def transfer(lisa_file, save_directory): content = get_content(lisa_file) if 'error' in content.keys(): return "empty" malware = create_malware(content) indicator_list = create_indicator(content) relation_list = create_relationship(indicator_list, malware) observed_data_list = create_observed_data(content) malware_analysis_list = create_malware_analysis(content) md5 = content['md5'] bundle_list = [] bundle_list.append(malware) for indicator in indicator_list: bundle_list.append(indicator) for relation in relation_list: bundle_list.append(relation) for ob in observed_data_list: bundle_list.append(ob) for ob in malware_analysis_list: bundle_list.append(ob) bundle = Bundle(bundle_list) bundle_str = bundle.serialize() stix_file = os.path.join(save_directory, md5 + '.json') with open(stix_file, "wb") as save: save.write(bundle_str.encode()) return md5 + '.json'
def main(users_file=USERS_FILE): # Authentication reddit = praw.Reddit(**credentials) # Load list of accounts subreddits = get_accounts(users_file)['user_to_follow'] observed_data_list = [] # CSV output file local_filename = "output_" + now.strftime("%Y%m%d_%H%M") + ".csv" with open(local_filename, mode='w') as csv_file: writer = csv.DictWriter(csv_file, fieldnames=FIELDS) writer.writeheader() for subreddit in subreddits: print(subreddit) # We cannot get all posts, so we just get the most recent ones for result in reddit.subreddit(subreddit).new(limit=POST_LIMIT): if date_comparison(result): post_date = datetime.fromtimestamp(result.created_utc) writer.writerow({'subreddit': result.subreddit, # Subreddit Name 'username': result.fullname, # Username (user ID) 'date': post_date, 'title': result.title, # Post title 'text': result.selftext, # Post text (may be empty) 'json': reddit.request("GET", result.permalink) # Complete Post Json }) args = { 'source': 'reddit', 'title': result.title, 'text': result.selftext, 'subject': result.subreddit, } observed_user = UserAccount(type='user-account', user_id=result.fullname) observed_object = CSAwareSocial(**args, allow_custom=True) objects = {"0": observed_user, "1": observed_object} observed_data = ObservedData(first_observed=post_date, last_observed=post_date, number_observed=1, objects=objects, allow_custom=True) observed_data_list.append(observed_data) # STIX Conversion bundle = Bundle(observed_data_list) stix_filename = local_filename.replace('.csv', '.json') stix_output = open(stix_filename, 'w') stix_output.write(bundle.serialize(indent=4)) stix_output.close() # Upload to AWS to_aws(local_filename) to_aws(stix_filename)
def get_bundle_json(self, target_group): objects = self.find_groups(target_group) for obj in objects: self.find_relationships(obj) bundle = Bundle(self.searched_objs) if not os.path.isfile( './bundles/{0}-bundle.json'.format(target_group)): with open('./bundles/{0}-bundle.json'.format(target_group), 'w') as f: f.write(bundle.serialize()) return bundle
def run(self, results): self.init() log.debug("start stix reporter") syscalls = open(self.analysis_path + "/logs/all.stap", "r").read() self.CWD = self.find_execution_dir_of_build_script(syscalls) log.debug("found execution dir") self.parse_syscalls_to_stix(syscalls) log.debug("parsed syscalls to stix objects") stix_malware_analysis = MalwareAnalysis( type="malware-analysis", id="malware-analysis--" + str(uuid1()), product="cuckoo-sandbox", analysis_sco_refs=self.all_stix_objects, ) self.all_stix_objects.append(stix_malware_analysis) self.add_stix_groupings() log.debug("created stix groupings") stix_bundle = Bundle( type="bundle", id="bundle--" + str(uuid1()), objects=self.all_stix_objects, allow_custom=True, ) log.debug("writing report to disk and serializing it") self.write_report(stix_bundle)
