def _generate_stix_bundle(self, country, city, observable_id): # Generate stix bundle country_identity = Identity( name=country.name, identity_class='group', custom_properties={ 'x_opencti_identity_type': 'country', 'x_opencti_alias': [country.official_name], } ) city_identity = Identity( name=city, identity_class='group', custom_properties={ 'x_opencti_identity_type': 'city' } ) city_to_country = Relationship( relationship_type='localization', source_ref=city_identity.id, target_ref=country_identity.id, ) observable_to_city = Relationship( relationship_type='localization', source_ref=observable_id, target_ref=city_identity.id, custom_properties={ 'x_opencti_weight': self.helper.connect_confidence_level } ) return Bundle(objects=[country_identity, city_identity, city_to_country, observable_to_city]).serialize()
def rel_fs_store(): cam = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS) idy = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS) ind = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS) mal = Malware(id=MALWARE_ID, **MALWARE_KWARGS) rel1 = Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0]) rel2 = Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1]) rel3 = Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2]) stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3] fs = FileSystemStore(FS_PATH) for o in stix_objs: fs.add(o) yield fs for o in stix_objs: filepath = os.path.join(FS_PATH, o.type, o.id, _timestamp2filename(o.modified) + '.json') # Some test-scoped fixtures (e.g. fs_store) delete all campaigns, so by # the time this module-scoped fixture tears itself down, it may find # its campaigns already gone, which causes not-found errors. try: os.remove(filepath) except OSError as e: # 3 is the ERROR_PATH_NOT_FOUND windows error code. Which has an # errno symbolic value, but not the windows meaning... if e.errno in (errno.ENOENT, 3): continue raise
def create_sector(name: str, author: Identity) -> Identity: """Create a sector.""" return Identity( created_by_ref=author, name=name, identity_class="class", )
def stix_identity(self): id = Identity( name="Misinfosec Project", identity_class="organization", description="The Misinfosec group is where misinformation and information security people meet and learn from each other.", ) return id
def create_organization(name: str, author: Optional[Identity] = None) -> Identity: """Create an organization.""" return Identity( created_by_ref=author, name=name, identity_class="organization", )
def __init__(self): # Instantiate the connector helper from config config_file_path = Path( __file__).parent.parent.resolve() / "config.yml" config = (yaml.load(open(config_file_path, encoding="utf8"), Loader=yaml.FullLoader) if config_file_path.is_file() else {}) self.helper = OpenCTIConnectorHelper(config) self.base_url = get_config_variable("RISKIQ_BASE_URL", ["riskiq", "base_url"], config) self.interval_sec = get_config_variable("RISKIQ_INTERVAL_SEC", ["riskiq", "interval_sec"], config) user = get_config_variable("RISKIQ_USER", ["riskiq", "user"], config) password = get_config_variable("RISKIQ_PASSWORD", ["riskiq", "password"], config) # Create the author for all reports. self.author = Identity( name=self._DEFAULT_AUTHOR, identity_class="organization", description= " RiskIQ is a cyber security company based in San Francisco, California." " It provides cloud - based software as a service(SaaS) for organizations" " to detect phishing, fraud, malware, and other online security threats.", confidence=self.helper.connect_confidence_level, ) # Initialization of the client self.client = RiskIQClient(self.base_url, user, password)
def create_organization(name: str, author: Optional[Identity] = None) -> Identity: """Create an organization.""" return Identity( created_by_ref=author, name=name, identity_class="organization", custom_properties={CustomProperties.IDENTITY_TYPE: "organization"}, )
def create_sector(name: str, author: Identity) -> Identity: """Create a sector.""" return Identity( created_by_ref=author, name=name, identity_class="class", custom_properties={CustomProperties.IDENTITY_TYPE: "sector"}, )
