def main(): data = json.load(open("data.json")) stix_package = STIXPackage(stix_header=STIXHeader( title=data['title'], package_intents='Incident')) ttps = {} for info in data['ips']: if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) incident = Incident(title=info['ip']) incident.time = Time() incident.time.first_malicious_action = info['first_seen'] addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) observable = Observable(item=addr) stix_package.add_observable(observable) related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware") incident.leveraged_ttps.append(related_ttp) related_observable = RelatedObservable( Observable(idref=observable.id_)) incident.related_observables.append(related_observable) stix_package.add_incident(incident) print(stix_package.to_xml(encoding=None))
def main(): pkg = STIXPackage() affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = "Database" affected_asset.type_.count_affected = 1 affected_asset.business_function_or_role = "Hosts the database for example.com" affected_asset.ownership_class = "Internally-Owned" affected_asset.management_class = "Internally-Managed" affected_asset.location_class = "Internally-Located" property_affected = PropertyAffected() property_affected.property_ = "Confidentiality" property_affected.description_of_effect = "Data was exfiltrated, has not been determined which data or how." property_affected.non_public_data_compromised = "Yes" property_affected.non_public_data_compromised.data_encrypted = False security_effect_nature = NatureOfSecurityEffect() security_effect_nature.append(property_affected) affected_asset.nature_of_security_effect = security_effect_nature affected_assets = AffectedAssets() affected_assets.append(affected_asset) incident = Incident(title="Exfiltration from hr-data1.example.com") incident.affected_assets = affected_assets pkg.add_incident(incident) print(pkg.to_xml(encoding=None))
def generate_stix_objects(self): incident_id = "{}:incident-{}".format(namespace[1], self.misp_event.uuid) incident = Incident(id_=incident_id, title=self.misp_event.info) self.set_dates(incident, self.misp_event.date, self.misp_event.publish_timestamp) threat_level_name = threat_level_mapping.get(str(self.misp_event.threat_level_id), None) if threat_level_name: threat_level_s = "Event Threat Level: {}".format(threat_level_name) self.add_journal_entry(incident, threat_level_s) Tags = {} event_tags = self.misp_event.Tag if event_tags: Tags['event'] = event_tags self.set_tag(incident, event_tags) external_id = ExternalID(value=str(self.misp_event.id), source="MISP Event") incident.add_external_id(external_id) incident_status_name = status_mapping.get(str(self.misp_event.analysis), None) if incident_status_name is not None: incident.status = IncidentStatus(incident_status_name) self.set_tlp(incident, self.misp_event.distribution, event_tags) self.set_src(incident, self.misp_event.Org.get('name')) self.orgc_name = self.misp_event.Orgc.get('name') self.set_rep(incident) self.ttps = [] self.resolve_attributes(incident, self.misp_event.attributes, Tags) self.resolve_objects(incident, Tags) self.add_related_indicators(incident) return incident
def test_incident(self): i = Incident() i.title = UNICODE_STR i.description = UNICODE_STR i.short_description = UNICODE_STR i2 = round_trip(i) self._test_equal(i, i2)
def main(): pkg = STIXPackage() file_object1 = File() file_object1.file_name = "readme.doc.exe" file_object1.size_in_bytes = 40891 file_object1.add_hash( Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" )) observable1 = Observable(file_object1) file_object2 = File() file_object2.file_name = "readme.doc.exe" file_object2.size_in_bytes = 40891 file_object2.add_hash( Hash("d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592" )) observable2 = Observable(file_object2) incident = Incident(title="Malicious files detected") related_observable1 = RelatedObservable( observable1, relationship="Malicious Artifact Detected") related_observable2 = RelatedObservable( observable2, relationship="Malicious Artifact Detected") incident.related_observables.append(related_observable1) incident.related_observables.append(related_observable2) pkg.add_incident(incident) print(pkg.to_xml(encoding=None))
