def main(): data = json.load(open("data.json")) stix_package = STIXPackage(stix_header=STIXHeader( title=data['title'], package_intents='Incident')) ttps = {} for info in data['ips']: if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) incident = Incident(title=info['ip']) incident.time = Time() incident.time.first_malicious_action = info['first_seen'] addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) observable = Observable(item=addr) stix_package.add_observable(observable) related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware") incident.leveraged_ttps.append(related_ttp) related_observable = RelatedObservable( Observable(idref=observable.id_)) incident.related_observables.append(related_observable) stix_package.add_incident(incident) print(stix_package.to_xml(encoding=None))
def generate_stix_objects(self): incident_id = "{}:incident-{}".format(namespace[1], self.misp_event.uuid) incident = Incident(id_=incident_id, title=self.misp_event.info) self.set_dates(incident, self.misp_event.date, self.misp_event.publish_timestamp) threat_level_name = threat_level_mapping.get(str(self.misp_event.threat_level_id), None) if threat_level_name: threat_level_s = "Event Threat Level: {}".format(threat_level_name) self.add_journal_entry(incident, threat_level_s) Tags = {} event_tags = self.misp_event.Tag if event_tags: Tags['event'] = event_tags self.set_tag(incident, event_tags) external_id = ExternalID(value=str(self.misp_event.id), source="MISP Event") incident.add_external_id(external_id) incident_status_name = status_mapping.get(str(self.misp_event.analysis), None) if incident_status_name is not None: incident.status = IncidentStatus(incident_status_name) self.set_tlp(incident, self.misp_event.distribution, event_tags) self.set_src(incident, self.misp_event.Org.get('name')) self.orgc_name = self.misp_event.Orgc.get('name') self.set_rep(incident) self.ttps = [] self.resolve_attributes(incident, self.misp_event.attributes, Tags) self.resolve_objects(incident, Tags) self.add_related_indicators(incident) return incident
def main(): data = json.load(open("data.json")) stix_package = STIXPackage(stix_header=STIXHeader(title=data['title'], package_intents='Incident')) ttps = {} for info in data['ips']: if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) incident = Incident(title=info['ip']) incident.time = Time() incident.time.first_malicious_action = info['first_seen'] addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) observable = Observable(item=addr) stix_package.add_observable(observable) related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware") incident.leveraged_ttps.append(related_ttp) related_observable = RelatedObservable(Observable(idref=observable.id_)) incident.related_observables.append(related_observable) stix_package.add_incident(incident) print(stix_package.to_xml(encoding=None))
def main(): pkg = STIXPackage() affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = "Database" affected_asset.type_.count_affected = 1 affected_asset.business_function_or_role = "Hosts the database for example.com" affected_asset.ownership_class = "Internally-Owned" affected_asset.management_class = "Internally-Managed" affected_asset.location_class = "Internally-Located" property_affected = PropertyAffected() property_affected.property_ = "Confidentiality" property_affected.description_of_effect = "Data was exfiltrated, has not been determined which data or how." property_affected.non_public_data_compromised = "Yes" property_affected.non_public_data_compromised.data_encrypted = False security_effect_nature = NatureOfSecurityEffect() security_effect_nature.append(property_affected) affected_asset.nature_of_security_effect = security_effect_nature affected_assets = AffectedAssets() affected_assets.append(affected_asset) incident = Incident(title="Exfiltration from hr-data1.example.com") incident.affected_assets = affected_assets pkg.add_incident(incident) print(pkg.to_xml(encoding=None))
def test_incident(self): i = Incident() i.title = UNICODE_STR i.description = UNICODE_STR i.short_description = UNICODE_STR i2 = round_trip(i) self._test_equal(i, i2)
def test_incident(self): i = Incident() i.title = UNICODE_STR i.description = UNICODE_STR i.short_description = UNICODE_STR i2 = round_trip(i) self._test_equal(i, i2)
def generateSTIXObjects(event): incident = Incident(id_=namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"]) setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"])) threat_level_name = threat_level_mapping.get( event["Event"]["threat_level_id"], None) if threat_level_name: addJournalEntry(incident, "Event Threat Level: " + threat_level_name) ttps = [] eventTags = event["Event"].get("Tag", []) external_id = ExternalID(value=event["Event"]["id"], source="MISP Event") incident.add_external_id(external_id) incident_status_name = status_mapping.get(event["Event"]["analysis"], None) if incident_status_name is not None: incident.status = IncidentStatus(incident_status_name) setTLP(incident, event["Event"]["distribution"], eventTags) setSrc(incident, event["Event"]["Org"]["name"]) orgc_name = event["Event"]["Orgc"]["name"] setRep(incident, orgc_name) setTag(incident, eventTags) resolveAttributes(incident, ttps, event["Event"]["Attribute"], eventTags, orgc_name) resolveObjects(incident, ttps, event["Event"]["Object"], eventTags, orgc_name) return [incident, ttps]