def create_country(name: str, author: Identity) -> Identity: """Create a country.""" return Identity( created_by_ref=author, name=name, identity_class="group", custom_properties={CustomProperties.IDENTITY_TYPE: "country"}, )
def rel_mem_store(): cam = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS) idy = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS) ind = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS) mal = Malware(id=MALWARE_ID, **MALWARE_KWARGS) rel1 = Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0]) rel2 = Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1]) rel3 = Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2]) stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3] yield MemoryStore(stix_objs)
def create_region(entity: Entity, author: Identity) -> Identity: """Create a region""" custom_properties: Dict[str, Any] = { CustomProperties.IDENTITY_TYPE: "region" } return Identity( created_by_ref=author, name=entity.value, identity_class="group", custom_properties=custom_properties, )
def _generate_stix_bundle(self, country, city, observable_id): # Generate stix bundle country_identity = Identity( name=country.name, identity_class="group", custom_properties={ "x_opencti_identity_type": "country", "x_opencti_alias": [ country.official_name if hasattr(country, "official_name") else country.name ], }, ) city_identity = Identity( name=city, identity_class="group", custom_properties={"x_opencti_identity_type": "city"}, ) city_to_country = Relationship( relationship_type="localization", source_ref=city_identity.id, target_ref=country_identity.id, ) observable_to_city = Relationship( relationship_type="localization", source_ref=observable_id, target_ref=city_identity.id, custom_properties={ "x_opencti_weight": self.helper.connect_confidence_level, "x_opencti_ignore_dates": True, }, ) return Bundle(objects=[ country_identity, city_identity, city_to_country, observable_to_city, ]).serialize()
def create_country(entity: Entity, author: Identity) -> Identity: """Create a country""" custom_properties: Dict[str, Any] = {"x_opencti_location_type": "Country"} if entity.slug is not None: custom_properties["x_opencti_aliases"] = [entity.slug.upper()] return Identity( created_by_ref=author, name=entity.value, country=entity.slug.upper(), custom_properties=custom_properties, )
def create_country(entity: Entity, author: Identity) -> Identity: """Create a country""" custom_properties: Dict[str, Any] = { CustomProperties.IDENTITY_TYPE: "country" } if entity.slug is not None: custom_properties[CustomProperties.ALIASES] = [entity.slug.upper()] return Identity( created_by_ref=author, name=entity.value, identity_class="group", custom_properties=custom_properties, )
def convert(filename, output='output.json'): # Create the default author author = Identity(name='The MITRE Corporation', identity_class='organization') count = 0 with open(filename) as json_file: vulnerabilities_bundle = [author] data = json.load(json_file) print("Loaded the file") for cves in data['CVE_Items']: count += 1 # Get the name name = cves['cve']['CVE_data_meta']['ID'] # Create external references external_reference = ExternalReference( source_name='NIST NVD', url='https://nvd.nist.gov/vuln/detail/' + name) external_references = [external_reference] for reference in cves['cve']['references']['reference_data']: external_reference = ExternalReference( source_name=reference['refsource'], url=reference['url']) external_references.append(external_reference) # Getting the different fields description = cves['cve']['description']['description_data'][0][ "value"] cdate = cves['publishedDate'] mdate = cves['lastModifiedDate'] # Creating the vulnerability with the extracted fields vuln = Vulnerability(name=name, created=cdate, modified=mdate, description=description, created_by_ref=author, external_references=external_references) # Adding the vulnerability to the list of vulnerabilities vulnerabilities_bundle.append(vuln) # Creating the bundle from the list of vulnerabilities bundle = Bundle(vulnerabilities_bundle) # Creating a MemoryStore object from the bundle memorystore = MemoryStore(bundle) # Dumping this object to a file memorystore.save_to_file(output) print("Successfully converted " + str(count) + " vulnerabilities")