def resolveObjects(incident, ttps, objects, eventTags, org): for obj in objects: tmp_incident = Incident() resolveAttributes(tmp_incident, ttps, obj["Attribute"], eventTags, org) indicator = Indicator( timestamp=getDateFromTimestamp(int(obj["timestamp"]))) indicator.id_ = namespace[1] + ":MispObject-" + obj["uuid"] setProd(indicator, org) if obj["comment"] != "": indicator.description = obj["comment"] tlpTags = eventTags for attr in obj["Attribute"]: tlpTags = mergeTags(tlpTags, attr) setTLP(indicator, obj["distribution"], tlpTags, True) indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")" indicator.description = indicator.title indicator.add_indicator_type("Malware Artifacts") indicator.add_valid_time_position(ValidTime()) indicator.observable_composition_operator = "AND" for rindicator in tmp_incident.related_indicators: if rindicator.item.observable: indicator.add_observable(rindicator.item.observable) relatedIndicator = RelatedIndicator(indicator, relationship=obj["meta-category"]) incident.related_indicators.append(relatedIndicator)
def generateSTIXObjects(event): incident = Incident(id_=namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"]) setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"])) threat_level_name = threat_level_mapping.get( event["Event"]["threat_level_id"], None) if threat_level_name: addJournalEntry(incident, "Event Threat Level: " + threat_level_name) ttps = [] eventTags = event["Event"].get("Tag", []) external_id = ExternalID(value=event["Event"]["id"], source="MISP Event") incident.add_external_id(external_id) incident_status_name = status_mapping.get(event["Event"]["analysis"], None) if incident_status_name is not None: incident.status = IncidentStatus(incident_status_name) setTLP(incident, event["Event"]["distribution"], eventTags) setSrc(incident, event["Event"]["Org"]["name"]) orgc_name = event["Event"]["Orgc"]["name"] setRep(incident, orgc_name) setTag(incident, eventTags) resolveAttributes(incident, ttps, event["Event"]["Attribute"], eventTags, orgc_name) resolveObjects(incident, ttps, event["Event"]["Object"], eventTags, orgc_name) return [incident, ttps]
def to_stix_incident(obj): """ Creates a STIX Incident object from a CRITs Event. Returns the STIX Incident and the original CRITs Event's releasability list. """ from stix.incident import Incident inc = Incident(title=obj.title, description=obj.description) return (inc, obj.releasability)
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg): # IMPLEMENTATION WORKAROUND - # restConfid --> header.description # resteffect --> breach.description # resttype --> reporter.description # restasset --> reporter.identity.name # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = restconfid # "Example description" stix_package.stix_header = stix_header # add incident and confidence breach = Incident(id_=ident) breach.description = resteffect # "Intrusion into enterprise network" breach.confidence = Confidence() breach.confidence.value=confid print("confidence set to %s"%(str(breach.confidence.value))) breach._binding_class.xml_type = typeIncident print("incident set to %s"%(str(breach._binding_class.xml_type))) # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = resttype #"The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = restasset # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of Company Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = asset breach.affected_assets = affected_asset # add the victim breach.add_victim (hashPkg) # add the impact impact = ImpactAssessment() impact.add_effect(effect) breach.impact_assessment = impact stix_package.add_incident(breach) return stix_package
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.incident import Incident from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information( "Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" attrib = Attribution() attrib.append(actor) c = Campaign() c.attribution = [] c.attribution.append(attrib) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) c.related_incidents.append( Incident( idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e")) c.related_incidents.append( Incident( idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a")) c.related_incidents.append( Incident( idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621")) pkg = STIXPackage() pkg.add_campaign(c) print(pkg.to_xml(encoding=None))
def generateSTIXObjects(event): incident = Incident(id_ = namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"]) setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"])) addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"]) ttps = [] external_id = ExternalID(value=event["Event"]["id"], source="MISP Event") incident.add_external_id(external_id) incident_status_name = status_mapping.get(event["Event"]["analysis"], None) if incident_status_name is not None: incident.status = IncidentStatus(incident_status_name) setTLP(incident, event["Event"]["distribution"]) setOrg(incident, event["Event"]["org"]) resolveAttributes(incident, ttps, event["Attribute"]) return [incident, ttps]