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg): # IMPLEMENTATION WORKAROUND - # restConfid --> header.description # resteffect --> breach.description # resttype --> reporter.description # restasset --> reporter.identity.name # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = restconfid # "Example description" stix_package.stix_header = stix_header # add incident and confidence breach = Incident(id_=ident) breach.description = resteffect # "Intrusion into enterprise network" breach.confidence = Confidence() breach.confidence.value=confid breach._binding_class.xml_type = typeIncident # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = resttype #"The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = restasset # "Sample Investigations, LLC" # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of CyberTech Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") # add the impact #impact = ImpactAssessment() #impact.add_effect("Unintended Access") #breach.impact_assessment = impact affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = asset breach.affected_assets = affected_asset #print("asset type: %s"%(breach.affected_assets[0].type_)) # add the victim breach.add_victim (hashPkg) # add the impact impact = ImpactAssessment() impact.add_effect(effect) breach.impact_assessment = impact stix_package.add_incident(breach) #print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents))) # Print the XML! #print(stix_package.to_xml()) return stix_package
def add_related_incidents_item(related_incidents_item, incident): # assuming only one id rIncident = Incident() externalID = ExternalID() externalID.value = related_incidents_item externalID.source = "VERIS" rIncident.add_external_id(externalID) incident.related_incidents.append(rIncident)
def generateSTIXObjects(event): incident = Incident(id_ = namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"]) setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"])) addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"]) ttps = [] external_id = ExternalID(value=event["Event"]["id"], source="MISP Event") incident.add_external_id(external_id) incident_status_name = status_mapping.get(event["Event"]["analysis"], None) if incident_status_name is not None: incident.status = IncidentStatus(incident_status_name) setTLP(incident, event["Event"]["distribution"]) setOrg(incident, event["Event"]["org"]) resolveAttributes(incident, ttps, event["Attribute"]) return [incident, ttps]
def generateSTIXObjects(event): incident = Incident(id_=namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"]) setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"])) addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"]) ttps = [] external_id = ExternalID(value=event["Event"]["id"], source="MISP Event") incident.add_external_id(external_id) incident_status_name = status_mapping.get(event["Event"]["analysis"], None) if incident_status_name is not None: incident.status = IncidentStatus(incident_status_name) setTLP(incident, event["Event"]["distribution"]) setOrg(incident, event["Event"]["org"]) resolveAttributes(incident, ttps, event["Attribute"]) return [incident, ttps]
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header) return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages) if obj.version: return_obj.version = obj.version if obj.Campaigns: return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign] if obj.Courses_Of_Action: return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action] if obj.Exploit_Targets: return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target] if obj.Indicators: return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator] if obj.Observables: return_obj.observables = Observables.from_obj(obj.Observables) if obj.Incidents: return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident] if obj.Threat_Actors: return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor] if obj.TTPs: return_obj.ttps = TTPs.from_obj(obj.TTPs) return return_obj
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header()) return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages()) if obj.get_version(): return_obj.version = obj.get_version() if obj.get_Campaigns(): return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()] if obj.get_Courses_Of_Action(): return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()] if obj.get_Exploit_Targets(): return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()] if obj.get_Indicators(): return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()] if obj.get_Observables(): return_obj.observables = Observables.from_obj(obj.get_Observables()) if obj.get_Incidents(): return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()] if obj.get_Threat_Actors(): return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()] if obj.get_TTPs(): return_obj.ttps = TTPs.from_obj(obj.get_TTPs()) return return_obj
def main(): pkg = STIXPackage() file_object1 = File() file_object1.file_name = "readme.doc.exe" file_object1.size_in_bytes = 40891 file_object1.add_hash( Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" )) observable1 = Observable(file_object1) file_object2 = File() file_object2.file_name = "readme.doc.exe" file_object2.size_in_bytes = 40891 file_object2.add_hash( Hash("d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592" )) observable2 = Observable(file_object2) incident = Incident(title="Malicious files detected") related_observable1 = RelatedObservable( observable1, relationship="Malicious Artifact Detected") related_observable2 = RelatedObservable( observable2, relationship="Malicious Artifact Detected") incident.related_observables.append(related_observable1) incident.related_observables.append(related_observable2) pkg.add_incident(incident) print(pkg.to_xml(encoding=None))
