def _get_threat_actor_object(value, description=None, crowd_strike_motivations=[]): # 攻撃者情報作成 organisation_name = OrganisationName(value) party_name = PartyName() party_name.add_organisation_name(organisation_name) identity_specification = STIXCIQIdentity3_0() identity_specification.party_name = party_name identity = CIQIdentity3_0Instance() # ThreatActor ta = ThreatActor() ta.identity = identity ta.identity.specification = identity_specification # Title に抽出した Threat Actor 名前 ta.title = value ta.description = description ta.short_description = description ta.identity = identity # motivations 作成 for crowd_strike_motivation in crowd_strike_motivations: ta_motivation = Statement(crowd_strike_motivation['value']) # motivation 追加 ta.add_motivation(ta_motivation) return ta
def convert_identity(ident20): if ("sectors" in ident20 or "contact_information" in ident20 or "labels" in ident20 or "identity_class" in ident20 or "description" in ident20): ident1x = CIQIdentity3_0Instance() id1x = convert_id20(ident20["id"]) ident1x.id_ = id1x if ident20["identity_class"] != "organization": ident1x.name = ident20["name"] if "labels" in ident20: ident1x.roles = ident20["labels"] if ("sectors" in ident20 or "contact_information" in ident20 or "identity_class" in ident20 or "description" in ident20): ident1x.specification = STIXCIQIdentity3_0() if ident20["identity_class"] == "organization": party_name = PartyName() party_name.add_organisation_name(text_type(ident20["name"])) ident1x.specification.party_name = party_name if "sectors" in ident20: first = True for s in ident20["sectors"]: if first: ident1x.specification.organisation_info = \ OrganisationInfo(text_type(convert_open_vocabs_to_controlled_vocabs(s, SECTORS_MAP, False)[0])) first = False else: warn( "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted", 401, "Identity", "sectors", s) # Identity in 1.x has no description property, use free-text-lines if "identity_class" in ident20: add_missing_property_to_free_text_lines( ident1x.specification, "identity_class", ident20["identity_class"]) # Because there is format defined in the specification for this property, it is difficult to # determine how to convert the information probably found within it to the CIQ fields, so it will be put # in the free_text_lines if "contact_information" in ident20: add_missing_property_to_free_text_lines( ident1x.specification, "contact_information", ident20["contact_information"]) if "description" in ident20: add_missing_property_to_free_text_lines( ident1x.specification, "description", ident20["description"]) else: ident1x = Identity(id_=convert_id20(ident20["id"]), name=ident20["name"]) if "object_marking_refs" in ident20: for m_id in ident20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(ident1x, ms, descendants=True) if "granular_markings" in ident20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, ident20["id"]) return ident1x
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs): """ This utility functions aids in the creation of an AIS marking and appends it to the provided STIX package. Args: stix_package: A stix.core.STIXPackage object. proprietary: True if marking uses IsProprietary, False for NotProprietary. consent: A string with one of the following values: "EVERYONE", "NONE" or "USG". color: A string that corresponds to TLP values: "WHITE", "GREEN" or "AMBER". **kwargs: Six required keyword arguments that are used to create a CIQ identity object. These are: country_name_code, country_name_code_type, admin_area_name_code, admin_area_name_code_type, organisation_name, industry_type. Raises: ValueError: When keyword arguments are missing. User did not supply correct values for: proprietary, color and consent. Note: The following line is required to register the AIS extension:: >>> import stix.extensions.marking.ais Any Markings under STIX Header will be removed. Please follow the guidelines for `AIS`_. The industry_type keyword argument accepts: a list of string based on defined sectors, a pipe-delimited string of sectors, or a single sector. .. _AIS: https://www.us-cert.gov/ais """ from stix.common import InformationSource from stix.extensions.identity.ciq_identity_3_0 import ( CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address, Country, NameElement, OrganisationInfo, AdministrativeArea) from stix.core.stix_header import STIXHeader from stix.data_marking import MarkingSpecification, Marking args = ('country_name_code', 'country_name_code_type', 'industry_type', 'admin_area_name_code', 'admin_area_name_code_type', 'organisation_name') diff = set(args) - set(kwargs.keys()) if diff: msg = 'All keyword arguments must be provided. Missing: {0}' raise ValueError(msg.format(tuple(diff))) party_name = PartyName() party_name.add_organisation_name(kwargs['organisation_name']) country = Country() country_name = NameElement() country_name.name_code = kwargs['country_name_code'] country_name.name_code_type = kwargs['country_name_code_type'] country.add_name_element(country_name) admin_area = AdministrativeArea() admin_area_name = NameElement() admin_area_name.name_code = kwargs['admin_area_name_code'] admin_area_name.name_code_type = kwargs['admin_area_name_code_type'] admin_area.add_name_element(admin_area_name) address = Address() address.country = country address.administrative_area = admin_area org_info = OrganisationInfo() org_info.industry_type = _validate_and_create_industry_type( kwargs['industry_type']) id_spec = STIXCIQIdentity3_0() id_spec.party_name = party_name id_spec.add_address(address) id_spec.organisation_info = org_info identity = CIQIdentity3_0Instance() identity.specification = id_spec if proprietary is True: proprietary_obj = IsProprietary() consent = 'EVERYONE' elif proprietary is