def build_stix(): # setup stix document stix_package = STIXPackage() # add incident and confidence breach = Incident() breach.description = "Intrusion into enterprise network" breach.confidence = "High" # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = "The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime( "2014-03-11", "%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = "Sample Investigations, LLC" # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of CyberTech Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime( "2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") # add the impact impact = ImpactAssessment() impact.effects = Effects("Unintended Access") breach.impact_assessment = impact # add the victim victim = Identity() victim.name = "CyberTech Dynamics" breach.add_victim(victim) # add the impact impact = ImpactAssessment() impact.effects = Effects("Financial Loss") breach.impact_assessment = impact stix_package.add_incident(breach) return stix_package
def test_embedded_component_direct_marking(self): """Test that embedded STIX components can be directly marked""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) incident = Incident(title="Test") package.add_incident(incident) indicator = Indicator(title="Test") incident.related_indicators.append(indicator) container.add_marking(indicator, red_marking) self.assertTrue(container.is_marked(indicator, red_marking))
def getSTIXObject(): # setup stix document stix_package = STIXPackage() # add incident and confidence breach = Incident() breach.description = "Parity Wallet Hacked" breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = "https://paritytech.io/blog/security-alert.html" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = "parity technologies ltd" # set incident-specific timestamps breach.time = incidentTime() breach.title = "The Multi-sig Hack" breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d") #breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d") # add the impact impact = ImpactAssessment() impact.effects = Effects("Estimated Loss of $280m in Ether") breach.impact_assessment = impact # add the victim victim = Identity() victim.name = "Cappasity" breach.add_victim(victim) victim2 = Identity() victim2.name = "Who else ?" breach.add_victim(victim2) # add Information Sources infoSource = InformationSource(); infoSource.add_description("https://news.ycombinator.com/item?id=15642856") infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/") breach.Information_Source = infoSource; stix_package.add_incident(breach) return stix_package
def test_remove_parent_marking_failure(self): """Test that inherited parent markings cannot be removed from children""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) incident = Incident(title="Test") package.add_incident(incident) indicator = Indicator(title="Test") incident.related_indicators.append(indicator) container.add_marking(incident, red_marking, descendants=True) self.assertTrue(container.is_marked(incident, red_marking)) self.assertTrue(container.is_marked(indicator, red_marking)) self.assertRaises(errors.MarkingRemovalError, container.remove_marking, indicator, red_marking, True)
def test_embedded_marking_removal(self): """Test that markings can be removed""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) incident = Incident(title="Test") package.add_incident(incident) indicator = Indicator(title="Test") incident.related_indicators.append(indicator) container.add_marking(indicator, red_marking) self.assertTrue(container.is_marked(indicator, red_marking)) container.remove_marking(indicator, red_marking) self.assertFalse(container.is_marked(indicator, red_marking))
def test_embedded_component_marking(self): """Test that embedded STIX components are marked according to their parent TLO and global markings""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) amber_marking = generate_marking_spec(generate_amber_marking_struct()) incident = Incident(title="Test") package.add_incident(incident) indicator = Indicator(title="Test") incident.related_indicators.append(indicator) container.add_marking(incident, red_marking, descendants=True) container.add_global(amber_marking) self.assertTrue(container.is_marked(indicator, red_marking)) self.assertTrue(container.is_marked(indicator, amber_marking))