def resolveObjects(incident, ttps, objects, eventTags, org): for obj in objects: tmp_incident = Incident() resolveAttributes(tmp_incident, ttps, obj["Attribute"], eventTags, org) indicator = Indicator( timestamp=getDateFromTimestamp(int(obj["timestamp"]))) indicator.id_ = namespace[1] + ":MispObject-" + obj["uuid"] setProd(indicator, org) if obj["comment"] != "": indicator.description = obj["comment"] tlpTags = eventTags for attr in obj["Attribute"]: tlpTags = mergeTags(tlpTags, attr) setTLP(indicator, obj["distribution"], tlpTags, True) indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")" indicator.description = indicator.title indicator.add_indicator_type("Malware Artifacts") indicator.add_valid_time_position(ValidTime()) indicator.observable_composition_operator = "AND" for rindicator in tmp_incident.related_indicators: if rindicator.item.observable: indicator.add_observable(rindicator.item.observable) relatedIndicator = RelatedIndicator(indicator, relationship=obj["meta-category"]) incident.related_indicators.append(relatedIndicator)
def build_stix(): # setup stix document stix_package = STIXPackage() # add incident and confidence breach = Incident() breach.description = "Intrusion into enterprise network" breach.confidence = "High" # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = "The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = "Sample Investigations, LLC" # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of CyberTech Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") # add the impact impact = ImpactAssessment() impact.effects = Effects("Unintended Access") breach.impact_assessment = impact # add the victim victim = Identity() victim.name = "CyberTech Dynamics" breach.add_victim(victim) # add the impact impact = ImpactAssessment() impact.effects = Effects("Financial Loss") breach.impact_assessment = impact stix_package.add_incident(breach) return stix_package
def to_stix_incident(obj): """ Creates a STIX Incident object from a CRITs Event. Returns the STIX Incident and the original CRITs Event's releasability list. """ from stix.incident import Incident inc = Incident(title=obj.title, description=obj.description) return (inc, obj.releasability)
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.incident import Incident from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information( "Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" attrib = Attribution() attrib.append(actor) c = Campaign() c.attribution = [] c.attribution.append(attrib) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) c.related_incidents.append( Incident( idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e")) c.related_incidents.append( Incident( idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a")) c.related_incidents.append( Incident( idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621")) pkg = STIXPackage() pkg.add_campaign(c) print(pkg.to_xml(encoding=None))
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header()) return_obj.related_packages = RelatedPackages.from_obj( obj.get_Related_Packages()) if obj.get_version(): return_obj.version = obj.get_version() if obj.get_Campaigns(): return_obj.campaigns = [ Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign() ] if obj.get_Courses_Of_Action(): return_obj.courses_of_action = [ CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action() ] if obj.get_Exploit_Targets(): return_obj.exploit_targets = [ ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target() ] if obj.get_Indicators(): return_obj.indicators = [ Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator() ] if obj.get_Observables(): return_obj.observables = Observables.from_obj( obj.get_Observables()) if obj.get_Incidents(): return_obj.incidents = [ Incident.from_obj(x) for x in obj.get_Incidents().get_Incident() ] if obj.get_Threat_Actors(): return_obj.threat_actors = [ ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor() ] if obj.get_TTPs(): return_obj.ttps = TTPs.from_obj(obj.get_TTPs()) return return_obj
def build_stix( ): # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Sample breach report" stix_header.add_package_intent ("Incident") stix_package.stix_header = stix_header # add incident and confidence breach = Incident() breach.description = "Intrusion into enterprise network" breach.confidence = "High" # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = "The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = "Sample Investigations, LLC" # incident time is a complex object with support for a bunch of different "when stuff happened" items breach.time = incidentTime() breach.title = "Breach of Canary Corp" breach.time.incident_discovery = datetime.strptime("2013-01-13", "%Y-%m-%d") # when they submitted it # add the impact impact = ImpactAssessment() impact.add_effect("Financial Loss") breach.impact_assessment = impact # add the victim breach.add_victim ("Canary Corp") stix_package.add_incident(breach) return stix_package
def test_embedded_component_direct_marking(self): """Test that embedded STIX components can be directly marked""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) incident = Incident(title="Test") package.add_incident(incident) indicator = Indicator(title="Test") incident.related_indicators.append(indicator) container.add_marking(indicator, red_marking) self.assertTrue(container.is_marked(indicator, red_marking))
def test_remove_parent_marking_failure(self): """Test that inherited parent markings cannot be removed from children""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) incident = Incident(title="Test") package.add_incident(incident) indicator = Indicator(title="Test") incident.related_indicators.append(indicator) container.add_marking(incident, red_marking, descendants=True) self.assertTrue(container.is_marked(incident, red_marking)) self.assertTrue(container.is_marked(indicator, red_marking)) self.assertRaises(errors.MarkingRemovalError, container.remove_marking, indicator, red_marking, True)
