def setDates(incident, date, published): timestamp=getDateFromTimestamp(published) incident.timestamp=timestamp incident_time = Time() incident_time.incident_discovery = convertToStixDate(date) incident_time.incident_reported = timestamp incident.time = incident_time
def setDates(incident, date, published): timestamp = getDateFromTimestamp(published) incident.timestamp = timestamp incident_time = Time() incident_time.incident_discovery = convertToStixDate(date) incident_time.incident_reported = timestamp incident.time = incident_time
def set_dates(self, incident, date, published): timestamp = published incident.timestamp = timestamp incident_time = Time() incident_time.incident_discovery = self.convert_to_stix_date(date) incident_time.incident_reported = timestamp incident.time = incident_time
def add_timeline_item(timeline_item, incident): incident_time_item = timeline_item.get('incident') if not incident_time_item: error("Required 'incident' item is missing in 'timeline' item, skipping item") return None incident_date_time = convert_time_item_to_datetime(incident_time_item) if not incident_date_time: return None complete = 0 time = Time() time.initial_compromise = incident_date_time complete += 1 compromise_item = timeline_item.get('compromise') if compromise_item: dt = convert_value_unit_to_datetime(compromise_item, incident_date_time, 'compromise') if dt: complete += 1 time.first_malicious_action = dt discovery_item = timeline_item.get('discovery') containment_item = timeline_item.get('containment') if discovery_item: dt = convert_value_unit_to_datetime(discovery_item, incident_date_time, 'discovery') if dt: complete += 1 time.incident_discovery = dt exfiltration_item = timeline_item.get('exfiltration') if exfiltration_item: dt = convert_value_unit_to_datetime(exfiltration_item, incident_date_time, 'exfiltration') if dt: complete += 1 time.first_data_exfiltration = dt # according to Kevin Thompson (Verizon), containment starts at discovery. Use others if it isn't available if containment_item: if time.incident_discovery: timePoint = time.incident_discovery elif time.first_data_exfiltration: timePoint = time.first_data_exfiltration warn("the 'containment' item is specified in the 'timeline' item, but the 'discovery' item is missing or not usable. Using the exfiltration datetime") else: timePoint = incident_date_time warn("the 'containment' item is specified in the 'timeline' item, but the 'discovery' and 'exfitration' items are missing or not usable. Using the incident datetime") dt = convert_value_unit_to_datetime(containment_item, timePoint, 'containment') if dt: complete += 1 time.containment_achieved = dt incident.time = time if complete > 3: error("Found a possible good timeline")
from stix.ttp.behavior import AttackPattern from stix.coa import CourseOfAction fake = Faker() # Basics incident = Incident(title='We got hacked') incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.' # Dates/Times t1 = '2018-08-23T14:00:05.470947+00:00' t2 = '2018-08-22T14:00:05.470947+00:00' t3 = '2018-08-24T14:00:05.470947+00:00' t = Time() t.incident_opened = t1 t.incident_discovery = t1 t.incident_reported = t1 t.first_malicious_action = t2 t.initial_compromise = t2 t.first_data_exfiltration = t2 t.containment_achieved = t3 t.restoration_achieved = t3 t.incident_closed = t3 incident.time = t # Additional Attributes incident.add_category('Unauthorized Access') incident.add_intended_effect('Destruction') incident.confidence = 'High' incident.add_discovery_method('NIDS')