def generateThreatActor(attribute):
ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ta.id_ = namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def generateThreatActor(attribute):
ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def generateThreatActor(attribute):
ta = ThreatActor()
ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def _get_threat_actor_object(value,
description=None,
crowd_strike_motivations=[]):
# 攻撃者情報作成
organisation_name = OrganisationName(value)
party_name = PartyName()
party_name.add_organisation_name(organisation_name)
identity_specification = STIXCIQIdentity3_0()
identity_specification.party_name = party_name
identity = CIQIdentity3_0Instance()
# ThreatActor
ta = ThreatActor()
ta.identity = identity
ta.identity.specification = identity_specification
# Title に抽出した Threat Actor 名前
ta.title = value
ta.description = description
ta.short_description = description
ta.identity = identity
# motivations 作成
for crowd_strike_motivation in crowd_strike_motivations:
ta_motivation = Statement(crowd_strike_motivation['value'])
# motivation 追加
ta.add_motivation(ta_motivation)
return ta
def test_ta(self):
t = ThreatActor()
t.title = UNICODE_STR
t.description = UNICODE_STR
t.short_description = UNICODE_STR
t2 = round_trip(t)
self._test_equal(t, t2)
def test_ta(self):
t = ThreatActor()
t.title = UNICODE_STR
t.description = UNICODE_STR
t.short_description = UNICODE_STR
t2 = round_trip(t)
self._test_equal(t, t2)
def main():
# Creamos el indicador con la información de la que disponemos
threatActor = ThreatActor()
threatActor.title = "Ip/Domain/Hostname"
threatActor.description = ("A threatActor commited with malicious tasks")
threatActor.information_source = ("Malshare")
threatActor.timestamp = ("01/05/2019")
threatActor.identity = ("106.113.123.197")
threatActor.types = ("eCrime Actor - Spam Service")
# Creamos el indicador con la información de la que disponemos
indicator = Indicator()
indicator.title = "Risk Score"
indicator.description = (
"An indicator containing the appropriate Risk Score")
indicator.set_produced_time("01/05/2019")
indicator.likely_impact = ("Risk Score: 2(Medium)")
# Creamos el reporte en STIX, con una brve descripción
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Feeds in STIX format with their Risk Scores"
stix_package.stix_header = stix_header
# Añadimos al reporte el indicador que hemos construido antes
stix_package.add(threatActor)
stix_package.add(indicator)
# Imprimimos el xml en pantalla
print(stix_package.to_xml())
def add_external_or_partner_actor_ttem(item, pkg):
ta = ThreatActor()
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
country_item = item.get('country')
if not country_item:
error("Required 'country' item is missing in 'actor/external' or 'actor/partner' item")
else:
for c in country_item:
address = Address()
address.country = Country()
address.country.add_name_element(c)
identity_spec.add_address(address)
ta.identity.specification = identity_spec
motive_item = item.get('motive')
if not motive_item:
error("Required 'motive' item is missing in 'actor/external' or 'actor/partner' item")
else:
for m in motive_item:
motivation = Statement()
motivation.value = map_motive_item_to_motivation(m)
ta.add_motivation(motivation)
variety_item = item.get('variety')
if not variety_item:
error("Required 'variety' item is missing in 'actor/external' or 'actor/partner' item")
else:
for v in variety_item:
ta_type = Statement()
ta_type.value = map_actor_variety_item_to_threat_actor_type(v)
ta.add_type(ta_type)
notes_item = item.get('notes')
if notes_item:
ta.description = "Notes: " + escape(notes_item)
pkg.add_threat_actor(ta)
def generateThreatActor(attribute):
ta = ThreatActor()
ta.id_ = "example:threatactor-" + attribute["uuid"]
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute[
"uuid"]
ta.description = attribute["value"]
return ta
def generate_threat_actor(attribute):
ta = ThreatActor(timestamp=attribute.timestamp)
ta.id_ = "{}:threatactor-{}".format(namespace[1], attribute.uuid)
ta.title = "{}: {} (MISP Attribute #{})".format(attribute.category, attribute.value, attribute.id)
description = attribute.value
if attribute.comment:
description += " ({})".format(attribute.comment)
ta.description = description
return ta
def to_stix_actor(obj):
"""
Create a STIX Actor.