def test_embedded_marking_removal(self): """Test that markings can be removed""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) incident = Incident(title="Test") package.add_incident(incident) indicator = Indicator(title="Test") incident.related_indicators.append(indicator) container.add_marking(indicator, red_marking) self.assertTrue(container.is_marked(indicator, red_marking)) container.remove_marking(indicator, red_marking) self.assertFalse(container.is_marked(indicator, red_marking))
def test_embedded_component_marking(self): """Test that embedded STIX components are marked according to their parent TLO and global markings""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) amber_marking = generate_marking_spec(generate_amber_marking_struct()) incident = Incident(title="Test") package.add_incident(incident) indicator = Indicator(title="Test") incident.related_indicators.append(indicator) container.add_marking(incident, red_marking, descendants=True) container.add_global(amber_marking) self.assertTrue(container.is_marked(indicator, red_marking)) self.assertTrue(container.is_marked(indicator, amber_marking))
def build_stix( ): # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Sample breach report" stix_header.add_package_intent ("Incident") # stamp with creator stix_header.information_source = InformationSource() stix_header.information_source.description = "The person who reported it" stix_header.information_source.identity = Identity() stix_header.information_source.identity.name = "Infosec Operations Team" stix_package.stix_header = stix_header # add incident and confidence breach = Incident() breach.description = "Intrusion into enterprise network" breach.confidence = "High" # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of Cyber Tech Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") # add the impact impact = ImpactAssessment() impact.add_effect("Unintended Access") breach.impact_assessment = impact # add the victim breach.add_victim ("Cyber Tech Dynamics") stix_package.add_incident(breach) return stix_package
def main(): malware = MalwareInstance() malware.add_name("Poison Ivy") malware.add_type("Remote Access Trojan") ttp = TTP(title="Poison Ivy") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) incident = Incident( title="Detected Poison Ivy beaconing through perimeter firewalls") related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware") incident.leveraged_ttps.append(related_ttp) stix_package = STIXPackage() stix_package.add_ttp(ttp) stix_package.add_incident(incident) print(stix_package.to_xml(encoding=None))
def json2incident(config, src, dest, endpoint, json_, crits_id): '''transform crits events into stix incidents with related indicators''' try: set_id_method(IDGenerator.METHOD_UUID) xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url'] xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name'] set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name)) if endpoint == 'events': endpoint_trans = {'Email': 'emails', 'IP': 'ips', 'Sample': 'samples', 'Domain': 'domains', 'Indicator': 'indicators'} status_trans = {'New': 'New', 'In Progress': 'Open', 'Analyzed': 'Closed', 'Deprecated': 'Rejected'} incident_ = Incident() incident_.id = xmlns_name + ':incident-' + crits_id incident_.id_ = incident_.id incident_.title = json_['title'] incident_.description = json_['description'] incident_.status = status_trans[json_['status']] # incident_.confidence = json_['confidence']['rating'].capitalize() for r in json_['relationships']: if r.get('relationship', None) not in ['Contains', 'Related_To']: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type='event relationship type ' + r.get('relationship', 'None'), id_=crits_id)) continue if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']: related_observable = RelatedObservable(Observable(idref=xmlns_name + ':observable-' + r['value'])) incident_.related_observables.append(related_observable) elif r['type'] == 'Indicator': related_indicator = RelatedIndicator(Indicator(idref=xmlns_name + ':indicator-' + r['value'])) incident_.related_indicators.append(related_indicator) elif r['type'] == 'Event': related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value'])) incident_.related_incidents.append(related_incident) return(incident_) else: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type=endpoint, id_=crits_id)) return(None) except: e = sys.exc_info()[0] config['logger'].error(log.log_messages['obj_convert_error'].format( src_type='crits', src_obj='event', id_=crits_id, dest_type='stix', dest_obj='incident')) config['logger'].exception(e) return(None)
def from_dict(cls, dict_repr, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id', None) return_obj.idref = dict_repr.get('idref', None) return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version', cls._version) return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None)) return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])] return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])] return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])] return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])] return_obj.observables = Observables.from_dict(dict_repr.get('observables')) return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])] return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])] return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps')) return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages')) return return_obj
