
country_name.name_code_type = kwargs['country_name_code_type']
country.add_name_element(country_name)
admin_area = AdministrativeArea()
admin_area_name = NameElement()
admin_area_name.name_code = kwargs['admin_area_name_code']
admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
admin_area.add_name_element(admin_area_name)
address = Address()
address.country = country
address.administrative_area = admin_area
org_info = OrganisationInfo()
org_info.industry_type = _validate_and_create_industry_type(
kwargs['industry_type'])
id_spec = STIXCIQIdentity3_0()
id_spec.party_name = party_name
id_spec.add_address(address)
id_spec.organisation_info = org_info
identity = CIQIdentity3_0Instance()
identity.specification = id_spec
if proprietary is True:
proprietary_obj = IsProprietary()
consent = 'EVERYONE'
elif proprietary is False:
proprietary_obj = NotProprietary()
else:
raise ValueError('proprietary expected True or False.')
proprietary_obj.ais_consent = AISConsentType(consent=consent)
proprietary_obj.tlp_marking = TLPMarkingType(color=color)
ais_marking = AISMarkingStructure()
if isinstance(proprietary_obj, IsProprietary):
ais_marking.is_proprietary = proprietary_obj
else:
ais_marking.not_proprietary = proprietary_obj
marking_spec = MarkingSpecification()
marking_spec.controlled_structure = '//node() | //@*'
marking_spec.marking_structures.append(ais_marking)
marking_spec.information_source = InformationSource()
marking_spec.information_source.identity = identity
if not stix_package.stix_header:
stix_package.stix_header = STIXHeader()
# Removes any other Markings if present.
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking_spec)
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
"""
This utility functions aids in the creation of an AIS marking and appends
it to the provided STIX package.
Args:
stix_package: A stix.core.STIXPackage object.
proprietary: True if marking uses IsProprietary, False for
NotProprietary.
consent: A string with one of the following values: "EVERYONE", "NONE"
or "USG".
color: A string that corresponds to TLP values: "WHITE", "GREEN" or
"AMBER".
**kwargs: Six required keyword arguments that are used to create a CIQ
identity object. These are: country_name_code,
country_name_code_type, admin_area_name_code,
admin_area_name_code_type, organisation_name, industry_type.
Raises:
ValueError: When keyword arguments are missing. User did not supply
correct values for: proprietary, color and consent.
Note:
The following line is required to register the AIS extension::
>>> import stix.extensions.marking.ais
Any Markings under STIX Header will be removed. Please follow the
guidelines for `AIS`_.
The industry_type keyword argument accepts: a list of string based on
defined sectors, a pipe-delimited string of sectors, or a single
sector.
.. _AIS:
https://www.us-cert.gov/ais
"""
from stix.common import InformationSource
from stix.extensions.identity.ciq_identity_3_0 import (
CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
Country, NameElement, OrganisationInfo, AdministrativeArea)
from stix.core.stix_header import STIXHeader
from stix.data_marking import MarkingSpecification, Marking
args = ('country_name_code', 'country_name_code_type', 'industry_type',
'admin_area_name_code', 'admin_area_name_code_type',
'organisation_name')
diff = set(args) - set(kwargs.keys())
if diff:
msg = 'All keyword arguments must be provided. Missing: {0}'
raise ValueError(msg.format(tuple(diff)))
party_name = PartyName()
party_name.add_organisation_name(kwargs['organisation_name'])
country = Country()
country_name = NameElement()
country_name.name_code = kwargs['country_name_code']
country_name.name_code_type = kwargs['country_name_code_type']
country.add_name_element(country_name)
admin_area = AdministrativeArea()
admin_area_name = NameElement()
admin_area_name.name_code = kwargs['admin_area_name_code']
admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
admin_area.add_name_element(admin_area_name)
address = Address()
address.country = country
address.administrative_area = admin_area
org_info = OrganisationInfo()
org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type'])
id_spec = STIXCIQIdentity3_0()
id_spec.party_name = party_name
id_spec.add_address(address)
id_spec.organisation_info = org_info
identity = CIQIdentity3_0Instance()
identity.specification = id_spec
if proprietary is True:
proprietary_obj = IsProprietary()
consent = 'EVERYONE'
elif proprietary is False:
proprietary_obj = NotProprietary()
else:
raise ValueError('proprietary expected True or False.')
proprietary_obj.ais_consent = AISConsentType(consent=consent)
proprietary_obj.tlp_marking = TLPMarkingType(color=color)
ais_marking = AISMarkingStructure()
if isinstance(proprietary_obj, IsProprietary):
ais_marking.is_proprietary = proprietary_obj
else:
ais_marking.not_proprietary = proprietary_obj
marking_spec = MarkingSpecification()
marking_spec.controlled_structure = '//node() | //@*'
marking_spec.marking_structures.append(ais_marking)
marking_spec.information_source = InformationSource()
marking_spec.information_source.identity = identity
if not stix_package.stix_header:
stix_package.stix_header = STIXHeader()
# Removes any other Markings if present.
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking_spec)
InformationType('Information Assets - User Credentials'))
identity = CIQIdentity3_0Instance()
# identity.name = 'Bob Ricca'
identity_spec = STIXCIQIdentity3_0()
identity_spec.add_address(Address(country='Germany'))
identity_spec.add_address(Address(country='United States'))
identity_spec.add_language('German')
identity_spec.add_language('English')
identity_spec.add_nationality('American')
identity_spec.add_contact_number('727-867-5309')
identity_spec.add_electronic_address_identifier('bricca')
identity_spec.add_electronic_address_identifier(
ElectronicAddressIdentifier(value='*****@*****.**', type_='Email'))
party_name = PartyName()
party_name.add_person_name('Bob Ricca')
party_name.add_person_name('Robert Ricca')
party_name.add_organisation_name('ThreatQuotient')
identity_spec.party_name = party_name
organization = OrganisationInfo(industry_type='Cybersecurity')
identity_spec.organisation_info = organization
identity.specification = identity_spec
victim_targeting.identity = identity
domain2 = DomainName()
domain2.value = 'www.bobricca.com'
observable2 = Observable(domain2)
victim_targeting.targeted_technical_details = Observables(
Observable(idref=observable2.id_))
ttp2.victim_targeting = victim_targeting