False: proprietary_obj = NotProprietary() else: raise ValueError('proprietary expected True or False.') proprietary_obj.ais_consent = AISConsentType(consent=consent) proprietary_obj.tlp_marking = TLPMarkingType(color=color) ais_marking = AISMarkingStructure() if isinstance(proprietary_obj, IsProprietary): ais_marking.is_proprietary = proprietary_obj else: ais_marking.not_proprietary = proprietary_obj marking_spec = MarkingSpecification() marking_spec.controlled_structure = '//node() | //@*' marking_spec.marking_structures.append(ais_marking) marking_spec.information_source = InformationSource() marking_spec.information_source.identity = identity if not stix_package.stix_header: stix_package.stix_header = STIXHeader() # Removes any other Markings if present. stix_package.stix_header.handling = Marking() stix_package.stix_header.handling.add_marking(marking_spec)
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs): """ This utility functions aids in the creation of an AIS marking and appends it to the provided STIX package. Args: stix_package: A stix.core.STIXPackage object. proprietary: True if marking uses IsProprietary, False for NotProprietary. consent: A string with one of the following values: "EVERYONE", "NONE" or "USG". color: A string that corresponds to TLP values: "WHITE", "GREEN" or "AMBER". **kwargs: Six required keyword arguments that are used to create a CIQ identity object. These are: country_name_code, country_name_code_type, admin_area_name_code, admin_area_name_code_type, organisation_name, industry_type. Raises: ValueError: When keyword arguments are missing. User did not supply correct values for: proprietary, color and consent. Note: The following line is required to register the AIS extension:: >>> import stix.extensions.marking.ais Any Markings under STIX Header will be removed. Please follow the guidelines for `AIS`_. The industry_type keyword argument accepts: a list of string based on defined sectors, a pipe-delimited string of sectors, or a single sector. .. _AIS: https://www.us-cert.gov/ais """ from stix.common import InformationSource from stix.extensions.identity.ciq_identity_3_0 import ( CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address, Country, NameElement, OrganisationInfo, AdministrativeArea) from stix.core.stix_header import STIXHeader from stix.data_marking import MarkingSpecification, Marking args = ('country_name_code', 'country_name_code_type', 'industry_type', 'admin_area_name_code', 'admin_area_name_code_type', 'organisation_name') diff = set(args) - set(kwargs.keys()) if diff: msg = 'All keyword arguments must be provided. Missing: {0}' raise ValueError(msg.format(tuple(diff))) party_name = PartyName() party_name.add_organisation_name(kwargs['organisation_name']) country = Country() country_name = NameElement() country_name.name_code = kwargs['country_name_code'] country_name.name_code_type = kwargs['country_name_code_type'] country.add_name_element(country_name) admin_area = AdministrativeArea() admin_area_name = NameElement() admin_area_name.name_code = kwargs['admin_area_name_code'] admin_area_name.name_code_type = kwargs['admin_area_name_code_type'] admin_area.add_name_element(admin_area_name) address = Address() address.country = country address.administrative_area = admin_area org_info = OrganisationInfo() org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type']) id_spec = STIXCIQIdentity3_0() id_spec.party_name = party_name id_spec.add_address(address) id_spec.organisation_info = org_info identity = CIQIdentity3_0Instance() identity.specification = id_spec if proprietary is True: proprietary_obj = IsProprietary() consent = 'EVERYONE' elif proprietary is False: proprietary_obj = NotProprietary() else: raise ValueError('proprietary expected True or False.') proprietary_obj.ais_consent = AISConsentType(consent=consent) proprietary_obj.tlp_marking = TLPMarkingType(color=color) ais_marking = AISMarkingStructure() if isinstance(proprietary_obj, IsProprietary): ais_marking.is_proprietary = proprietary_obj else: ais_marking.not_proprietary = proprietary_obj marking_spec = MarkingSpecification() marking_spec.controlled_structure = '//node() | //@*' marking_spec.marking_structures.append(ais_marking) marking_spec.information_source = InformationSource() marking_spec.information_source.identity = identity if not stix_package.stix_header: stix_package.stix_header = STIXHeader() # Removes any other Markings if present. stix_package.stix_header.handling = Marking() stix_package.stix_header.handling.add_marking(marking_spec)
# identity.name = 'Bob Ricca' identity_spec = STIXCIQIdentity3_0() identity_spec.add_address(Address(country='Germany')) identity_spec.add_address(Address(country='United States')) identity_spec.add_language('German') identity_spec.add_language('English') identity_spec.add_nationality('American') identity_spec.add_contact_number('727-867-5309') identity_spec.add_electronic_address_identifier('bricca') identity_spec.add_electronic_address_identifier( ElectronicAddressIdentifier(value='*****@*****.**', type_='Email')) party_name = PartyName() party_name.add_person_name('Bob Ricca') party_name.add_person_name('Robert Ricca') party_name.add_organisation_name('ThreatQuotient') identity_spec.party_name = party_name organization = OrganisationInfo(industry_type='Cybersecurity') identity_spec.organisation_info = organization identity.specification = identity_spec victim_targeting.identity = identity domain2 = DomainName() domain2.value = 'www.bobricca.com' observable2 = Observable(domain2) victim_targeting.targeted_technical_details = Observables( Observable(idref=observable2.id_)) ttp2.victim_targeting = victim_targeting ttp2.related_ttps.append(related_ttp) # Related TTP (Exploit; by id)