def resolve_objects(self, incident, tags): for misp_object in self.misp_event.objects: tlp_tags = None tmp_incident = Incident() tlp_tags = deepcopy(tags) self.resolve_attributes(tmp_incident, misp_object.attributes, tags) indicator = Indicator(timestamp=self.get_date_from_timestamp(int(misp_object.timestamp))) indicator.id_ = "{}:MispObject-{}".format(namespace[1], misp_object.uuid) self.set_prod(indicator, self.orgc_name) for attribute in misp_object.attributes: tlp_tags = self.merge_tags(tlp_tags, attribute) self.set_tlp(indicator, misp_object.distribution, tlp_tags) title = "{} (MISP Object #{})".format(misp_object.name, misp_object.id) indicator.title = title indicator.description = misp_object.comment if misp_object.comment else title indicator.add_indicator_type("Malware Artifacts") indicator.add_valid_time_position(ValidTime()) indicator.observable_composition_operator = "AND" for rindicator in tmp_incident.related_indicators: if rindicator.item.observable: indicator.add_observable(rindicator.item.observable) relatedIndicator = RelatedIndicator(indicator, relationship=misp_object['meta-category']) incident.related_indicators.append(relatedIndicator)
def test_marking_round_trip(self): """Test that get_markings() yields the same number of results after calling to_xml().""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) amber_marking = generate_marking_spec(generate_amber_marking_struct()) incident = Incident(title="Test Incident") package.add_incident(incident) indicator = Indicator(idref="example:Indicator-test-1234") incident.related_indicators.append(indicator) container.add_marking(incident, red_marking, descendants=True) container.add_global(amber_marking) self.assertTrue(container.is_marked(indicator, red_marking)) self.assertTrue(container.is_marked(indicator, amber_marking)) markings = container.get_markings(indicator) self.assertEqual(len(markings), 2) xml = container.to_xml() sio = StringIO(xml.decode("utf-8")) new_xml_container = stixmarx.parse(sio) parsed_indicator = new_xml_container.package.incidents[ 0].related_indicators[0] parsed_markings = new_xml_container.get_markings(parsed_indicator) for x in parsed_markings: print(x.to_dict()) self.assertEqual(len(parsed_markings), 2)
def convert_file(ifn, ofn, vcdb): global cve_info global targets_item cve_info = [] targets_item = None with open(ifn) as json_data: veris_item = json.load(json_data) json_data.close() schema_version_item = veris_item.get("schema_version") if not schema_version_item: error("The 'schema_version' item is required") elif not (schema_version_item == "1.3" or schema_version_item == "1.3.0"): error("This converter is for VERIS schema version 1.3. This file has schema version " + schema_version_item) return pkg = STIXPackage() action_item = veris_item.get('action') if not action_item: error("The 'action' item is required") else: add_action_item(action_item, pkg) add_cve_info(pkg) actor_item = veris_item.get('actor') if not actor_item: error("The 'actor' item is required") else: add_actor_item(actor_item, pkg) incident = Incident() pkg.add_incident(incident) asset_item = veris_item.get('asset') if not asset_item: error("The 'asset' item is required") else: attribute_item = veris_item.get('attribute') add_asset_item(asset_item, attribute_item, incident) # added as 1.3 campaign_id_item = veris_item.get('campaign_id') if campaign_id_item: add_campaign_item(campaign_id_item, pkg) confidence_item = veris_item.get('confidence') if confidence_item: add_confidence_item(confidence_item, incident) #control_failure - not found in data if veris_item.get('control_failure'): warn("'control_failure' item not handled, yet") corrective_action_item = veris_item.get('corrective_action') cost_corrective_action_item = veris_item.get('cost_corrective_action') if corrective_action_item or cost_corrective_action_item: add_coa_items(corrective_action_item, cost_corrective_action_item, pkg) discovery_method_item = veris_item.get('discovery_method') if not discovery_method_item: error("The 'discovery_method' item is required") else: incident.add_discovery_method(map_discovey_method(discovery_method_item)) discovery_notes_item = veris_item.get('discovery_notes') if discovery_notes_item: warn("'discovery_notes' item not handled yet") impact_item = veris_item.get('impact') if impact_item: add_impact_item(impact_item, incident) incident_id_item = veris_item.get('incident_id') if not incident_id_item: error("The 'incident_id' item is required") else: external_id = ExternalID() external_id.value = incident_id_item external_id.source = "VERIS" incident.add_external_id(external_id) notes_item = veris_item.get('notes') if notes_item: pkg.stix_header = STIXHeader() pkg.stix_header.title = "Notes: " + notes_item # plus item for records from VCDB have some known useful information if vcdb: plus_item = veris_item.get('plus') if plus_item: add_plus_item(plus_item, incident, pkg) # removed as of 1.3 - see campaign_id # related_incidents_item = veris_item.get('related_incidents') # if related_incidents_item: # add_related_incidents_item(related_incidents_item, incident) security_incident_item = veris_item.get('security_incident') if not security_incident_item: error("The 'security_incident' item is required") else: incident.security_compromise = map_security_incident_item_to_security_compromise(security_incident_item) reference_item = veris_item.get('reference') source_id_item = veris_item.get('source_id') if source_id_item or reference_item: add_information_source_items(reference_item, source_id_item, schema_version_item, incident) summary_item = veris_item.get('summary') if summary_item: incident.title = summary_item #targeted_item = veris_item.get('targeted') #if targeted_item: timeline_item = veris_item.get('timeline') if not timeline_item: error("The 'timeline' item is required") else: add_timeline_item(timeline_item, incident) victim_item = veris_item.get('victim') if victim_item: add_victim_item(victim_item, incident) add_related(pkg) if not ofn: stixXML = sys.stdout else: stixXML = open(ofn, 'wb') stixXML.write(pkg.to_xml()) stixXML.close()