def main(): malware = MalwareInstance() malware.add_name("Poison Ivy") malware.add_type("Remote Access Trojan") ttp = TTP(title="Poison Ivy") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) incident = Incident( title="Detected Poison Ivy beaconing through perimeter firewalls") related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware") incident.leveraged_ttps.append(related_ttp) stix_package = STIXPackage() stix_package.add_ttp(ttp) stix_package.add_incident(incident) print(stix_package.to_xml(encoding=None))
def resolve_objects(self, incident, tags): for misp_object in self.misp_event.objects: tlp_tags = None tmp_incident = Incident() tlp_tags = deepcopy(tags) self.resolve_attributes(tmp_incident, misp_object.attributes, tags) indicator = Indicator(timestamp=self.get_date_from_timestamp(int(misp_object.timestamp))) indicator.id_ = "{}:MispObject-{}".format(namespace[1], misp_object.uuid) self.set_prod(indicator, self.orgc_name) for attribute in misp_object.attributes: tlp_tags = self.merge_tags(tlp_tags, attribute) self.set_tlp(indicator, misp_object.distribution, tlp_tags) title = "{} (MISP Object #{})".format(misp_object.name, misp_object.id) indicator.title = title indicator.description = misp_object.comment if misp_object.comment else title indicator.add_indicator_type("Malware Artifacts") indicator.add_valid_time_position(ValidTime()) indicator.observable_composition_operator = "AND" for rindicator in tmp_incident.related_indicators: if rindicator.item.observable: indicator.add_observable(rindicator.item.observable) relatedIndicator = RelatedIndicator(indicator, relationship=misp_object['meta-category']) incident.related_indicators.append(relatedIndicator)
def test_marking_round_trip(self): """Test that get_markings() yields the same number of results after calling to_xml().""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) amber_marking = generate_marking_spec(generate_amber_marking_struct()) incident = Incident(title="Test Incident") package.add_incident(incident) indicator = Indicator(idref="example:Indicator-test-1234") incident.related_indicators.append(indicator) container.add_marking(incident, red_marking, descendants=True) container.add_global(amber_marking) self.assertTrue(container.is_marked(indicator, red_marking)) self.assertTrue(container.is_marked(indicator, amber_marking)) markings = container.get_markings(indicator) self.assertEqual(len(markings), 2) xml = container.to_xml() sio = StringIO(xml.decode("utf-8")) new_xml_container = stixmarx.parse(sio) parsed_indicator = new_xml_container.package.incidents[ 0].related_indicators[0] parsed_markings = new_xml_container.get_markings(parsed_indicator) for x in parsed_markings: print(x.to_dict()) self.assertEqual(len(parsed_markings), 2)
def test_incident_idref_deprecation(self): package = core.STIXPackage() package.add(Incident(idref='test-idref-dep'))
def json2incident(config, src, dest, endpoint, json_, crits_id): '''transform crits events into stix incidents with related indicators''' try: set_id_method(IDGenerator.METHOD_UUID) xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url'] xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name'] set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name)) if endpoint == 'events': endpoint_trans = { 'Email': 'emails', 'IP': 'ips', 'Sample': 'samples', 'Domain': 'domains', 'Indicator': 'indicators' } status_trans = { 'New': 'New', 'In Progress': 'Open', 'Analyzed': 'Closed', 'Deprecated': 'Rejected' } incident_ = Incident() incident_.id = xmlns_name + ':incident-' + crits_id incident_.id_ = incident_.id incident_.title = json_['title'] incident_.description = json_['description'] incident_.status = status_trans[json_['status']] # incident_.confidence = json_['confidence']['rating'].capitalize() for r in json_['relationships']: if r.get('relationship', None) not in ['Contains', 'Related_To']: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type='event relationship type ' + r.get('relationship', 'None'), id_=crits_id)) continue if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']: related_observable = RelatedObservable( Observable(idref=xmlns_name + ':observable-' + r['value'])) incident_.related_observables.append(related_observable) elif r['type'] == 'Indicator': related_indicator = RelatedIndicator( Indicator(idref=xmlns_name + ':indicator-' + r['value'])) incident_.related_indicators.append(related_indicator) elif r['type'] == 'Event': related_incident = RelatedIncident( Incident(idref=xmlns_name + ':incident-' + r['value'])) incident_.related_incidents.append(related_incident) return (incident_) else: config['logger'].error( log.log_messages['unsupported_object_error'].format( type_='crits', obj_type=endpoint, id_=crits_id)) return (None) except: e = sys.exc_info()[0] config['logger'].error(log.log_messages['obj_convert_error'].format( src_type='crits', src_obj='event', id_=crits_id, dest_type='stix', dest_obj='incident')) config['logger'].exception(e) return (None)