def rel_fs_store(): cam = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS) idy = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS) ind = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS) mal = Malware(id=MALWARE_ID, **MALWARE_KWARGS) rel1 = Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0]) rel2 = Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1]) rel3 = Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2]) stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3] fs = FileSystemStore(FS_PATH) for o in stix_objs: fs.add(o) yield fs for o in stix_objs: os.remove(os.path.join(FS_PATH, o.type, o.id + '.json'))
def create_identity( name: str, created_by: Optional[Identity] = None, identity_class: Optional[str] = None, custom_properties: Optional[Mapping[str, Any]] = None, ) -> Identity: """Create an identity.""" if custom_properties is None: custom_properties = {} return Identity( id=_create_random_identifier("identity"), created_by_ref=created_by, name=name, identity_class=identity_class, custom_properties=custom_properties, )
def amitt_identity(self): """ """ threat_actors = self.identities.itertuples() for i in threat_actors: if i.id == "ID00000": continue external_references = [] if i.type == "identity": refs = self.parse_xlsx_reference_tuples(i.references) for ref in refs: try: reference = ExternalReference( source_name=ref[1], url=ref[2], external_id=ref[0] ) external_references.append(reference) except IndexError: pass try: created_date = datetime.strptime(i.whenAdded, "%Y-%m-%d") except: created_date = datetime.now() identity = Identity( name=i.name, description=i.summary, identity_class=i.identityClass, sectors=i.sectors, contact_information=i.contactInformation, created=created_date, custom_properties={ # "x_published": i.whenAdded, # "x_source": i.sourceCountry, # "x_target": i.targetCountry, "x_identified_via": i.foundVia }, external_references=external_references ) self.stix_objects.append(identity) self.stix_identity_uuid[i.id] = identity.id
def convert(parse_data, output='output.json'): # Create the default author author = Identity(name='The MS Bulletin Corporation', identity_class='organization') print(author) count = 0 vulnerabilities_bundle = [author] # Getting modified date mdate = parse_data["rss"]["channel"]["lastBuildDate"] for msb in parse_data["rss"]["channel"]["item"]: count += 1 # Get the name name = msb["title"] # Getting the create date cdate = msb["pubDate"] # Getting description description = msb["description"] # Create external references external_references = ExternalReference( source_name="Microsoft Security Bulletin", url=msb["link"] ) # Creating the vulnerability with the extracted fields vuln = Vulnerability( name=name, created=cdate, modified=mdate, description=description, created_by_ref=author, external_references=external_references ) # Adding the vulnerability to the list of vulnerabilities vulnerabilities_bundle.append(vuln) # Creating the bundle from the list of vulnerabilities bundle = Bundle(vulnerabilities_bundle) # Creating a MemoryStore object from the bundle memorystore = MemoryStore(bundle) # Dumping this object to a file memorystore.save_to_file(output) print("Successfully converted " + str(count) + " vulnerabilities")
def __init__( self, helper: OpenCTIConnectorHelper, confidence_level: int, update_data: bool, default_marking, valhalla_client: str, ) -> None: """Initialize Valhalla indicator importer.""" self.helper = helper self.guess_malware = True self.guess_actor = True self.confidence_level = confidence_level self.update_data = update_data self.default_marking = default_marking self.valhalla_client = valhalla_client self.organization = Identity( name="Nextron Systems GmbH", identity_class="organization", description="THOR APT scanner and Valhalla Yara Rule API Provider", ) self.bundle_objects = []