def transform(self, event): self._set_namespace(self.config['contact_domain'], self.config['contact_name']) stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category(VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append(ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.') })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector") ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'}) dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp'}) source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4}) dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4}) source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()}) dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()}) network_connection = NetworkConnection.from_dict( {'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': u"IPv4", 'layer4_protocol': u"TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': u"ESTABLISHED", 'destination_tcp_state': u"ESTABLISHED", } ) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
def getSTIXObject(): # setup stix document stix_package = STIXPackage() # add incident and confidence breach = Incident() breach.description = "Parity Wallet Hacked" breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = "https://paritytech.io/blog/security-alert.html" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = "parity technologies ltd" # set incident-specific timestamps breach.time = incidentTime() breach.title = "The Multi-sig Hack" breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d") #breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d") # add the impact impact = ImpactAssessment() impact.effects = Effects("Estimated Loss of $280m in Ether") breach.impact_assessment = impact # add the victim victim = Identity() victim.name = "Cappasity" breach.add_victim(victim) victim2 = Identity() victim2.name = "Who else ?" breach.add_victim(victim2) # add Information Sources infoSource = InformationSource(); infoSource.add_description("https://news.ycombinator.com/item?id=15642856") infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/") breach.Information_Source = infoSource; stix_package.add_incident(breach) return stix_package
def buildIncident(input_dict): # add incident and confidence incident = Incident() incident.description = input_dict['description'] if input_dict['confidence']: incident.confidence = input_dict['confidence'] # add incident reporter incident.reporter = InformationSource() incident.reporter.description = "Person who reported the incident" incident.reporter.time = Time() incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it incident.reporter.identity = Identity() incident.reporter.identity.name = input_dict['submitter'] # incident time is a complex object with support for a bunch of different "when stuff happened" items incident.time = incidentTime() incident.title = "Breach of " + input_dict['organization'] incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it if input_dict['responder']: incident.responders = input_dict['responder'] if input_dict['coordinator']: incident.coordinators = input_dict['coordinator'] if input_dict['intent']: incident.intended_effects = input_dict['intent'] if input_dict['discovery']: incident.discovery_methods = input_dict['discovery'] if input_dict['status']: incident.status = input_dict['status'] if input_dict['compromise']: incident.security_compromise = input_dict['compromise'] # add the impact impact = ImpactAssessment() impact.add_effect(input_dict['damage']) incident.impact_assessment = impact if input_dict['asset']: asset = AffectedAsset() asset.type_ = input_dict['asset'] incident.add_affected_asset (asset) # add the victim incident.add_victim (input_dict['organization']) return incident
def build_stix(): # setup stix document stix_package = STIXPackage() # add incident and confidence breach = Incident() breach.description = "Intrusion into enterprise network" breach.confidence = "High" # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = "The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime( "2014-03-11", "%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = "Sample Investigations, LLC" # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of CyberTech Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime( "2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") # add the impact impact = ImpactAssessment() impact.effects = Effects("Unintended Access") breach.impact_assessment = impact # add the victim victim = Identity() victim.name = "CyberTech Dynamics" breach.add_victim(victim) # add the impact impact = ImpactAssessment() impact.effects = Effects("Financial Loss") breach.impact_assessment = impact stix_package.add_incident(breach) return stix_package
def test_incident_idref_deprecation(self): package = core.STIXPackage() package.add(Incident(idref='test-idref-dep'))