def _process_hash(self, observable): hash_value = observable["observable_value"] artifact_id = None bundle_objects = [] try: # Attempt to download the file using the private V3 API method request_url = ( f"https://www.virustotal.com/api/v3/files/{hash_value}/download" ) req = urllib.request.Request(request_url, headers=self.headers) response = urllib.request.urlopen(req) file_contents = response.read() assert file_contents is not None # Get the mime type for the file mime_type = magic.from_buffer(file_contents, mime=True) # Upload the file as an Artifact kwargs = { "file_name": hash_value, "data": file_contents, "mime_type": mime_type, "x_opencti_description": f"Downloaded from Virustotal using hash {hash_value}", } response = self.helper.api.stix_cyber_observable.upload_artifact( **kwargs) self.helper.log_info(response) artifact_id = response["standard_id"] except Exception as e: raise Exception( f"Failed to download/upload Artifact with hash {hash_value}, exception: {e}" ) # Create a relationship between the StixFile and the new Artifact relationship = Relationship( id=OpenCTIStix2Utils.generate_random_stix_id("relationship"), relationship_type="related-to", created_by_ref=self.identity, source_ref=observable["standard_id"], target_ref=artifact_id, allow_custom=True, ) bundle_objects.append(relationship) if bundle_objects: bundle = Bundle(objects=bundle_objects, allow_custom=True).serialize() bundles_sent = self.helper.send_stix2_bundle(bundle) return f"Sent {len(bundles_sent)} stix bundle(s) for worker import" else: return "Nothing to attach"
def _generate_stix_bundle(self, country, city, observable_id): # Generate stix bundle country_identity = Identity( name=country.name, identity_class='group', custom_properties={ 'x_opencti_identity_type': 'country', 'x_opencti_alias': [country.official_name], } ) city_identity = Identity( name=city, identity_class='group', custom_properties={ 'x_opencti_identity_type': 'city' } ) city_to_country = Relationship( relationship_type='localization', source_ref=city_identity.id, target_ref=country_identity.id, ) observable_to_city = Relationship( relationship_type='localization', source_ref=observable_id, target_ref=city_identity.id, custom_properties={ 'x_opencti_weight': self.helper.connect_confidence_level } ) return Bundle(objects=[country_identity, city_identity, city_to_country, observable_to_city]).serialize()
def _process_message(self, data: Dict) -> str: file_fetch = data["file_fetch"] file_uri = self.helper.opencti_url + file_fetch self.helper.log_info(f"Importing the file {file_uri}") file_content = self.helper.api.fetch_opencti_file(file_uri) if data["file_mime"] == "text/xml": self.helper.log_debug("Stix1 file. Attempting conversion") initialize_options() file_content = elevate(file_content) entity_id = data.get("entity_id", None) if entity_id: self.helper.log_debug("Contextual import.") bundle = parse(file_content)["objects"] if self._contains_report(bundle): self.helper.log_debug("Bundle contains report.") else: self.helper.log_debug("No Report in Stix file. Updating current report") bundle = self._update_report(bundle, entity_id) file_content = Bundle(objects=bundle).serialize() bundles_sent = self.helper.send_stix2_bundle(file_content) return "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import"
def _process_message(self, data: Dict) -> str: file_fetch = data["file_fetch"] file_uri = self.helper.opencti_url + file_fetch # Downloading and saving file to connector self.helper.log_info("Importing the file " + file_uri) observable = SimpleObservable( id=OpenCTIStix2Utils.generate_random_stix_id( "x-opencti-simple-observable"), key=self.data["simple_observable_key"], value=self.data["simple_observable_value"], ) bundle_objects = [observable] entity_id = data.get("entity_id", None) report = self.helper.api.report.read(id=entity_id) report = Report( id=report["standard_id"], name=report["name"], description=report["description"], published=self.helper.api.stix2.format_date(report["published"]), report_types=report["report_types"], object_refs=bundle_objects, ) bundle_objects.append(report) # create stix bundle bundle = Bundle(objects=bundle_objects).serialize() # send data self.helper.send_stix2_bundle(bundle=bundle) return "foo"
def _process_parsed_objects(self, report: Dict, observables: List, entities: List) -> int: if len(observables) == 0 and len(entities) == 0: return 0 report = Report( id=report["standard_id"], name=report["name"], description=report["description"], published=self.helper.api.stix2.format_date(report["created"]), report_types=report["report_types"], object_refs=observables + entities, ) observables.append(report) bundles_sent = [] if len(observables) > 0: bundle = Bundle(objects=observables).serialize() bundles_sent = self.helper.send_stix2_bundle( bundle=bundle, update=True, ) # len() - 1 because the report update increases the count by one return len(bundles_sent) - 1