def run(self): """Run RiskIQ connector.""" self.helper.log_info("Starting RiskIQ connector...") # Create the author for all reports. # Creating it as a member of the class does not seem to work... author = Identity( name=self._DEFAULT_AUTHOR, identity_class="organization", description=" RiskIQ is a cyber security company based in San Francisco, California." " It provides cloud - based software as a service(SaaS) for organizations" " to detect phishing, fraud, malware, and other online security threats.", ) while True: self.helper.log_info("Running RiskIQ connector...") run_interval = self._CONNECTOR_RUN_INTERVAL_SEC try: self.helper.log_info(f"Connector interval sec: {run_interval}") timestamp = self._current_unix_timestamp() current_state = self._load_state() self.helper.log_info(f"[RiskIQ] loaded state: {current_state}") last_run = self._get_state_value( current_state, self._STATE_LATEST_RUN_TIMESTAMP ) if self._is_scheduled(last_run, timestamp): work_id = self._initiate_work(timestamp) new_state = current_state.copy() last_article = self._get_state_value( current_state, ArticleImporter._LATEST_ARTICLE_TIMESTAMP ) self.helper.log_info(f"[RiskIQ] last run: {last_run}") last_article_date = ( timestamp_to_datetime(last_article).date() if last_run else None ) self.helper.log_debug( f"[RiskIQ] retrieving data from {last_article_date}" ) response = self.client.get_articles(last_article_date) if self.client.is_correct(response): for article in response["articles"]: importer = ArticleImporter(self.helper, article, author) importer_state = importer.run(work_id, current_state) if importer_state: self.helper.log_info( f"[RiskIQ] Updating state {importer_state}" ) new_state.update(importer_state) # Set the new state new_state[ self._STATE_LATEST_RUN_TIMESTAMP ] = self._current_unix_timestamp() self.helper.log_info( f"[RiskIQ] Storing new state: {new_state}" ) self.helper.set_state(new_state) else: self.helper.log_warning("[RiskIQ] failed to retrieve articles") run_interval = self._CONNECTOR_RUN_INTERVAL_SEC self.helper.log_info( f"[RiskIQ] next run in {run_interval} seconds" ) else: run_interval = self._get_next_interval( run_interval, timestamp, last_run ) self.helper.log_info( f"[RiskIQ] Connector will not run, next run in {run_interval} seconds" ) self._sleep(delay_sec=run_interval) except (KeyboardInterrupt, SystemExit): self.helper.log_info("RiskIQ connector stop") sys.exit(0) except Exception as e: self.helper.log_error(str(e)) sys.exit(0)
def process_events(self, events): for event in events: self.helper.log_info("Processing event " + event["Event"]["uuid"]) ### Default variables added_markings = [] added_entities = [] added_object_refs = [] ### Pre-process # Author author = Identity( name=event["Event"]["Orgc"]["name"], identity_class="organization" ) # Elements event_elements = self.prepare_elements(event["Event"]["Galaxy"], author) # Markings if "Tag" in event["Event"]: event_markings = self.resolve_markings(event["Event"]["Tag"]) else: event_markings = [TLP_WHITE] # Tags event_tags = [] if "Tag" in event["Event"]: event_tags = self.resolve_tags(event["Event"]["Tag"]) # ExternalReference event_external_reference = ExternalReference( source_name=self.helper.connect_name, external_id=event["Event"]["uuid"], url=self.misp_url + "/events/view/" + event["Event"]["uuid"], ) ### Get indicators event_external_references = [event_external_reference] indicators = [] # Get attributes for attribute in event["Event"]["Attribute"]: indicator = self.process_attribute( author, event_elements, event_markings, [], attribute ) if attribute["type"] == "link": event_external_references.append( ExternalReference( source_name=attribute["category"], external_id=attribute["uuid"], url=attribute["value"], ) ) if indicator is not None: indicators.append(indicator) # Get attributes of objects objects_relationships = [] for object in event["Event"]["Object"]: attribute_external_references = [] for attribute in object["Attribute"]: if attribute["type"] == "link": attribute_external_references.append( ExternalReference( source_name=attribute["category"], external_id=attribute["uuid"], url=attribute["value"], ) ) object_attributes = [] for attribute in object["Attribute"]: indicator = self.process_attribute( author, event_elements, event_markings, attribute_external_references, attribute, ) if indicator is not None: indicators.append(indicator) if ( object["meta-category"] == "file" and indicator["indicator"].x_opencti_observable_type in FILETYPES ): object_attributes.append(indicator) objects_relationships.extend( self.process_observable_relations(object_attributes, []) ) ### Prepare