def json2incident(config, src, dest, endpoint, json_, crits_id): '''transform crits events into stix incidents with related indicators''' try: set_id_method(IDGenerator.METHOD_UUID) xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url'] xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name'] set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name)) if endpoint == 'events': endpoint_trans = { 'Email': 'emails', 'IP': 'ips', 'Sample': 'samples', 'Domain': 'domains', 'Indicator': 'indicators' } status_trans = { 'New': 'New', 'In Progress': 'Open', 'Analyzed': 'Closed', 'Deprecated': 'Rejected' } incident_ = Incident() incident_.id = xmlns_name + ':incident-' + crits_id incident_.id_ = incident_.id incident_.title = json_['title'] incident_.description = json_['description'] incident_.status = status_trans[json_['status']] # incident_.confidence = json_['confidence']['rating'].capitalize() for r in json_['relationships']: if r.get('relationship', None) not in ['Contains', 'Related_To']: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type='event relationship type ' + r.get('relationship', 'None'), id_=crits_id)) continue if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']: related_observable = RelatedObservable( Observable(idref=xmlns_name + ':observable-' + r['value'])) incident_.related_observables.append(related_observable) elif r['type'] == 'Indicator': related_indicator = RelatedIndicator( Indicator(idref=xmlns_name + ':indicator-' + r['value'])) incident_.related_indicators.append(related_indicator) elif r['type'] == 'Event': related_incident = RelatedIncident( Incident(idref=xmlns_name + ':incident-' + r['value'])) incident_.related_incidents.append(related_incident) return (incident_) else: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type=endpoint, id_=crits_id)) return (None) except: e = sys.exc_info()[0] config['logger'].error(log.log_messages['obj_convert_error'].format( src_type='crits', src_obj='event', id_=crits_id, dest_type='stix', dest_obj='incident')) config['logger'].exception(e) return (None)
names.name = ['Operation Sparky', 'Operation Dingo'] campaign.names = names activity = Activity() activity.description = 'Foo' campaign.add_activity(activity) campaign.add_intended_effect(IntendedEffect('Extortion')) campaign.status = CampaignStatus('Ongoing') campaign.confidence = HighMediumLow('Medium') # Related TTP (basic; by id) ttp = TTP(title="Malware Variant XYZ") related_ttp = RelatedTTP(TTP(idref=ttp.id_)) campaign.related_ttps.append(related_ttp) # Related Incident (basic; by id) incident = Incident(title='We got hacked') t = Time() t.incident_opened = '2018-09-11' incident.time = t related_incident = RelatedIncident(Incident(idref=incident.id_)) campaign.related_incidents.append(related_incident) # Related Indicator (by id) fake = Faker() indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) campaign.related_indicators.append(related_indicator) # Related Threat Actor (by id)
def build_stix( input_dict ): # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Incident report for " + input_dict['organization'] stix_header.add_package_intent ("Incident") # Add handling requirements if needed if input_dict['sensitive'] == "True": mark = SimpleMarkingStructure() mark.statement = "Sensitive" mark_spec = MarkingSpecification() mark_spec.marking_structures.append(mark) stix_header.handling = Marking(mark_spec) stix_package.stix_header = stix_header # add incident and confidence incident = Incident() incident.description = input_dict['description'] incident.confidence = input_dict['confidence'] # add incident reporter incident.reporter = InformationSource() incident.reporter.description = "Person who reported the incident" incident.reporter.time = Time() incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it incident.reporter.identity = Identity() incident.reporter.identity.name = input_dict['submitter'] # incident time is a complex object with support for a bunch of different "when stuff happened" items incident.time = incidentTime() incident.title = "Breach of " + input_dict['organization'] incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it # add the impact impact = ImpactAssessment() impact.add_effect(input_dict['damage']) incident.impact_assessment = impact #Add the thing that was stolen jewels = AffectedAsset() jewels.type_ = input_dict['asset'] incident.add_affected_asset (jewels) # add the victim incident.add_victim (input_dict['organization']) stix_package.add_incident(incident) return stix_package
from stix.core import STIXPackage from stix.incident import Incident from stix.common import InformationSource from cybox.common import Time from datetime import datetime from stix.common import Identity from stix.incident import Time as incidentTime # different type than common:Time from stix.incident import Incident, ImpactAssessment from stix.incident.impact_assessment import Effects from stix.common import References # setup stix document stix_package = STIXPackage() # add incident and confidence breach = Incident() breach.description = "Parity Wallet Hacked" breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = "https://paritytech.io/blog/security-alert.html" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = "parity technologies ltd" # set incident-specific timestamps breach.time = incidentTime()