def run(self): now = datetime.utcfromtimestamp(time.time()) now_time = now.strftime("%Y-%m-%d %H:%M:%S") friendly_name = f"{self.helper.connect_name} run @ {now_time}" work_id = self.helper.api.work.initiate_work(self.helper.connect_id, friendly_name) bundle_objects = [] for elem in self.data: sdo = elem["class"]( id=elem["id"], name=elem["name"], description=elem["description"], ) bundle_objects.append(sdo) # create stix bundle bundle = Bundle(objects=bundle_objects).serialize() # send data self.helper.send_stix2_bundle( bundle=bundle, entities_types=self.helper.connect_scope, update=True, work_id=work_id, ) message = "Connector successfully run, storing last_run as " + str( now_time) self.helper.api.work.to_processed(work_id, message) return "Foo"
def make_cti_file(self, stix_objects, bundle_name): for object in stix_objects: self.write_amitt_cti_dir(object.type) # Write the bundle to the amitt-attack directory. self.write_amitt_file(f"amitt-attack/{object.type}/{object.id}.json", Bundle(object)) self.write_amitt_file(f"amitt-attack/{bundle_name}.json", self.stix_bundle())
def convert(filename, output='output.json'): count = 0 with open(filename) as json_file: vList = [] data = json.load(json_file) print("Loaded the file") for cves in data['CVE_Items']: count += 1 # Getting the different fields name = cves['cve']['CVE_data_meta']['ID'] description = cves['cve']['description']['description_data'][0]["value"] cdate = cves['publishedDate'] mdate = cves['lastModifiedDate'] creator = cves['cve']['CVE_data_meta']['ASSIGNER'] # Creating the vulnerability with the extracted fields vuln = Vulnerability(name=name, created=cdate, modified=mdate, description=description) # Adding the vulnerability to the list of vulnerabilities vList.append(vuln) # Creating the bundle from the list of vulnerabilities bundle = Bundle(vList) # Creating a MemoryStore object from the bundle memorystore = MemoryStore(bundle) # Dumping this object to a file memorystore.save_to_file(output) print("Successfully converted " + str(count) + " vulnerabilities")
def _process_message(self, data): file_fetch = data["file_fetch"] file_uri = self.helper.opencti_url + file_fetch file_name = os.path.basename(file_fetch) entity_id = data["entity_id"] # Get context is_context = entity_id is not None and len(entity_id) > 0 if self.helper.get_only_contextual() and not is_context: raise ValueError( "No context defined, connector is get_only_contextual true" ) self.helper.log_info("Importing the file " + file_uri) # Get the file file_content = self.helper.api.fetch_opencti_file(file_uri, True) # Write the file f = open(file_name, "wb") f.write(file_content) f.close() # Parse bundle_objects = [] i = 0 parser = iocp.IOC_Parser(None, "pdf", True, "pdfminer", "json") parsed = parser.parse(file_name) os.remove(file_name) if parsed != []: for file in parsed: if file != None: for page in file: if page != []: for match in page: resolved_match = self.resolve_match(match) if resolved_match: observable = SimpleObservable( id=OpenCTIStix2Utils.generate_random_stix_id( "x-opencti-simple-observable" ), key=resolved_match["type"], value=resolved_match["value"], x_opencti_create_indicator=self.create_indicator, ) bundle_objects.append(observable) i += 1 else: self.helper.log_error("Could not parse the report!") if is_context: entity = self.helper.api.stix_domain_object.read(id=entity_id) if entity is not None: if entity["entity_type"] == "Report" and len(bundle_objects) > 0: report = Report( id=entity["standard_id"], name=entity["name"], description=entity["description"], published=self.helper.api.stix2.format_date(entity["created"]), report_types=entity["report_types"], object_refs=bundle_objects, ) bundle_objects.append(report) bundle = Bundle(objects=bundle_objects).serialize() bundles_sent = self.helper.send_stix2_bundle(bundle) return "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import"