from stix.core import STIXPackage from stix.incident import Incident from stix.common import InformationSource from cybox.common import Time from datetime import datetime from stix.common import Identity from stix.incident import Time as incidentTime # different type than common:Time from stix.incident import Incident, ImpactAssessment from stix.incident.impact_assessment import Effects from stix.common import References # setup stix document stix_package = STIXPackage() # add incident and confidence breach = Incident() breach.description = "Parity Wallet Hacked" breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = "https://paritytech.io/blog/security-alert.html" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = "parity technologies ltd" # set incident-specific timestamps breach.time = incidentTime()
names.name = ['Operation Sparky', 'Operation Dingo'] campaign.names = names activity = Activity() activity.description = 'Foo' campaign.add_activity(activity) campaign.add_intended_effect(IntendedEffect('Extortion')) campaign.status = CampaignStatus('Ongoing') campaign.confidence = HighMediumLow('Medium') # Related TTP (basic; by id) ttp = TTP(title="Malware Variant XYZ") related_ttp = RelatedTTP(TTP(idref=ttp.id_)) campaign.related_ttps.append(related_ttp) # Related Incident (basic; by id) incident = Incident(title='We got hacked') t = Time() t.incident_opened = '2018-09-11' incident.time = t related_incident = RelatedIncident(Incident(idref=incident.id_)) campaign.related_incidents.append(related_incident) # Related Indicator (by id) fake = Faker() indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) campaign.related_indicators.append(related_indicator) # Related Threat Actor (by id)
def transform(self, event): stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident( id_="%s:%s-%s" % (CONPOT_NAMESPACE, 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category( VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append( ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent( 'Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.' ) })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({ 'port_value': event['remote'][1], 'layer4_protocol': 'tcp' }) dest_port = Port.from_dict({ 'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp' }) source_ip = Address.from_dict({ 'address_value': event['remote'][0], 'category': Address.CAT_IPV4 }) dest_ip = Address.from_dict({ 'address_value': event['public_ip'], 'category': Address.CAT_IPV4 }) source_address = SocketAddress.from_dict({ 'ip_address': source_ip.to_dict(), 'port': source_port.to_dict() }) dest_address = SocketAddress.from_dict({ 'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict() }) network_connection = NetworkConnection.from_dict({ 'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': "IPv4", 'layer4_protocol': "TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': "ESTABLISHED", 'destination_tcp_state': "ESTABLISHED", }) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
from stix.common import Identity, InformationSource from stix.common.related import (RelatedIndicator, RelatedObservable, RelatedThreatActor, RelatedIncident, RelatedTTP) from stix.core import STIXPackage from stix.incident import AttributedThreatActors, Incident, LeveragedTTPs, Time from stix.indicator import Indicator from stix.threat_actor import ThreatActor from stix.ttp import TTP, Behavior from stix.ttp.behavior import AttackPattern from stix.coa import CourseOfAction fake = Faker() # Basics incident = Incident(title='We got hacked') incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.' # Dates/Times t1 = '2018-08-23T14:00:05.470947+00:00' t2 = '2018-08-22T14:00:05.470947+00:00' t3 = '2018-08-24T14:00:05.470947+00:00' t = Time() t.incident_opened = t1 t.incident_discovery = t1 t.incident_reported = t1 t.first_malicious_action = t2 t.initial_compromise = t2 t.first_data_exfiltration = t2 t.containment_achieved = t3 t.restoration_achieved = t3