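def generateThreatActor(attribute):
    """Build a STIX ThreatActor from one MISP attribute (a JSON-style dict).

    The actor's timestamp comes from the attribute's epoch ``timestamp``; its
    id is ``<namespace[1]>:threatactor-<uuid>``; the title is
    ``"<category>: <value> (MISP Attribute #<id>)"``; the description is the
    value, followed by ``" (<comment>)"`` when a non-empty comment exists.

    Args:
        attribute: dict with ``timestamp``, ``uuid``, ``category``, ``value``
            and ``id`` keys; ``comment`` is optional.

    Returns:
        The populated ThreatActor.

    Raises:
        KeyError: a required key is missing.
        ValueError: ``timestamp`` is not an integer (or integer string).
    """
    ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    # str.format rather than "+" so a non-str id/uuid does not raise TypeError.
    ta.id_ = "{}:threatactor-{}".format(namespace[1], attribute["uuid"])
    ta.title = "{}: {} (MISP Attribute #{})".format(
        attribute["category"], attribute["value"], attribute["id"])
    # comment is optional in MISP exports: treat a missing key, None and ""
    # alike (special-casing only "" would render a None comment as "(None)").
    description = attribute["value"]
    comment = attribute.get("comment")
    if comment:
        description = "{} ({})".format(description, comment)
    # NOTE(review): value/comment are free text from a shared MISP feed and
    # are passed through verbatim; the STIX serializer is relied on to
    # escape them on output — confirm.
    ta.description = description
    return ta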
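def generateThreatActor(attribute):
    """Build a STIX ThreatActor from one MISP attribute (a JSON-style dict).

    The actor's timestamp comes from the attribute's epoch ``timestamp``; its
    id is ``<namespace[1]>:threatactor-<uuid>``; the title is
    ``"<category>: <value> (MISP Attribute #<id>)"``; the description is the
    value, followed by ``" (<comment>)"`` when a non-empty comment exists.

    Args:
        attribute: dict with ``timestamp``, ``uuid``, ``category``, ``value``
            and ``id`` keys; ``comment`` is optional.

    Returns:
        The populated ThreatActor.

    Raises:
        KeyError: a required key is missing.
        ValueError: ``timestamp`` is not an integer (or integer string).
    """
    ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    # str.format rather than "+" so a non-str id/uuid does not raise TypeError.
    ta.id_ = "{}:threatactor-{}".format(namespace[1], attribute["uuid"])
    ta.title = "{}: {} (MISP Attribute #{})".format(
        attribute["category"], attribute["value"], attribute["id"])
    # comment is optional in MISP exports: treat a missing key, None and ""
    # alike (special-casing only "" would render a None comment as "(None)").
    description = attribute["value"]
    comment = attribute.get("comment")
    if comment:
        description = "{} ({})".format(description, comment)
    # NOTE(review): value/comment are free text from a shared MISP feed and
    # are passed through verbatim; the STIX serializer is relied on to
    # escape them on output — confirm.
    ta.description = description
    return ta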
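def generateThreatActor(attribute):
    """Build a STIX ThreatActor from one MISP attribute dict (no timestamp).

    The id is ``<namespace[1]>:threatactor-<uuid>``, the title is
    ``"MISP Attribute #<id> uuid: <uuid>"`` and the description is the value,
    followed by ``" (<comment>)"`` when a non-empty comment exists.

    Args:
        attribute: dict with ``uuid``, ``id`` and ``value`` keys; ``comment``
            is optional.

    Returns:
        The populated ThreatActor.

    Raises:
        KeyError: a required key is missing.
    """
    ta = ThreatActor()
    # str.format rather than "+" so a non-str id/uuid does not raise TypeError.
    ta.id_ = "{}:threatactor-{}".format(namespace[1], attribute["uuid"])
    ta.title = "MISP Attribute #{} uuid: {}".format(attribute["id"], attribute["uuid"])
    # comment is optional in MISP exports: treat a missing key, None and ""
    # alike (special-casing only "" would render a None comment as "(None)").
    description = attribute["value"]
    comment = attribute.get("comment")
    if comment:
        description = "{} ({})".format(description, comment)
    # NOTE(review): value/comment are free text from a shared MISP feed and
    # are passed through verbatim; the STIX serializer is relied on to
    # escape them on output — confirm.
    ta.description = description
    return ta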
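def _get_threat_actor_object(value, description=None, crowd_strike_motivations=None):
    """Build a STIX ThreatActor named *value* with a CIQ identity and motivations.

    Args:
        value: threat-actor name; used as the CIQ organisation name and as
            the actor title.
        description: free text stored in both ``description`` and
            ``short_description``.
        crowd_strike_motivations: iterable of dicts with a ``'value'`` key;
            each becomes a motivation Statement. ``None`` (default) adds none.

    Returns:
        The populated ThreatActor.
    """
    # None instead of a mutable default list, which would be shared across calls.
    if crowd_strike_motivations is None:
        crowd_strike_motivations = []

    # CIQ identity: the actor name is recorded as an organisation name.
    party_name = PartyName()
    party_name.add_organisation_name(OrganisationName(value))
    identity_specification = STIXCIQIdentity3_0()
    identity_specification.party_name = party_name
    identity = CIQIdentity3_0Instance()
    identity.specification = identity_specification

    ta = ThreatActor()
    ta.identity = identity
    # The extracted threat-actor name doubles as the title.
    ta.title = value
    ta.description = description
    ta.short_description = description
    for crowd_strike_motivation in crowd_strike_motivations:
        ta.add_motivation(Statement(crowd_strike_motivation['value']))
    return ta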
def test_ta(self):
    """Round-trip a ThreatActor whose text fields all hold non-ASCII content."""
    original = ThreatActor()
    # Every free-text field gets the same unicode sample.
    for field in ("title", "description", "short_description"):
        setattr(original, field, UNICODE_STR)
    self._test_equal(original, round_trip(original))
def test_ta(self):
    """Round-trip a ThreatActor whose text fields all hold non-ASCII content."""
    original = ThreatActor()
    # Every free-text field gets the same unicode sample.
    for field in ("title", "description", "short_description"):
        setattr(original, field, UNICODE_STR)
    self._test_equal(original, round_trip(original))
def main():
    """Print a STIX package holding one ThreatActor and one Indicator as XML.

    All values are hard-coded sample data (Malshare feed, risk score 2).
    """
    # Package and header with a short description of the feed.
    package = STIXPackage()
    header = STIXHeader()
    header.description = "Feeds in STIX format with their Risk Scores"
    package.stix_header = header

    # Threat actor built from the information available to us.
    actor = ThreatActor()
    actor.title = "Ip/Domain/Hostname"
    actor.description = "A threatActor commited with malicious tasks"
    actor.information_source = "Malshare"
    # NOTE(review): "01/05/2019" is locale-ambiguous (1 May vs 5 Jan), and
    # identity/types are bare strings rather than STIX Identity /
    # ThreatActorType objects — confirm the setters accept these; an explicit
    # datetime (or ISO-8601) value would remove the ambiguity.
    actor.timestamp = "01/05/2019"
    actor.identity = "106.113.123.197"
    actor.types = "eCrime Actor - Spam Service"

    # Indicator carrying the risk score for the same feed entry.
    score = Indicator()
    score.title = "Risk Score"
    score.description = "An indicator containing the appropriate Risk Score"
    score.set_produced_time("01/05/2019")
    score.likely_impact = "Risk Score: 2(Medium)"

    # Add order kept: actor first, then indicator.
    package.add(actor)
    package.add(score)
    print(package.to_xml())
def add_external_or_partner_actor_ttem(item, pkg):
    """Convert a VERIS ``actor/external`` or ``actor/partner`` item into a
    STIX ThreatActor and add it to *pkg*.

    ``country`` values become CIQ identity addresses, ``motive`` values become
    motivation Statements (via ``map_motive_item_to_motivation``), ``variety``
    values become type Statements (via
    ``map_actor_variety_item_to_threat_actor_type``) and ``notes`` become the
    description. A missing required field is reported through ``error`` and
    conversion of the remaining fields continues.

    Args:
        item: the VERIS actor sub-dict.
        pkg: STIX package receiving the actor.
    """
    def statement(value):
        stmt = Statement()
        stmt.value = value
        return stmt

    actor = ThreatActor()
    actor.identity = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()

    countries = item.get('country')
    if countries:
        for name in countries:
            address = Address()
            address.country = Country()
            address.country.add_name_element(name)
            spec.add_address(address)
    else:
        error("Required 'country' item is missing in 'actor/external' or 'actor/partner' item")
    actor.identity.specification = spec

    motives = item.get('motive')
    if motives:
        for motive in motives:
            actor.add_motivation(statement(map_motive_item_to_motivation(motive)))
    else:
        error("Required 'motive' item is missing in 'actor/external' or 'actor/partner' item")

    varieties = item.get('variety')
    if varieties:
        for variety in varieties:
            actor.add_type(statement(map_actor_variety_item_to_threat_actor_type(variety)))
    else:
        error("Required 'variety' item is missing in 'actor/external' or 'actor/partner' item")

    notes = item.get('notes')
    if notes:
        # NOTE(review): notes are escaped here before being handed to the STIX
        # object; if the serializer escapes again on output, "&" will come
        # out double-escaped — confirm.
        actor.description = "Notes: " + escape(notes)
    pkg.add_threat_actor(actor)
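def generateThreatActor(attribute):
    """Build a minimal STIX ThreatActor from one MISP attribute dict.

    Args:
        attribute: dict with ``uuid``, ``id`` and ``value`` keys.

    Returns:
        A ThreatActor whose id is ``example:threatactor-<uuid>``, whose title
        is ``"MISP Attribute #<id> uuid: <uuid>"`` and whose description is
        the attribute value.

    Raises:
        KeyError: a required key is missing.
    """
    ta = ThreatActor()
    # NOTE(review): "example" is a placeholder STIX namespace; ids minted
    # under it can collide with other producers' ids — confirm a real
    # namespace is substituted before packages are shared.
    ta.id_ = "example:threatactor-{}".format(attribute["uuid"])
    # str.format rather than "+" so a non-str id/uuid does not raise TypeError.
    ta.title = "MISP Attribute #{} uuid: {}".format(attribute["id"], attribute["uuid"])
    ta.description = attribute["value"]
    return ta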
def generate_threat_actor(attribute):
    """Convert a MISP attribute object into a STIX ThreatActor.

    The actor keeps the attribute's timestamp, gets the id
    ``<namespace[1]>:threatactor-<uuid>``, the title
    ``"<category>: <value> (MISP Attribute #<id>)"`` and, as description, the
    value followed by ``" (<comment>)"`` when the comment is truthy.

    Args:
        attribute: object exposing ``timestamp``, ``uuid``, ``category``,
            ``value``, ``id`` and ``comment`` attributes.

    Returns:
        The populated ThreatActor.
    """
    actor = ThreatActor(timestamp=attribute.timestamp)
    actor.id_ = "%s:threatactor-%s" % (namespace[1], attribute.uuid)
    actor.title = "%s: %s (MISP Attribute #%s)" % (
        attribute.category, attribute.value, attribute.id)
    # A falsy comment (None or "") is left out of the description entirely.
    comment = attribute.comment
    if comment:
        actor.description = "%s (%s)" % (attribute.value, comment)
    else:
        actor.description = attribute.value
    return actor
def to_stix_actor(obj):
    """Create a STIX ThreatActor from *obj*.

    Returns:
        ``(actor, releasability)`` where *actor* carries the object's name,
        description, threat types, motivations, intended effects and
        sophistications, and *releasability* is ``obj.releasability``.
    """
    actor = ThreatActor()
    actor.title = obj.name
    actor.description = obj.description
    # Each multi-valued field maps onto the matching add_* method.
    for values, add in (
        (obj.threat_types, actor.add_type),
        (obj.motivations, actor.add_motivation),
        (obj.intended_effects, actor.add_intended_effect),
        (obj.sophistications, actor.add_sophistication),
    ):
        for value in values:
            add(value)
    return actor, obj.releasability
def to_stix_actor(obj):
    """Create a STIX ThreatActor from *obj*.

    Returns:
        ``(actor, releasability)`` where *actor* carries the object's name,
        description, threat types, motivations, intended effects and
        sophistications, and *releasability* is ``obj.releasability``.
    """
    actor = ThreatActor()
    actor.title = obj.name
    actor.description = obj.description
    # Each multi-valued field maps onto the matching add_* method.
    for values, add in (
        (obj.threat_types, actor.add_type),
        (obj.motivations, actor.add_motivation),
        (obj.intended_effects, actor.add_intended_effect),
        (obj.sophistications, actor.add_sophistication),
    ):
        for value in values:
            add(value)
    return actor, obj.releasability
def to_stix_actor(self):
    """Create a STIX ThreatActor from this object.

    Returns:
        ``(actor, releasability)`` where *actor* carries this object's name,
        description, threat types, motivations, intended effects and
        sophistications, and *releasability* is ``self.releasability``.
    """
    from stix.threat_actor import ThreatActor
    actor = ThreatActor()
    actor.title = self.name
    actor.description = self.description
    # Each multi-valued field maps onto the matching add_* method.
    for values, add in (
        (self.threat_types, actor.add_type),
        (self.motivations, actor.add_motivation),
        (self.intended_effects, actor.add_intended_effect),
        (self.sophistications, actor.add_sophistication),
    ):
        for value in values:
            add(value)
    return actor, self.releasability
def to_stix_actor(self):
    """Create a STIX ThreatActor from this object.

    Returns:
        ``(actor, releasability)`` where *actor* carries this object's name,
        description, threat types, motivations, intended effects and
        sophistications, and *releasability* is ``self.releasability``.
    """
    from stix.threat_actor import ThreatActor
    actor = ThreatActor()
    actor.title = self.name
    actor.description = self.description
    # Each multi-valued field maps onto the matching add_* method.
    for values, add in (
        (self.threat_types, actor.add_type),
        (self.motivations, actor.add_motivation),
        (self.intended_effects, actor.add_intended_effect),
        (self.sophistications, actor.add_sophistication),
    ):
        for value in values:
            add(value)
    return actor, self.releasability
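def add_actor_item(actor_item, pkg):
    """Dispatch a VERIS ``actor`` item to the per-kind converters and add the
    resulting ThreatActors to *pkg*.

    ``external`` and ``partner`` go to ``add_external_or_partner_actor_ttem``,
    ``internal`` to ``add_internal_actor_item``; an ``unknown`` actor with
    ``notes`` becomes a bare ThreatActor whose description is the escaped notes.

    Args:
        actor_item: the VERIS ``actor`` sub-dict.
        pkg: STIX package receiving the actors.
    """
    external_item = actor_item.get('external')
    if external_item:
        add_external_or_partner_actor_ttem(external_item, pkg)
    internal_item = actor_item.get('internal')
    if internal_item:
        add_internal_actor_item(internal_item, pkg)
    # A partner is a third party of the victim; it is modelled like an
    # external actor.
    partner_item = actor_item.get('partner')
    if partner_item:
        add_external_or_partner_actor_ttem(partner_item, pkg)
    unknown_item = actor_item.get('unknown')
    if unknown_item:
        notes_item = unknown_item.get('notes')
        if notes_item:
            # The only case where this function builds a ThreatActor itself;
            # the other kinds are built by their converters.
            ta = ThreatActor()
            # "Notes: " (with a space) matches the description prefix used by
            # the external/partner and internal converters.
            ta.description = "Notes: " + escape(notes_item)
            pkg.add_threat_actor(ta)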
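def buildThreatActor(input_dict):
    """Build a STIX ThreatActor from a flat input dict.

    ``title`` and ``description`` are required. Every other key is optional
    and only applied when present and truthy: ``identity`` (wrapped in
    ``Identity``), ``type``, ``motivation``, ``sophistication``,
    ``intendedEffect``, ``support`` (each passed to the matching ``add_*``
    method), ``confidence`` (wrapped in ``Confidence``) and
    ``informationSource`` (wrapped in ``InformationSource``).

    Args:
        input_dict: mapping of field name to value.

    Returns:
        The populated ThreatActor.

    Raises:
        KeyError: ``title`` or ``description`` is missing.
    """
    threatActor = ThreatActor()
    threatActor.title = input_dict["title"]
    threatActor.description = input_dict["description"]

    # Optional fields use .get() so an absent key behaves like an empty
    # value instead of raising KeyError.
    identity = input_dict.get("identity")
    if identity:
        # NOTE(review): the raw value is passed as Identity's first positional
        # argument — confirm that is the intended field (name vs id) for the
        # STIX library in use.
        threatActor.identity = Identity(identity)

    # Multi-valued fields: (input key, ThreatActor adder) pairs.
    adders = (
        ("type", threatActor.add_type),
        ("motivation", threatActor.add_motivation),
        ("sophistication", threatActor.add_sophistication),
        ("intendedEffect", threatActor.add_intended_effect),
        ("support", threatActor.add_planning_and_operational_support),
    )
    for key, add in adders:
        val = input_dict.get(key)
        if val:
            add(val)

    confidence = input_dict.get("confidence")
    if confidence:
        threatActor.confidence = Confidence(confidence)
    information_source = input_dict.get("informationSource")
    if information_source:
        threatActor.information_source = InformationSource(information_source)
    return threatActor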
def add_internal_actor_item(internal_item, pkg):
    """Convert a VERIS ``actor/internal`` item into a STIX ThreatActor and add
    it to *pkg*.

    ``motive`` values become motivation Statements (via
    ``map_motive_item_to_motivation``); each ``variety`` value becomes a type
    Statement whose value is the insider-threat ThreatActorType and whose
    description is the raw variety string; ``notes`` become the description.
    A missing required field is reported through ``error`` and conversion of
    the remaining fields continues.

    Args:
        internal_item: the VERIS ``actor/internal`` sub-dict.
        pkg: STIX package receiving the actor.
    """
    def statement(value, description=None):
        stmt = Statement()
        stmt.value = value
        if description is not None:
            stmt.description = description
        return stmt

    actor = ThreatActor()

    motives = internal_item.get('motive')
    if motives:
        for motive in motives:
            actor.add_motivation(statement(map_motive_item_to_motivation(motive)))
    else:
        error("Required 'motive' item is missing in 'actor/internal' item")

    # job_change added in VERIS 1.3
    varieties = internal_item.get('variety')
    if varieties:
        for variety in varieties:
            # All internal varieties share the insider-threat type; the
            # variety itself is kept as the statement description.
            actor.add_type(statement(
                ThreatActorType(ThreatActorType.TERM_INSIDER_THREAT), variety))
    else:
        error("Required 'variety' item is missing in 'actor/internal' item")

    notes = internal_item.get('notes')
    if notes:
        # NOTE(review): notes are escaped here before being handed to the STIX
        # object; if the serializer escapes again on output, "&" will come
        # out double-escaped — confirm.
        actor.description = "Notes: " + escape(notes)
    pkg.add_threat_actor(actor)
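def generateThreatActor(attribute):
    """Build a minimal STIX ThreatActor from one MISP attribute dict.

    Args:
        attribute: dict with ``uuid``, ``id`` and ``value`` keys.

    Returns:
        A ThreatActor whose id is ``example:threatactor-<uuid>``, whose title
        is ``"MISP Attribute #<id> uuid: <uuid>"`` and whose description is
        the attribute value.

    Raises:
        KeyError: a required key is missing.
    """
    ta = ThreatActor()
    # NOTE(review): "example" is a placeholder STIX namespace; ids minted
    # under it can collide with other producers' ids — confirm a real
    # namespace is substituted before packages are shared.
    ta.id_ = "example:threatactor-{}".format(attribute["uuid"])
    # str.format rather than "+" so a non-str id/uuid does not raise TypeError.
    ta.title = "MISP Attribute #{} uuid: {}".format(attribute["id"], attribute["uuid"])
    ta.description = attribute["value"]
    return ta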