def build(self) -> Optional[Bundle]: """Build Kaspersky YARA rule bundle.""" # Prepare STIX2 bundle objects with author. bundle_objects = [self.author] # Add object marking definitions to bundle. bundle_objects.extend(self.object_markings) # Create indicators and add to bundle. indicators = self._create_indicators() if not indicators: log.warning("No indicators for %s", self.yara_rule.name) return None bundle_objects.extend(indicators) # Create object references for the report. objects = create_object_refs(indicators) # Create report and add to bundle. report = self._create_report(objects) if report is not None: bundle_objects.append(report) # XXX: Without allow_custom=True the observable with the custom property # will cause an unexpected property (x_opencti_score) error. return Bundle(objects=bundle_objects, allow_custom=True)
def run(self, work_id: str, state: Mapping[str, Any]) -> Mapping[str, Any]: """Run the importation of the article.""" self.work_id = work_id created = parser.parse(self.article["createdDate"]) # RisIQ API does not always provide the `publishedDate`. # If it does not exist, take the value of the `createdDate` instead. published = ( parser.parse(self.article["publishedDate"]) if self.article["publishedDate"] is not None else created ) indicators = itertools.chain( *[ self._process_indicator(indicator) for indicator in self.article["indicators"] ] ) indicators = utils.deduplicate(list(indicators)) # Return the initial state if we don't have any indicators. if not indicators: self.helper.log_info("No indicator in article, report will not be created.") return state self.helper.log_debug(f"Number of indicators: {len(indicators)}") # Check if all indicators' TLP marking are `TLP_WHITE`. report_tlp = TLP_WHITE if TLP_AMBER in [i["object_marking_refs"][0] for i in indicators]: report_tlp = TLP_AMBER report = Report( type="report", name=self.article.get("title", "RiskIQ Threat Report"), description=self.article["summary"], report_types=["threat-report"], created_by_ref=self.author, created=created, published=published, lang="en", labels=self.article["tags"], object_refs=indicators, object_marking_refs=report_tlp, external_references=[ { "source_name": "riskiq", "url": self.article["link"], "external_id": self.article["guid"], } ], allow_custom=True, ) self.helper.log_debug(f"[RiskIQ] Report = {report}") bundle = Bundle(objects=indicators + [report, self.author], allow_custom=True) self.helper.log_info("[RiskIQ] Sending report STIX2 bundle") self._send_bundle(bundle) return self._create_state(created)
def _send_bundle(self, bundle: Bundle) -> None: serialized_bundle = bundle.serialize() self.helper.send_stix2_bundle( serialized_bundle, work_id=self.work_id, update=self.update_existing_data, bypass_split=True, )
def build(self) -> Bundle: """Build actor bundle.""" # Create bundle with author. bundle_objects = [self.author] # Add object marking definitions to bundle. bundle_objects.extend(self.object_markings) # Create intrusion sets and add to bundle. intrusion_sets = self._create_intrusion_sets() bundle_objects.extend(intrusion_sets) # Create origin regions and countries and add to bundle. origin_regions, origin_countries = self._create_origin_regions_and_countries() bundle_objects.extend(origin_regions) bundle_objects.extend(origin_countries) # Intrusion sets originate from regions and add to bundle. intrusion_sets_originate_from_regions = ( self._create_originates_from_relationships(intrusion_sets, origin_regions) ) bundle_objects.extend(intrusion_sets_originate_from_regions) # Intrusion sets originate from countries and add to bundle. intrusion_sets_originate_from_countries = ( self._create_originates_from_relationships(intrusion_sets, origin_countries) ) bundle_objects.extend(intrusion_sets_originate_from_countries) # Create target regions and countries and add to bundle. target_regions, target_countries = self._create_targeted_regions_and_countries() bundle_objects.extend(target_regions) bundle_objects.extend(target_countries) # Intrusion sets target regions and add to bundle. intrusion_sets_target_regions = self._create_targets_relationships( intrusion_sets, target_regions ) bundle_objects.extend(intrusion_sets_target_regions) # Intrusion sets target countries and add to bundle. intrusion_sets_target_countries = self._create_targets_relationships( intrusion_sets, target_countries ) bundle_objects.extend(intrusion_sets_target_countries) # Create target sectors and add to bundle. target_sectors = self._create_targeted_sectors() bundle_objects.extend(target_sectors) # Intrusion sets target sectors, add to bundle. intrusion_sets_target_sectors = self._create_targets_relationships( intrusion_sets, target_sectors ) bundle_objects.extend(intrusion_sets_target_sectors) return Bundle(objects=bundle_objects)
def _process_hash(self, observable): hash_value = observable["observable_value"] artifact_id = None bundle_objects = [] try: # Attempt to source the file contents from the hash bytes_obj = io.BytesIO() response = self.api_client.download_file(hash_value, bytes_obj) bytes_obj.seek(0) file_contents = bytes_obj.read() mime_type = magic.from_buffer(file_contents, mime=True) # Upload the file as an Artifact kwargs = { "file_name": hash_value, "data": file_contents, "mime_type": mime_type, "x_opencti_description": f"Downloaded from Virustotal via hash {hash_value}", } response = self.helper.api.stix_cyber_observable.upload_artifact( **kwargs) self.helper.log_info(response) artifact_id = response["standard_id"] except Exception as e: raise Exception( f"Failed to download/upload Artifact with hash {hash_value}, exception: {e}" ) # Create a relationship between the StixFile and the new Artifact relationship = Relationship( id=OpenCTIStix2Utils.generate_random_stix_id("relationship"), relationship_type="related-to", created_by_ref=self.identity, source_ref=observable["standard_id"], target_ref=artifact_id, allow_custom=True, ) bundle_objects.append(relationship) if bundle_objects: bundle = Bundle(objects=bundle_objects, allow_custom=True).serialize() bundles_sent = self.helper.send_stix2_bundle(bundle) return f"Sent {len(bundles_sent)} stix bundle(s) for worker import" else: return "Nothing to attach"
def test_filesystem_object_with_custom_property_in_bundle(fs_store): camp = Campaign(name="Scipio Africanus", objective="Defeat the Carthaginians", x_empire="Roman", allow_custom=True) bundle = Bundle(camp, allow_custom=True) fs_store.add(bundle, allow_custom=True) camp_r = fs_store.get(camp.id, allow_custom=True) assert camp_r.id == camp.id assert camp_r.x_empire == camp.x_empire
def _process_parsed_objects( self, entity: Dict, observables: List, entities: List, bypass_validation: bool, file_name: str, ) -> int: if len(observables) == 0 and len(entities) == 0: return 0 if entity is not None and entity["entity_type"] == "Report": report = Report( id=entity["standard_id"], name=entity["name"], description=entity["description"], published=self.helper.api.stix2.format_date(entity["created"]), report_types=entity["report_types"], object_refs=observables + entities, allow_custom=True, ) observables.append(report) elif entity is not None: # TODO, relate all object to the entity entity_stix_bundle = self.helper.api.stix2.export_entity( entity["entity_type"], entity["id"]) observables = observables + entity_stix_bundle["objects"] else: timestamp = int(time.time()) now = datetime.utcfromtimestamp(timestamp) report = Report( name=file_name, description="Automatic import", published=now, report_types=["threat-report"], object_refs=observables + entities, allow_custom=True, ) observables.append(report) bundles_sent = [] if len(observables) > 0: bundle = Bundle(objects=observables, allow_custom=True).serialize() bundles_sent = self.helper.send_stix2_bundle( bundle=bundle, update=True, bypass_validation=bypass_validation, file_name=file_name + ".json", entity_id=entity["id"] if entity is not None else None, ) # len() - 1 because the report update increases the count by one return len(bundles_sent) - 1
def test_memory_store_object_with_custom_property_in_bundle(mem_store): camp = Campaign(name="Scipio Africanus", objective="Defeat the Carthaginians", x_empire="Roman", allow_custom=True) bundle = Bundle(camp, allow_custom=True) mem_store.add(bundle, True) bundle_r = mem_store.get(bundle.id) camp_r = bundle_r['objects'][0] assert camp_r.id == camp.id assert camp_r.x_empire == camp.x_empire