the bundle bundle_objects = [author] object_refs = [] # Add event markings for event_marking in event_markings: if event_marking["id"] not in added_markings: bundle_objects.append(event_marking) added_markings.append(event_marking["id"]) # Add event elements all_event_elements = ( event_elements["intrusion_sets"] + event_elements["malwares"] + event_elements["tools"] + event_elements["attack_patterns"] ) for event_element in all_event_elements: if event_element["name"] not in added_object_refs: object_refs.append(event_element) added_object_refs.append(event_element["name"]) if event_element["name"] not in added_entities: bundle_objects.append(event_element) added_entities.append(event_element["name"]) # Add indicators for indicator in indicators: if indicator["indicator"]["id"] not in added_object_refs: object_refs.append(indicator["indicator"]) added_object_refs.append(indicator["indicator"]["id"]) if indicator["indicator"]["id"] not in added_entities: bundle_objects.append(indicator["indicator"]) added_entities.append(indicator["indicator"]["id"]) # Add attribute markings for attribute_marking in indicator["markings"]: if attribute_marking["id"] not in added_markings: bundle_objects.append(attribute_marking) added_markings.append(attribute_marking["id"]) # Add attribute elements all_attribute_elements = ( indicator["attribute_elements"]["intrusion_sets"] + indicator["attribute_elements"]["malwares"] + indicator["attribute_elements"]["tools"] + indicator["attribute_elements"]["attack_patterns"] ) for attribute_element in all_attribute_elements: if attribute_element["name"] not in added_object_refs: object_refs.append(attribute_element) added_object_refs.append(attribute_element["name"]) if attribute_element["name"] not in added_entities: bundle_objects.append(attribute_element) added_entities.append(attribute_element["name"]) # Add attribute relationships for relationship in indicator["relationships"]: object_refs.append(relationship) bundle_objects.append(relationship) # Add object_relationships for object_relationship in objects_relationships: bundle_objects.append(object_relationship) ### Create the report if needed if self.misp_create_report and len(object_refs) > 0: report = Report( name=event["Event"]["info"], description=event["Event"]["info"], published=parse(event["Event"]["date"]), created_by_ref=author, object_marking_refs=event_markings, labels=["threat-report"], object_refs=object_refs, external_references=event_external_references, custom_properties={ "x_opencti_report_class": self.misp_report_class, "x_opencti_object_status": 2, "x_opencti_tags": event_tags, }, ) bundle_objects.append(report) bundle = Bundle(objects=bundle_objects).serialize() self.helper.log_info("Sending event STIX2 bundle") self.helper.send_stix2_bundle( bundle, None, self.update_existing_data, False )
def process_events(self, events): for event in events: ### Default variables added_markings = [] added_entities = [] added_object_refs = [] ### Pre-process # Author author = Identity(name=event['Event']['Orgc']['name'], identity_class='organization') # Elements event_elements = self.prepare_elements(event['Event']['Galaxy']) # Markings if 'Tag' in event['Event']: event_markings = self.resolve_markings(event['Event']['Tag']) else: event_markings = [TLP_WHITE] # ExternalReference event_external_reference = ExternalReference( source_name=self.helper.connect_name, external_id=event['Event']['uuid'], url=self.misp_url + '/events/view/' + event['Event']['uuid']) ### Get indicators indicators = [] # Get attributes for attribute in event['Event']['Attribute']: indicator = self.process_attribute(author, event_elements, event_markings, attribute) if indicator is not None: indicators.append(indicator) # Get attributes of objects objects_relationships = [] for object in event['Event']['Object']: object_attributes = [] for attribute in object['Attribute']: indicator = self.process_attribute(author, event_elements, event_markings, attribute) if indicator is not None: indicators.append(indicator) if object['meta-category'] == 'file' and indicator[ 'indicator'].x_opencti_observable_type in FILETYPES: object_attributes.append(indicator) objects_relationships.extend(self.process_observable_relations(object_attributes, [])) ### Prepare the bundle bundle_objects = [author] object_refs = [] # Add event markings for event_marking in event_markings: if event_marking['id'] not in added_markings: bundle_objects.append(event_marking) added_markings.append(event_marking['id']) # Add event elements all_event_elements = \ event_elements['intrusion_sets'] + \ event_elements['malwares'] + \ event_elements['tools'] + \ event_elements['attack_patterns'] for event_element in all_event_elements: if event_element['name'] not in added_object_refs: object_refs.append(event_element) added_object_refs.append(event_element['name']) if event_element['name'] not in added_entities: bundle_objects.append(event_element) added_entities.append(event_element['name']) # Add indicators for indicator in indicators: if indicator['indicator']['id'] not in added_object_refs: object_refs.append(indicator['indicator']) added_object_refs.append(indicator['indicator']['id']) if indicator['indicator']['id'] not in added_entities: bundle_objects.append(indicator['indicator']) added_entities.append(indicator['indicator']['id']) # Add attribute markings for attribute_marking in indicator['markings']: if attribute_marking['id'] not in added_markings: bundle_objects.append(attribute_marking) added_markings.append(attribute_marking['id']) # Add attribute elements all_attribute_elements = \ indicator['attribute_elements']['intrusion_sets'] + \ indicator['attribute_elements']['malwares'] + \ indicator['attribute_elements']['tools'] + \ indicator['attribute_elements']['attack_patterns'] for attribute_element in all_attribute_elements: if attribute_element['name'] not in added_object_refs: object_refs.append(attribute_element) added_object_refs.append(attribute_element['name']) if attribute_element['name'] not in added_entities: bundle_objects.append(attribute_element) added_entities.append(attribute_element['name']) # Add attribute relationships for relationship in indicator['relationships']: object_refs.append(relationship) bundle_objects.append(relationship) # Add object_relationships for object_relationship in objects_relationships: bundle_objects.append(object_relationship) ### Create the report if needed if self.misp_create_report and len(object_refs) > 0: report = Report( name=event['Event']['info'], description=event['Event']['info'], published=parse(event['Event']['date']), created_by_ref=author, object_marking_refs=event_markings, labels=['threat-report'], object_refs=object_refs, external_references=[event_external_reference], custom_properties={ 'x_opencti_report_class': self.misp_report_class, 'x_opencti_object_status': 2 } ) bundle_objects.append(report) bundle = Bundle(objects=bundle_objects).serialize() self.helper.send_stix2_bundle(bundle, None, self.update_existing_data, False)
logging.info("Title: %s" % args.threat_name) logging.info("Description: %s" % args.description) if args.source and args.url: logging.info("Source Name: %s" % args.source) logging.info("Reference: %s" % args.url) if args.output: logging.info(f"Creating new STIX file '{args.output}'") all_ioc = [] for fname in args.infile: with open(fname, "r") as f: all_ioc.extend(f.read().splitlines()) identity = Identity(name=args.author) objects = [identity] malware = Malware(name=args.threat_name, is_family=False, description=args.description) if args.source and args.url: malware_with_ref = malware.new_version( external_references=[{ "source_name": args.source, "url": args.url }]) objects.append(malware_with_ref) else: objects.append(malware)