def parse(self, argument_log): """ Parses Suricata IDS log lines into STIX/CybOX format. :param argument_log: The log line to try and identify :return: STIX Incident """ argument_log = " ".join(argument_log.split(" ")[5:]) parsed_suricata_log = {} for regex in self._regex: try: parsed_suricata_log[regex] = re.match(self._regex[regex], argument_log).group(1) except: print "Failed to parse %s" % (regex) return False #TODO: Time Zones parsed_suricata_log["unix_timestamp"] = time.mktime(datetime.datetime.strptime(parsed_suricata_log["time"], "%m/%d/%Y-%H:%M:%S").timetuple()) # Find IP's of interest if IPAddress(parsed_suricata_log["source_ip"]).is_private() == False or IPAddress(parsed_suricata_log["destination_ip"]).is_private() == False: # Name Space stix.utils.idgen.set_id_namespace(Namespace(self._config["NAMESPACE"]["url"], self._config["NAMESPACE"]["name"],"")) stix_package = STIXPackage() # If the source is public if not IPAddress(parsed_suricata_log["source_ip"]).is_private() and IPAddress(parsed_suricata_log["destination_ip"]).is_private(): incident = Incident(title="[IDS Alert] "+parsed_suricata_log["text"]+" From "+ parsed_suricata_log["source_ip"]) addr = Address(address_value=parsed_suricata_log["source_ip"], category=Address.CAT_IPV4) elif IPAddress(parsed_suricata_log["source_ip"]).is_private() and not IPAddress(parsed_suricata_log["destination_ip"]).is_private(): incident = Incident(title="[IDS Alert] "+parsed_suricata_log["text"]+" To "+ parsed_suricata_log["destination_ip"]) addr = Address(address_value=parsed_suricata_log["destination_ip"], category=Address.CAT_IPV4) else: #public to public - i can't tell who the bad guy is return False observable = Observable(item=addr, title="[IP Associated To IDS Alert] "+parsed_suricata_log["text"], description="""This ip address was seen to be involved in triggering the IDS alert %s if seen from multiple sources, this is a good indicator of a potential threat actor or compromised host""" % (parsed_suricata_log["text"])) stix_package.add_observable(observable) incident.time = Time() incident.time.first_malicious_action = parsed_suricata_log["time"] related_observable = RelatedObservable(Observable(idref=observable.id_)) incident.related_observables.append(related_observable) stix_package.add_incident(incident) return stix_package.to_xml()
def buildSTIX(ident, confid, restconfid, effect, resteffect, typeIncident, resttype, asset, restasset, hashPkg): # IMPLEMENTATION WORKAROUND - # restConfid --> header.description # resteffect --> breach.description # resttype --> reporter.description # restasset --> reporter.identity.name # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = restconfid # "Example description" stix_package.stix_header = stix_header # add incident and confidence breach = Incident(id_=ident) breach.description = resteffect # "Intrusion into enterprise network" breach.confidence = Confidence() breach.confidence.value = confid breach._binding_class.xml_type = typeIncident # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = resttype #"The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime( "2014-03-11", "%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = restasset # "Sample Investigations, LLC" # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of CyberTech Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime( "2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") # add the impact #impact = ImpactAssessment() #impact.add_effect("Unintended Access") #breach.impact_assessment = impact affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = asset breach.affected_assets = affected_asset #print("asset type: %s"%(breach.affected_assets[0].type_)) # add the victim breach.add_victim(hashPkg) # add the impact impact = ImpactAssessment() impact.add_effect(effect) breach.impact_assessment = impact stix_package.add_incident(breach) #print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents))) # Print the XML! #print(stix_package.to_xml()) return stix_package
def transform(self, event): stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident( id_="%s:%s-%s" % (CONPOT_NAMESPACE, 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category( VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append( ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent( 'Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.' ) })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({ 'port_value': event['remote'][1], 'layer4_protocol': 'tcp' }) dest_port = Port.from_dict({ 'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp' }) source_ip = Address.from_dict({ 'address_value': event['remote'][0], 'category': Address.CAT_IPV4 }) dest_ip = Address.from_dict({ 'address_value': event['public_ip'], 'category': Address.CAT_IPV4 }) source_address = SocketAddress.from_dict({ 'ip_address': source_ip.to_dict(), 'port': source_port.to_dict() }) dest_address = SocketAddress.from_dict({ 'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict() }) network_connection = NetworkConnection.from_dict({ 'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': "IPv4", 'layer4_protocol': "TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': "ESTABLISHED", 'destination_tcp_state': "ESTABLISHED", }) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
from stix.common import Identity, InformationSource from stix.common.related import (RelatedIndicator, RelatedObservable, RelatedThreatActor, RelatedIncident, RelatedTTP) from stix.core import STIXPackage from stix.incident import AttributedThreatActors, Incident, LeveragedTTPs, Time from stix.indicator import Indicator from stix.threat_actor import ThreatActor from stix.ttp import TTP, Behavior from stix.ttp.behavior import AttackPattern from stix.coa import CourseOfAction fake = Faker() # Basics incident = Incident(title='We got hacked') incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.' # Dates/Times t1 = '2018-08-23T14:00:05.470947+00:00' t2 = '2018-08-22T14:00:05.470947+00:00' t3 = '2018-08-24T14:00:05.470947+00:00' t = Time() t.incident_opened = t1 t.incident_discovery = t1 t.incident_reported = t1 t.first_malicious_action = t2 t.initial_compromise = t2 t.first_data_exfiltration = t2 t.containment_achieved = t3 t.restoration_achieved = t3