def produce(self, tc_data: Union[list, dict], **kwargs):
    """Yield STIX 2.1 ``URL`` observables built from a TC API response.

    .. code:: json

        {
          "type": "url",
          "spec_version": "2.1",
          "id": "url--c1477287-23ac-5971-a010-5c287877fa60",
          "value": "https://example.com/research/index.html"
        }

    Parameters
    ----------
    tc_data : list or dict
        Raw TC API payload; a list of records or a single record.
    **kwargs
        Accepted for interface compatibility; not read here.

    Yields
    ------
    URL
        One STIX ``URL`` object per mapped record.
    """
    # A non-empty list whose first record carries "summary" is read from that
    # field; any other shape (including a single dict) is read from "text".
    first_has_summary = (
        isinstance(tc_data, list)
        and len(tc_data) > 0
        and 'summary' in tc_data[0]
    )
    source_field = 'summary' if first_has_summary else 'text'

    # NOTE(review): the URL value is passed through unmodified — no
    # validation or defanging happens here; confirm that is done upstream.
    mapper = {
        'id': '@.id',
        'value': f'@.{source_field}',
        'spec_version': '2.1',
        'type': 'url',
    }
    for mapped in self._map(tc_data, mapper):
        yield URL(**mapped)
def create_observable_url(properties: ObservableProperties) -> URL:
    """Build a STIX ``URL`` observable from *properties*.

    Parameters
    ----------
    properties : ObservableProperties
        Carries the URL ``value``, its ``object_markings`` and whatever
        ``_get_custom_properties`` derives from it.

    Returns
    -------
    URL
        The observable, with markings and custom properties attached.
    """
    extra_properties = _get_custom_properties(properties)
    return URL(
        value=properties.value,
        object_marking_refs=properties.object_markings,
        custom_properties=extra_properties,
    )
def _process_indicator(self, indicator: Indicator) -> list[_Observable]:
    """Turn one article indicator into STIX observables, keyed on its type.

    Parameters
    ----------
    indicator : Indicator
        One indicator from an article. Reads ``"type"``, ``"values"`` and
        ``"source"``.

    Returns
    -------
    list of _Observable
        One observable per value; empty when the type is unsupported
        (a warning is logged in that case) or when ``values`` is empty.
    """
    kind = indicator["type"]
    values = indicator["values"]

    # Only an explicitly "public" source gets TLP:WHITE; anything else is
    # treated as restricted (TLP:AMBER), so unknown sources fail closed.
    marking = TLP_WHITE if indicator["source"] == "public" else TLP_AMBER

    def hashed_file(algorithm):
        return lambda v: File(
            type="file", hashes={algorithm: v}, object_marking_refs=marking
        )

    def cert_with(field):
        return lambda v: X509Certificate(
            type="x509-certificate", object_marking_refs=marking, **{field: v}
        )

    builders = {
        "hash_md5": hashed_file("MD5"),
        "hash_sha1": hashed_file("SHA-1"),
        "sha1": hashed_file("SHA-1"),
        "sha256": hashed_file("SHA-256"),
        "hash_sha256": hashed_file("SHA-256"),
        "domain": lambda v: DomainName(
            type="domain-name", value=v, object_marking_refs=marking
        ),
        "email": lambda v: EmailAddress(
            type="email-addr", value=v, object_marking_refs=marking
        ),
        "emails": lambda v: EmailAddress(
            type="email-addr", value=v, object_marking_refs=marking
        ),
        # A path is stored in File.name as-is, same as a bare filename.
        "filename": lambda v: File(type="file", name=v, object_marking_refs=marking),
        "filepath": lambda v: File(type="file", name=v, object_marking_refs=marking),
        # NOTE(review): every "ip" value becomes an ipv4-addr; there is no
        # IPv6 branch, so confirm the feed never emits v6 addresses here.
        "ip": lambda v: IPv4Address(
            type="ipv4-addr", value=v, object_marking_refs=marking
        ),
        # "proces_mutex" (sic) is accepted alongside the correctly spelled
        # keys — presumably matching the upstream feed's spelling; keep it.
        "proces_mutex": lambda v: Mutex(type="mutex", name=v, object_marking_refs=marking),
        "process_mutex": lambda v: Mutex(type="mutex", name=v, object_marking_refs=marking),
        "mutex": lambda v: Mutex(type="mutex", name=v, object_marking_refs=marking),
        # URLs are emitted live (defanged=False); the value is not rewritten.
        "url": lambda v: URL(
            type="url", value=v, object_marking_refs=marking, defanged=False
        ),
        "certificate_sha1": lambda v: X509Certificate(
            type="x509-certificate",
            hashes={"SHA-1": v},
            object_marking_refs=marking,
        ),
        "certificate_issuerorganizationname": cert_with("issuer"),
        "certificate_issuercommonname": cert_with("issuer"),
        "certificate_subjectorganizationname": cert_with("subject"),
        "certificate_subjectcountry": cert_with("subject"),
        "certificate_subjectcommonname": cert_with("subject"),
        "certificate_serialnumber": cert_with("serial_number"),
        "code_certificate_serial": cert_with("serial_number"),
    }

    build = builders.get(kind)
    if build is None:
        self.helper.log_warning(
            f"[RiskIQ] indicator with key {kind} not supported. (Values: {values})"
        )
        return []
    return [build(v) for v in values]