def process_events(self, events): for event in events: generic_actor = ThreatActor( name='Unknown threats', labels=['threat-actor'], description= 'All unknown threats are represented by this pseudo threat actor. This entity helps to organize knowledge and indicators that could not be attributed to any other threats.' ) added_threats = [] added_markings = [] # Default values author = Identity(name=event['Event']['Orgc']['name'], identity_class='organization') report_threats = self.prepare_threats(event['Event']['Galaxy']) if 'Tag' in event['Event']: report_markings = self.resolve_markings(event['Event']['Tag']) else: report_markings = [] reference_misp = ExternalReference( source_name=self.helper.connect_name, url=self.misp_url + '/events/view/' + event['Event']['uuid']) # Get all attributes indicators = [] for attribute in event['Event']['Attribute']: indicator = self.process_attribute(author, report_threats, attribute, generic_actor) if indicator is not None: indicators.append(indicator) # get all attributes of object for object in event['Event']['Object']: for attribute in object['Attribute']: indicator = self.process_attribute(author, report_threats, attribute, generic_actor) if indicator is not None: indicators.append(indicator) bundle_objects = [author] report_refs = [] for report_marking in report_markings: if report_marking['id'] not in added_markings: bundle_objects.append(report_marking) added_markings.append(report_marking['id']) for report_threat in report_threats: report_refs.append(report_threat) bundle_objects.append(report_threat) added_threats.append(report_threat['name']) for indicator in indicators: report_refs.append(indicator['indicator']) bundle_objects.append(indicator['indicator']) for attribute_threat in indicator['attribute_threats']: if attribute_threat['name'] not in added_threats: report_refs.append(attribute_threat) bundle_objects.append(attribute_threat) added_threats.append(attribute_threat['name']) for marking in indicator['markings']: if marking['id'] not in added_markings: bundle_objects.append(marking) added_markings.append(marking['id']) for relationship in indicator['relationships']: report_refs.append(relationship) bundle_objects.append(relationship) if len(report_refs) > 0: report = Report(name=event['Event']['info'], description=event['Event']['info'], published=parse(event['Event']['date']), created_by_ref=author, object_marking_refs=report_markings, labels=['threat-report'], object_refs=report_refs, external_references=[reference_misp], custom_properties={ 'x_opencti_report_class': 'Threat Report' }) bundle_objects.append(report) bundle = Bundle(objects=bundle_objects).serialize() self.helper.send_stix2_bundle(bundle) if self.misp_untag_event: self.misp.untag(event['Event']['uuid'], self.misp_tag) self.misp.tag(event['Event']['uuid'], self.misp_imported_tag)
def convert(filename, output="output.json"): # Create the default author author = Identity(name="The MITRE Corporation", identity_class="organization") count = 0 with open(filename) as json_file: vulnerabilities_bundle = [author] data = json.load(json_file) for cves in data["CVE_Items"]: count += 1 # Get the name name = cves["cve"]["CVE_data_meta"]["ID"] # Create external references external_reference = ExternalReference( source_name="NIST NVD", url="https://nvd.nist.gov/vuln/detail/" + name) external_references = [external_reference] for reference in cves["cve"]["references"]["reference_data"]: external_reference = ExternalReference( source_name=reference["refsource"], url=reference["url"]) external_references.append(external_reference) # Getting the different fields description = cves["cve"]["description"]["description_data"][0][ "value"] base_score = (cves["impact"]["baseMetricV3"]["cvssV3"]["baseScore"] if "baseMetricV3" in cves["impact"] else None) base_severity = ( cves["impact"]["baseMetricV3"]["cvssV3"]["baseSeverity"] if "baseMetricV3" in cves["impact"] else None) attack_vector = ( cves["impact"]["baseMetricV3"]["cvssV3"]["attackVector"] if "baseMetricV3" in cves["impact"] else None) integrity_impact = ( cves["impact"]["baseMetricV3"]["cvssV3"]["integrityImpact"] if "baseMetricV3" in cves["impact"] else None) availability_impact = ( cves["impact"]["baseMetricV3"]["cvssV3"]["availabilityImpact"] if "baseMetricV3" in cves["impact"] else None) cdate = datetime.datetime.strptime(cves["publishedDate"], "%Y-%m-%dT%H:%MZ") mdate = datetime.datetime.strptime(cves["lastModifiedDate"], "%Y-%m-%dT%H:%MZ") # Creating the vulnerability with the extracted fields vuln = Vulnerability( id=OpenCTIStix2Utils.generate_random_stix_id("vulnerability"), name=name, created=cdate, modified=mdate, description=description, created_by_ref=author, external_references=external_references, custom_properties={ "x_opencti_base_score": base_score, "x_opencti_base_severity": base_severity, "x_opencti_attack_vector": attack_vector, "x_opencti_integrity_impact": integrity_impact, "x_opencti_availability_impact": availability_impact, }, ) # Adding the vulnerability to the list of vulnerabilities vulnerabilities_bundle.append(vuln) # Creating the bundle from the list of vulnerabilities bundle = Bundle(vulnerabilities_bundle) bundle_json = bundle.serialize() # Write to file with open(output, "w") as f: f.write(bundle_json)