def test_add_stix2_bundle_object(collection): tc_sink = TAXIICollectionSink(collection) # create new STIX threat-actor ta = ThreatActor(name="Teddy Bear", labels=["nation-state"], sophistication="innovator", resource_level="government", goals=[ "compromising environment NGOs", "water-hole attacks geared towards energy sector", ]) tc_sink.add(Bundle(objects=[ta]))
def get_objects(self, **filter_kwargs): self._verify_can_read() query_params = _filter_kwargs_to_query_params(filter_kwargs) if not isinstance(query_params, dict): query_params = json.loads(query_params) full_filter = BasicFilter(query_params or {}) objs = full_filter.process_filter(self.objects, ("id", "type", "version"), []) if objs: return Bundle(objects=objs) else: resp = Response() resp.status_code = 404 resp.raise_for_status()
def get_object(self, id, version=None): self._verify_can_read() query_params = None if version: query_params = _filter_kwargs_to_query_params({"version": version}) if query_params: query_params = json.loads(query_params) full_filter = BasicFilter(query_params or {}) objs = full_filter.process_filter(self.objects, ("version", ), []) if objs: return Bundle(objects=objs) else: resp = Response() resp.status_code = 404 resp.raise_for_status()
def convert(filename, output='output.json'): # Create the default author author = Identity(name='The MITRE Corporation', identity_class='organization') count = 0 with open(filename) as json_file: vulnerabilities_bundle = [author] data = json.load(json_file) print("Loaded the file") for cves in data['CVE_Items']: count += 1 # Get the name name = cves['cve']['CVE_data_meta']['ID'] # Create external references external_reference = ExternalReference( source_name='NIST NVD', url='https://nvd.nist.gov/vuln/detail/' + name) external_references = [external_reference] for reference in cves['cve']['references']['reference_data']: external_reference = ExternalReference( source_name=reference['refsource'], url=reference['url']) external_references.append(external_reference) # Getting the different fields description = cves['cve']['description']['description_data'][0][ "value"] cdate = cves['publishedDate'] mdate = cves['lastModifiedDate'] # Creating the vulnerability with the extracted fields vuln = Vulnerability(name=name, created=cdate, modified=mdate, description=description, created_by_ref=author, external_references=external_references) # Adding the vulnerability to the list of vulnerabilities vulnerabilities_bundle.append(vuln) # Creating the bundle from the list of vulnerabilities bundle = Bundle(vulnerabilities_bundle) # Creating a MemoryStore object from the bundle memorystore = MemoryStore(bundle) # Dumping this object to a file memorystore.save_to_file(output) print("Successfully converted " + str(count) + " vulnerabilities")
def _generate_stix_bundle(self, country, city, loc, observable_id): # Generate stix bundle country_location = Location( id=OpenCTIStix2Utils.generate_random_stix_id("location"), name=country.name, country=country.official_name if hasattr(country, "official_name") else country.name, custom_properties={ "x_opencti_location_type": "Country", "x_opencti_aliases": [ country.official_name if hasattr(country, "official_name") else country.name ], }, ) loc_split = loc.split(",") city_location = Location( id=OpenCTIStix2Utils.generate_random_stix_id("location"), name=city, country=country.official_name if hasattr(country, "official_name") else country.name, latitude=loc_split[0], longitude=loc_split[1], custom_properties={"x_opencti_location_type": "City"}, ) city_to_country = Relationship( id=OpenCTIStix2Utils.generate_random_stix_id("relationship"), relationship_type="located-at", source_ref=city_location.id, target_ref=country_location.id, ) observable_to_city = Relationship( id=OpenCTIStix2Utils.generate_random_stix_id("relationship"), relationship_type="located-at", source_ref=observable_id, target_ref=city_location.id, confidence=self.helper.connect_confidence_level, ) return Bundle( objects=[ country_location, city_location, city_to_country, observable_to_city, ], allow_custom=True, ).serialize()