"""
ta = ThreatActor()
ta.title = obj.name
ta.description = obj.description
for tt in obj.threat_types:
ta.add_type(tt)
for m in obj.motivations:
ta.add_motivation(m)
for ie in obj.intended_effects:
ta.add_intended_effect(ie)
for s in obj.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, obj.releasability)
def to_stix_actor(obj):
"""
Create a STIX Actor.
"""
ta = ThreatActor()
ta.title = obj.name
ta.description = obj.description
for tt in obj.threat_types:
ta.add_type(tt)
for m in obj.motivations:
ta.add_motivation(m)
for ie in obj.intended_effects:
ta.add_intended_effect(ie)
for s in obj.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, obj.releasability)
def to_stix_actor(self):
"""
Create a STIX Actor.
"""
from stix.threat_actor import ThreatActor
ta = ThreatActor()
ta.title = self.name
ta.description = self.description
for tt in self.threat_types:
ta.add_type(tt)
for m in self.motivations:
ta.add_motivation(m)
for ie in self.intended_effects:
ta.add_intended_effect(ie)
for s in self.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, self.releasability)
def to_stix_actor(self):
"""
Create a STIX Actor.
"""
from stix.threat_actor import ThreatActor
ta = ThreatActor()
ta.title = self.name
ta.description = self.description
for tt in self.threat_types:
ta.add_type(tt)
for m in self.motivations:
ta.add_motivation(m)
for ie in self.intended_effects:
ta.add_intended_effect(ie)
for s in self.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, self.releasability)
def add_actor_item(actor_item, pkg):
ta = ThreatActor()
external_item = actor_item.get('external')
if external_item:
add_external_or_partner_actor_ttem(external_item, pkg)
internal_item = actor_item.get('internal')
if internal_item:
add_internal_actor_item(internal_item, pkg)
# this is a partner of the victim...
partner_item = actor_item.get('partner')
if partner_item:
add_external_or_partner_actor_ttem(partner_item, pkg)
unknown_item = actor_item.get('unknown')
if unknown_item:
notes_item = unknown_item.get('notes')
if notes_item:
ta = ThreatActor()
ta.description = "Notes:" + escape(notes_item)
pkg.add_threat_actor(ta)
def buildThreatActor(input_dict):
threatActor = ThreatActor()
threatActor.title = input_dict["title"]
threatActor.description = input_dict["description"]
if input_dict["identity"]:
threatActor.identity = Identity(input_dict["identity"])
if input_dict["type"]:
threatActor.add_type(input_dict["type"])
if input_dict["motivation"]:
threatActor.add_motivation(input_dict["motivation"])
if input_dict["sophistication"]:
threatActor.add_sophistication(input_dict["sophistication"])
if input_dict["intendedEffect"]:
threatActor.add_intended_effect(input_dict["intendedEffect"])
if input_dict["support"]:
threatActor.add_planning_and_operational_support(input_dict["support"])
if input_dict["confidence"]:
threatActor.confidence = Confidence(input_dict["confidence"])
if input_dict["informationSource"]:
threatActor.information_source = InformationSource(input_dict["informationSource"])
return threatActor
def add_internal_actor_item(internal_item, pkg):
ta = ThreatActor()
motive_item = internal_item.get('motive')
if not motive_item:
error("Required 'motive' item is missing in 'actor/internal' item")
else:
for item in motive_item:
motivation = Statement()
motivation.value = map_motive_item_to_motivation(item)
ta.add_motivation(motivation)
# job_change added in 1.3
variety_item = internal_item.get('variety')
if not variety_item:
error("Required 'variety' item is missing in 'actor/internal' item")
else:
for v in variety_item:
ta_type = Statement()
ta_type.value = ThreatActorType(ThreatActorType.TERM_INSIDER_THREAT)
ta_type.description = v
ta.add_type(ta_type)
notes_item = internal_item.get('notes')
if notes_item:
ta.description = "Notes: " + escape(notes_item)
pkg.add_threat_actor(ta)
def generateThreatActor(attribute):
ta = ThreatActor()
ta.id_="example:threatactor-" + attribute["uuid"]
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
ta.description = attribute["value"]
return ta