def update_list(bundle_id: str, raw_companies_file: str, companies: dict, sectors: dict) -> Bundle: bundles = [] with open(raw_companies_file) as csv_file: csv_dict_reader = DictReader(csv_file, delimiter=',') for row in csv_dict_reader: if row['createdBy'] == "ANSSI": creator = anssi else: creator = row['createdBy'] # has to be a STIX ID entity_id = None entity_creation_date = None if row['name'] in companies: entity_id = companies[row['name']]['id'] entity_creation_date = companies[row['name']]['created'] if row['x_opencti_aliases']: aliases = row['x_opencti_aliases'].split(',') else: aliases = [] if row['other_stix_ids']: stix_ids = row['x_opencti_stix_ids'].split(',') else: stix_ids = [] markings = row['objectMarking'].split(',') company = Identity( id=entity_id, name=row['name'], created=entity_creation_date, description=row['description'], contact_information=row['contact_information'], roles="", # There's no real point for having a role here. Only companies/entities here, no people identity_class='organization', created_by_ref=creator, object_marking_refs=[TLP_WHITE], custom_properties={ 'x_opencti_aliases': aliases, 'x_opencti_organization_type': row['x_opencti_organization_type'], 'x_opencti_stix_ids': stix_ids, } ) bundles.append(company) company_sectors = row['sectors'].split(',') for company_sector in company_sectors: if company_sector == '': print(f"Error: Organization {row['name']} has no Sector assigned!!") return [] relevant_sector = sectors.get(company_sector, None) # search through aliases if relevant_sector is None: for sector_name, sector in sectors.items(): aliases = sector.get('x_opencti_aliases', []) if company_sector in aliases: relevant_sector = sector if relevant_sector is None: print(f"Sector '{company_sector}' for company '{row['name']}' can't be found") continue relationship_id = None relationship_name = f"{company.id}_{relevant_sector['id']}" relationship_creation_date = None if relationship_name in companies: relationship_id = companies[relationship_name]['id'] relationship_creation_date = companies[relationship_name]['created'] sector_relationship = Relationship( id=relationship_id, created=relationship_creation_date, relationship_type='part-of', source_ref=company.id, target_ref=relevant_sector['id'], description=f"Company '{row['name']}' is part of sector '{company_sector}'", confidence=100, created_by_ref=creator, object_marking_refs=[TLP_WHITE], ) bundles.append(sector_relationship) if bundle_id: bundle = Bundle( objects=bundles, id=bundle_id, allow_custom=True ) else: bundle = Bundle( objects=bundles, allow_custom=True ) return bundle
from csv import DictReader from stix2 import Bundle, Identity, Relationship, TLP_WHITE raw_file = '../raw/companies.csv' out_file = '../data/companies.json' sector_file = '../data/sectors.json' geograph_file = '../data/geography.json' anssi = Identity( id='identity--7b82b010-b1c0-4dae-981f-7756374a17df', name="Agence Nationale de la Sécurité des Systèmes d'Information", description="The Agence nationale de la sécurité des systèmes d'information (ANSSI; English: National Cybersecurity Agency of France) is a French service created on 7 July 2009 with responsibility for computer security.", identity_class='organization', object_marking_refs=[TLP_WHITE], custom_properties={ 'x_opencti_aliases': ['ANSSI'], 'x_opencti_organization_type': 'csirt', } ) def get_name_and_ids(in_file: str, classes: list): result_dict = {} bundle_id = "" if not os.path.isfile(in_file): print('No existing STIX file. Starting from scratch') return result_dict, bundle_id
def _create_author() -> Identity: return Identity( name="AlienVault", identity_class="organization", custom_properties={CustomProperties.IDENTITY_TYPE: "organization"}, )