def test_entity_create(entity_class, api_stix, opencti_splitter): class_data = entity_class.data() stix_class = entity_class.stix_class() if stix_class is None: return stix_object = stix_class(**class_data) bundle = Bundle(objects=[stix_object]).serialize() split_bundle = opencti_splitter.split_bundle(bundle, True, None)[0] bundles_sent = api_stix.import_bundle_from_json(split_bundle, False, None, 0) assert len(bundles_sent) == 1 assert bundles_sent[0]["id"] == stix_object["id"] assert bundles_sent[0]["type"] == stix_object["type"] entity_class.base_class().delete(id=stix_object["id"])
def build(self) -> Bundle: """Build YARA rule bundle.""" # Create bundle with author. bundle_objects = [self.author] # Add object marking definitions to bundle. bundle_objects.extend(self.object_markings) # Create intrusion sets and add to bundle. intrusion_sets = self._create_intrusion_sets() bundle_objects.extend(intrusion_sets) # Create malwares and add to bundle. malwares = self._create_malwares() bundle_objects.extend(malwares) # Intrusion sets use malwares and add to bundle. intrusion_sets_use_malwares = self._create_uses_relationships( intrusion_sets, malwares) bundle_objects.extend(intrusion_sets_use_malwares) # Create indicators and add to bundle. indicators = self._create_indicators() bundle_objects.extend(indicators) # Indicator indicates entities, add to bundle. indicator_indicates = intrusion_sets + malwares indicator_indicates_entities = self._create_indicates_relationships( indicators, indicator_indicates) bundle_objects.extend(indicator_indicates_entities) # Create object references for the report. object_refs = create_object_refs( intrusion_sets, malwares, intrusion_sets_use_malwares, indicators, indicator_indicates_entities, ) # Create reports and add to bundle. reports = self._create_reports(object_refs) bundle_objects.extend(reports) return Bundle(objects=bundle_objects)
def build(self) -> Optional[Bundle]: """Build Kaspersky indicator group bundle.""" # Prepare STIX2 bundle objects with author. bundle_objects = [self.author] # Add object marking definitions to bundle. bundle_objects.extend(self.object_markings) # Create observations. observations = self._create_ioc_observations() if not observations: log.error("No indicators nor observables for %s", self.indicator_group) return None # Get observables and add to bundle. observables = [ o.observable for o in observations if o.observable is not None ] bundle_objects.extend(observables) # Get indicators and to bundle. indicators = [ o.indicator for o in observations if o.indicator is not None ] bundle_objects.extend(indicators) # Get observation relationships and add to bundle. indicators_based_on_observables = [ o.relationship for o in observations if o.relationship is not None ] bundle_objects.extend(indicators_based_on_observables) # Create object references for the report. object_refs = create_object_refs(observables, indicators, indicators_based_on_observables) # Create report and add to bundle. report = self._create_report(object_refs) bundle_objects.append(report) # XXX: Without allow_custom=True the observable with the custom property # will cause an unexpected property (x_opencti_score) error. return Bundle(objects=bundle_objects, allow_custom=True)
def handler(q=False): if q is False: return False request = json.loads(q) pp = pprint.PrettyPrinter(indent=4) pp.pprint(request) if "config" in request: config = request['config'] else: config = {"indent_json_export": None} if config['indent_json_export'] is not None: try: config['indent_json_export'] = int(config['indent_json_export']) except: config['indent_json_export'] = None if 'data' not in request: return False iocList = [] for event in request['data']: for attribute in event["Attribute"]: ioc_type = attribute["type"] ioc_value = attribute["value"] scan_results = attribute["comment"] ioc = create_indicator(ioc_type, ioc_value, scan_results) iocList.append(ioc) bundle = Bundle(iocList) print(bundle) return {'response': [], 'data': str(base64.b64encode(bytes(str(bundle), 'utf-8')), 'utf-8')} return r