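def _get_threat_actor_object(value, description=None, crowd_strike_motivations=None):
    """Build a STIX 1.x ThreatActor whose CIQ identity is the organisation *value*.

    Args:
        value: Threat actor name; used both as the CIQ organisation name and as
            the ThreatActor title.
        description: Optional text copied into ``description`` and
            ``short_description``.
        crowd_strike_motivations: Optional iterable of dicts whose ``'value'``
            entry becomes a motivation Statement. ``None`` (the default) means
            no motivations; a shared mutable ``[]`` default is deliberately
            avoided.

    Returns:
        The populated ``ThreatActor``.
    """
    # CIQ identity: organisation name -> party name -> identity specification.
    organisation_name = OrganisationName(value)
    party_name = PartyName()
    party_name.add_organisation_name(organisation_name)
    identity_specification = STIXCIQIdentity3_0()
    identity_specification.party_name = party_name
    identity = CIQIdentity3_0Instance()
    identity.specification = identity_specification

    ta = ThreatActor()
    # The extracted threat actor name doubles as the title.
    ta.title = value
    ta.description = description
    ta.short_description = description
    ta.identity = identity

    # Each CrowdStrike motivation entry is attached as a Statement.
    for crowd_strike_motivation in crowd_strike_motivations or ():
        ta.add_motivation(Statement(crowd_strike_motivation['value']))
    return ta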
def resolveIdentityAttribute(incident, attribute, namespace):
    """Attach a MISP ``target-*`` attribute to *incident* as a CIQ victim identity.

    The attribute's ``type`` selects which CIQ field receives its ``value``;
    any other type yields a victim with an empty specification. ``namespace``
    is accepted but not used: the identity id is always built under the
    ``example`` prefix.

    Args:
        incident: STIX Incident that receives the victim.
        attribute: MISP attribute dict with ``type``, ``value``, ``uuid`` and ``id``.
        namespace: Unused.

    Returns:
        The same *incident*, with the new victim added.
    """
    victim = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()
    kind = attribute["type"]
    val = attribute["value"]

    if kind == 'target-user':
        spec.party_name = PartyName(person_names=[val])
    elif kind == 'target-external':
        # A target-external may be a person or an organisation; per
        # http://docs.oasis-open.org/ciq/v3.0/prd03/specs/ciq-specs-v3-prd3.html#_Toc207716018
        # a free-form NameLine is the fitting CIQ element.
        spec.party_name = PartyName(name_lines=["External target: " + val])
    elif kind == 'target-org':
        spec.party_name = PartyName(organisation_names=[val])
    elif kind == 'target-location':
        spec.add_address(Address(FreeTextAddress(address_lines=[val])))
    elif kind == 'target-email':
        spec.add_electronic_address_identifier(ElectronicAddressIdentifier(value=val))

    victim.specification = spec
    victim.id_ = "example:Identity-" + attribute["uuid"]
    # Display name embeds type, raw value and MISP id -- whether that is a good
    # idea is an open question.
    victim.name = kind + ": " + val + " (MISP Attribute #" + attribute["id"] + ")"
    incident.add_victim(victim)
    return incident
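def convert_identity(ident20):
    """Convert a STIX 2.0 Identity (dict) into a STIX 1.x Identity object.

    A ``CIQIdentity3_0Instance`` is produced when the 2.0 object carries any of
    ``sectors``, ``contact_information``, ``labels``, ``identity_class`` or
    ``description``; otherwise a plain ``Identity`` with only id and name is
    returned. Object markings are attached through ``CONTAINER``; granular
    markings are not supported and are reported as error 604.

    Args:
        ident20: STIX 2.0 Identity as a dict; ``id`` and ``name`` are required.

    Returns:
        The 1.x ``Identity`` (a ``CIQIdentity3_0Instance`` in the rich case).
    """
    ciq_keys = ("sectors", "contact_information", "identity_class", "description")
    needs_ciq = "labels" in ident20 or any(k in ident20 for k in ciq_keys)

    if needs_ciq:
        ident1x = CIQIdentity3_0Instance()
        ident1x.id_ = convert_id20(ident20["id"])
        # .get(): identity_class is required by the 2.0 spec, but a missing key
        # used to raise KeyError here although it is guarded further down.
        identity_class = ident20.get("identity_class")
        if identity_class != "organization":
            ident1x.name = ident20["name"]
        if "labels" in ident20:
            ident1x.roles = ident20["labels"]

        if any(k in ident20 for k in ciq_keys):
            spec = STIXCIQIdentity3_0()
            ident1x.specification = spec
            if identity_class == "organization":
                # Organisations are named through the CIQ party name instead of Identity.name.
                party_name = PartyName()
                party_name.add_organisation_name(text_type(ident20["name"]))
                spec.party_name = party_name
            if "sectors" in ident20:
                # STIX 1.x holds a single industry type: keep the first sector, warn about the rest.
                for index, sector in enumerate(ident20["sectors"]):
                    if index == 0:
                        spec.organisation_info = OrganisationInfo(
                            text_type(convert_open_vocabs_to_controlled_vocabs(sector, SECTORS_MAP, False)[0]))
                    else:
                        warn("%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                             401, "Identity", "sectors", sector)
            # Identity in 1.x has no description property, use free-text-lines
            if "identity_class" in ident20:
                add_missing_property_to_free_text_lines(spec, "identity_class", ident20["identity_class"])
            # Because no format is defined in the specification for this property, it is
            # difficult to determine how to map its contents onto the CIQ fields, so it is
            # put in the free_text_lines
            if "contact_information" in ident20:
                add_missing_property_to_free_text_lines(spec, "contact_information", ident20["contact_information"])
            if "description" in ident20:
                add_missing_property_to_free_text_lines(spec, "description", ident20["description"])
    else:
        ident1x = Identity(id_=convert_id20(ident20["id"]), name=ident20["name"])

    if "object_marking_refs" in ident20:
        for m_id in ident20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ident1x, ms, descendants=True)
    if "granular_markings" in ident20:
        error("Granular Markings present in '%s' are not supported by stix2slider", 604, ident20["id"])
    return ident1x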
def add_analyst_item(analyst_item, incident):
    """Record *analyst_item* as the reporter of *incident*.

    A CIQ identity is always attached to the reporter's InformationSource; its
    party name receives a single free-form name line only when *analyst_item*
    is truthy.
    """
    reporter = InformationSource()
    reporter_identity = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()
    reporter_identity.specification = spec

    if analyst_item:
        names = PartyName()
        names.add_name_line(analyst_item)
        spec.party_name = names

    reporter.identity = reporter_identity
    incident.reporter = reporter
def main():
    """Print a STIX package holding one file-hash indicator with a CIQ producer identity."""
    # Observable: a file known only by its hash.
    hashed_file = File()
    hashed_file.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    # Plain-string producer first; replaced below by a full CIQ identity.
    indicator.set_producer_identity("The MITRE Corporation")
    indicator.set_produced_time(datetime.now(tzutc()))
    indicator.add_object(hashed_file)

    names = PartyName(
        name_lines=["Foo", "Bar"],
        person_names=["John Smith", "Jill Smith"],
        organisation_names=["Foo Inc.", "Bar Corp."],
    )
    spec = STIXCIQIdentity3_0(party_name=names)
    spec.add_electronic_address_identifier("*****@*****.**")
    spec.add_free_text_line("Demonstrating Free Text!")
    for number in ("555-555-5555", "555-555-5556"):
        spec.add_contact_number(number)
    indicator.set_producer_identity(CIQIdentity3_0Instance(specification=spec))

    header = STIXHeader()
    header.description = "Example 05"
    package = STIXPackage()
    package.stix_header = header
    package.add_indicator(indicator)
    print(package.to_xml())
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a STIXCIQIdentity3_0 from its dictionary representation.

    Args:
        dict_repr: Mapping as produced by ``to_dict``; a falsy value yields ``None``.
        return_obj: Existing instance to fill in; a fresh ``cls()`` when omitted.

    Returns:
        The populated object, or ``None`` when *dict_repr* is empty.
    """
    if not dict_repr:
        return None
    obj = return_obj or cls()

    # Single-valued CIQ children.
    obj.party_name = PartyName.from_dict(dict_repr.get('party_name'))
    obj.organisation_info = OrganisationInfo.from_dict(dict_repr.get('organisation_info'))

    # List-valued children; each dict key is also the attribute name.
    list_fields = (
        ('languages', Language),
        ('addresses', Address),
        ('electronic_address_identifiers', ElectronicAddressIdentifier),
        ('free_text_lines', FreeTextLine),
        ('contact_numbers', ContactNumber),
    )
    for key, entity in list_fields:
        setattr(obj, key, [entity.from_dict(x) for x in dict_repr.get(key, [])])

    return obj
def main():
    """Print a STIX package holding one ThreatActor described by a CIQ identity."""
    # Two organisation names: the common one and an unofficial one.
    names = PartyName()
    names.add_organisation_name(OrganisationName("Disco Team", type_="CommonUse"))
    names.add_organisation_name(OrganisationName("Equipo del Discoteca", type_="UnofficialName"))

    # Location: country plus administrative area.
    location = Address()
    location.country = Country()
    location.country.add_name_element("United States")
    location.administrative_area = AdministrativeArea()
    location.administrative_area.add_name_element("California")

    spec = STIXCIQIdentity3_0()
    spec.party_name = names
    spec.add_language("Spanish")
    spec.add_address(location)
    for handle in ("*****@*****.**", "facebook.com/thediscoteam", "twitter.com/realdiscoteam"):
        spec.add_electronic_address_identifier(handle)

    actor = ThreatActor()
    actor.title = "Disco Team Threat Actor Group"
    actor.identity = CIQIdentity3_0Instance()
    actor.identity.specification = spec

    package = STIXPackage()
    package.add_threat_actor(actor)
    print(package.to_xml(encoding=None))
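def resolve_identity_attribute(incident, attribute):
    """Add a MISP ``target-*`` attribute to *incident* as a CIQ victim identity.

    The attribute type selects the CIQ field that receives the value; types
    other than the five handled here produce a victim with an empty
    specification. The identity id is prefixed with the second element of the
    module-level ``namespace``.

    Args:
        incident: STIX Incident to which the victim is added.
        attribute: MISP attribute exposing ``type``, ``value``, ``uuid`` and ``id``.
    """
    attribute_type = attribute.type
    ciq_identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()
    # The branches are mutually exclusive, so they form one elif chain
    # (the second test used to be a separate `if`).
    if attribute_type == "target-user":
        identity_spec.party_name = PartyName(person_names=[attribute.value])
    elif attribute_type == "target-external":
        # A target-external may be a person or an organisation; per
        # http://docs.oasis-open.org/ciq/v3.0/prd03/specs/ciq-specs-v3-prd3.html#_Toc207716018
        # a free-form NameLine is used.
        identity_spec.party_name = PartyName(name_lines=["External target: {}".format(attribute.value)])
    elif attribute_type == 'target-org':
        identity_spec.party_name = PartyName(organisation_names=[attribute.value])
    elif attribute_type == 'target-location':
        identity_spec.add_address(ciq_Address(FreeTextAddress(address_lines=[attribute.value])))
    elif attribute_type == 'target-email':
        identity_spec.add_electronic_address_identifier(ElectronicAddressIdentifier(value=attribute.value))

    ciq_identity.specification = identity_spec
    ciq_identity.id_ = "{}:Identity-{}".format(namespace[1], attribute.uuid)
    # Display name embeds type, raw value and MISP id -- is this a good idea?
    ciq_identity.name = "{}: {} (MISP Attribute #{})".format(attribute_type, attribute.value, attribute.id)
    incident.add_victim(ciq_identity)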
def add_victim_item(victim_item, incident):
    """Translate a 'victim' item into a CIQ victim identity on *incident*.

    Roles come from the module-level ``targets_item``. Each entry of the
    required ``country`` list becomes an Address, with the optional ``state``
    as its administrative area. ``employee_count``, ``industry`` and
    ``revenue`` are recognised but only produce a warning. ``victim_id``, when
    present, is stored as a party-name NameLine.
    """
    global targets_item

    spec = STIXCIQIdentity3_0()
    victim = CIQIdentity3_0Instance()
    victim.specification = spec

    for role in targets_item or ():
        victim.add_role(role)

    countries = victim_item.get('country')
    if not countries:
        error("Required 'country' item is missing in 'victim' item")
    else:
        state = victim_item.get('state')
        for country_name in countries:
            address = Address()
            address.country = Country()
            address.country.add_name_element(country_name)
            if state:
                address.administrative_area = AdministrativeArea()
                address.administrative_area.add_name_element(state)
            spec.add_address(address)

    # no organisationInfo details - https://github.com/STIXProject/python-stix/issues/108
    if victim_item.get("employee_count"):
        warn("'victim/employee_count' item not handled, yet")
    if victim_item.get("industry"):
        warn("'victim/industry' item not handled, yet")
    if victim_item.get("revenue"):
        warn("'victim/revenue' item not handled, yet")

    victim_id = victim_item.get('victim_id')
    if victim_id:
        names = PartyName()
        # An id may be a poor fit for a name, but it is the only handle available.
        names.add_name_line(victim_id)
        spec.party_name = names

    incident.add_victim(victim)
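def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
    """
    This utility function aids in the creation of an AIS marking and appends
    it to the provided STIX package.

    Args:
        stix_package: A stix.core.STIXPackage object.
        proprietary: True if marking uses IsProprietary, False for NotProprietary.
        consent: A string with one of the following values: "EVERYONE", "NONE"
            or "USG". Ignored when ``proprietary`` is True: proprietary
            submissions are always marked with "EVERYONE" consent.
        color: A string that corresponds to TLP values: "WHITE", "GREEN" or
            "AMBER".
        **kwargs: Six required keyword arguments that are used to create a CIQ
            identity object. These are: country_name_code,
            country_name_code_type, admin_area_name_code,
            admin_area_name_code_type, organisation_name, industry_type.

    Raises:
        ValueError: When keyword arguments are missing (the message lists them
            in sorted order). User did not supply correct values for:
            proprietary, color and consent.

    Note:
        The following line is required to register the AIS extension::

            >>> import stix.extensions.marking.ais

        Any Markings under STIX Header will be removed. Please follow the
        guidelines for `AIS`_.

        The industry_type keyword argument accepts: a list of string based on
        defined sectors, a pipe-delimited string of sectors, or a single
        sector.

    .. _AIS: https://www.us-cert.gov/ais
    """
    # Validate the keyword arguments before anything else, so a bad call fails
    # with ValueError even if the stix classes below cannot be imported.
    args = ('country_name_code', 'country_name_code_type', 'industry_type',
            'admin_area_name_code', 'admin_area_name_code_type',
            'organisation_name')
    diff = set(args) - set(kwargs.keys())
    if diff:
        # Sorted so the message is deterministic across runs.
        msg = 'All keyword arguments must be provided. Missing: {0}'
        raise ValueError(msg.format(tuple(sorted(diff))))

    # Kept as function-local imports, as in the original (presumably to avoid
    # an import cycle with the rest of the stix package).
    from stix.common import InformationSource
    from stix.extensions.identity.ciq_identity_3_0 import (
        CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
        Country, NameElement, OrganisationInfo, AdministrativeArea)
    from stix.core.stix_header import STIXHeader
    from stix.data_marking import MarkingSpecification, Marking

    party_name = PartyName()
    party_name.add_organisation_name(kwargs['organisation_name'])

    # Country and administrative area are given as coded name elements.
    country = Country()
    country_name = NameElement()
    country_name.name_code = kwargs['country_name_code']
    country_name.name_code_type = kwargs['country_name_code_type']
    country.add_name_element(country_name)

    admin_area = AdministrativeArea()
    admin_area_name = NameElement()
    admin_area_name.name_code = kwargs['admin_area_name_code']
    admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
    admin_area.add_name_element(admin_area_name)

    address = Address()
    address.country = country
    address.administrative_area = admin_area

    org_info = OrganisationInfo()
    org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type'])

    id_spec = STIXCIQIdentity3_0()
    id_spec.party_name = party_name
    id_spec.add_address(address)
    id_spec.organisation_info = org_info

    identity = CIQIdentity3_0Instance()
    identity.specification = id_spec

    if proprietary is True:
        proprietary_obj = IsProprietary()
        # Proprietary submissions always carry EVERYONE consent (the AIS schema
        # fixes it), so the caller's consent value is overridden here.
        consent = 'EVERYONE'
    elif proprietary is False:
        proprietary_obj = NotProprietary()
    else:
        raise ValueError('proprietary expected True or False.')

    # Any checking of the consent/color strings is left to these types.
    proprietary_obj.ais_consent = AISConsentType(consent=consent)
    proprietary_obj.tlp_marking = TLPMarkingType(color=color)

    ais_marking = AISMarkingStructure()
    if isinstance(proprietary_obj, IsProprietary):
        ais_marking.is_proprietary = proprietary_obj
    else:
        ais_marking.not_proprietary = proprietary_obj

    marking_spec = MarkingSpecification()
    # XPath selecting every node and attribute: the marking covers the whole package.
    marking_spec.controlled_structure = '//node() | //@*'
    marking_spec.marking_structures.append(ais_marking)
    marking_spec.information_source = InformationSource()
    marking_spec.information_source.identity = identity

    if not stix_package.stix_header:
        stix_package.stix_header = STIXHeader()

    # Removes any other Markings if present.
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking_spec)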
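def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
    """
    This utility function aids in the creation of an AIS marking and appends
    it to the provided STIX package.

    Args:
        stix_package: A stix.core.STIXPackage object.
        proprietary: True if marking uses IsProprietary, False for NotProprietary.
        consent: A string with one of the following values: "EVERYONE", "NONE"
            or "USG". Ignored when ``proprietary`` is True: proprietary
            submissions are always marked with "EVERYONE" consent.
        color: A string that corresponds to TLP values: "WHITE", "GREEN" or
            "AMBER".
        **kwargs: Six required keyword arguments that are used to create a CIQ
            identity object. These are: country_name_code,
            country_name_code_type, admin_area_name_code,
            admin_area_name_code_type, organisation_name, industry_type.

    Raises:
        ValueError: When keyword arguments are missing (the message lists them
            in sorted order). User did not supply correct values for:
            proprietary, color and consent.

    Note:
        The following line is required to register the AIS extension::

            >>> import stix.extensions.marking.ais

        Any Markings under STIX Header will be removed. Please follow the
        guidelines for `AIS`_.

        The industry_type keyword argument accepts: a list of string based on
        defined sectors, a pipe-delimited string of sectors, or a single
        sector.

    .. _AIS: https://www.us-cert.gov/ais
    """
    # Validate the keyword arguments before anything else, so a bad call fails
    # with ValueError even if the stix classes below cannot be imported.
    args = ('country_name_code', 'country_name_code_type', 'industry_type',
            'admin_area_name_code', 'admin_area_name_code_type',
            'organisation_name')
    diff = set(args) - set(kwargs.keys())
    if diff:
        # Sorted so the message is deterministic across runs.
        msg = 'All keyword arguments must be provided. Missing: {0}'
        raise ValueError(msg.format(tuple(sorted(diff))))

    # Kept as function-local imports, as in the original (presumably to avoid
    # an import cycle with the rest of the stix package).
    from stix.common import InformationSource
    from stix.extensions.identity.ciq_identity_3_0 import (
        CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
        Country, NameElement, OrganisationInfo, AdministrativeArea)
    from stix.core.stix_header import STIXHeader
    from stix.data_marking import MarkingSpecification, Marking

    party_name = PartyName()
    party_name.add_organisation_name(kwargs['organisation_name'])

    # Country and administrative area are given as coded name elements.
    country = Country()
    country_name = NameElement()
    country_name.name_code = kwargs['country_name_code']
    country_name.name_code_type = kwargs['country_name_code_type']
    country.add_name_element(country_name)

    admin_area = AdministrativeArea()
    admin_area_name = NameElement()
    admin_area_name.name_code = kwargs['admin_area_name_code']
    admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
    admin_area.add_name_element(admin_area_name)

    address = Address()
    address.country = country
    address.administrative_area = admin_area

    org_info = OrganisationInfo()
    org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type'])

    id_spec = STIXCIQIdentity3_0()
    id_spec.party_name = party_name
    id_spec.add_address(address)
    id_spec.organisation_info = org_info

    identity = CIQIdentity3_0Instance()
    identity.specification = id_spec

    if proprietary is True:
        proprietary_obj = IsProprietary()
        # Proprietary submissions always carry EVERYONE consent (the AIS schema
        # fixes it), so the caller's consent value is overridden here.
        consent = 'EVERYONE'
    elif proprietary is False:
        proprietary_obj = NotProprietary()
    else:
        raise ValueError('proprietary expected True or False.')

    # Any checking of the consent/color strings is left to these types.
    proprietary_obj.ais_consent = AISConsentType(consent=consent)
    proprietary_obj.tlp_marking = TLPMarkingType(color=color)

    ais_marking = AISMarkingStructure()
    if isinstance(proprietary_obj, IsProprietary):
        ais_marking.is_proprietary = proprietary_obj
    else:
        ais_marking.not_proprietary = proprietary_obj

    marking_spec = MarkingSpecification()
    # XPath selecting every node and attribute: the marking covers the whole package.
    marking_spec.controlled_structure = '//node() | //@*'
    marking_spec.marking_structures.append(ais_marking)
    marking_spec.information_source = InformationSource()
    marking_spec.information_source.identity = identity

    if not stix_package.stix_header:
        stix_package.stix_header = STIXHeader()

    # Removes any other Markings if present.
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking_spec)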
InformationType('Information Assets - User Credentials')) identity = CIQIdentity3_0Instance() # identity.name = 'Bob Ricca' identity_spec = STIXCIQIdentity3_0() identity_spec.add_address(Address(country='Germany')) identity_spec.add_address(Address(country='United States')) identity_spec.add_language('German') identity_spec.add_language('English') identity_spec.add_nationality('American') identity_spec.add_contact_number('727-867-5309') identity_spec.add_electronic_address_identifier('bricca') identity_spec.add_electronic_address_identifier( ElectronicAddressIdentifier(value='*****@*****.**', type_='Email')) party_name = PartyName() party_name.add_person_name('Bob Ricca') party_name.add_person_name('Robert Ricca') party_name.add_organisation_name('ThreatQuotient') identity_spec.party_name = party_name organization = OrganisationInfo(industry_type='Cybersecurity') identity_spec.organisation_info = organization identity.specification = identity_spec victim_targeting.identity = identity domain2 = DomainName() domain2.value = 'www.bobricca.com' observable2 = Observable(domain2) victim_targeting.targeted_technical_details = Observables( Observable(idref=observable2.id_)) ttp2.victim_targeting = victim_targeting