def _generate_stix_bundle(self, country, city, observable_id):
# Generate stix bundle
country_identity = Identity(
name=country.name,
identity_class='group',
custom_properties={
'x_opencti_identity_type': 'country',
'x_opencti_alias': [country.official_name],
}
)
city_identity = Identity(
name=city,
identity_class='group',
custom_properties={
'x_opencti_identity_type': 'city'
}
)
city_to_country = Relationship(
relationship_type='localization',
source_ref=city_identity.id,
target_ref=country_identity.id,
)
observable_to_city = Relationship(
relationship_type='localization',
source_ref=observable_id,
target_ref=city_identity.id,
custom_properties={
'x_opencti_weight': self.helper.connect_confidence_level
}
)
return Bundle(objects=[country_identity, city_identity,
city_to_country, observable_to_city]).serialize()
def rel_fs_store():
cam = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
idy = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
ind = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
mal = Malware(id=MALWARE_ID, **MALWARE_KWARGS)
rel1 = Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0])
rel2 = Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1])
rel3 = Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2])
stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3]
fs = FileSystemStore(FS_PATH)
for o in stix_objs:
fs.add(o)
yield fs
for o in stix_objs:
filepath = os.path.join(FS_PATH, o.type, o.id,
_timestamp2filename(o.modified) + '.json')
# Some test-scoped fixtures (e.g. fs_store) delete all campaigns, so by
# the time this module-scoped fixture tears itself down, it may find
# its campaigns already gone, which causes not-found errors.
try:
os.remove(filepath)
except OSError as e:
# 3 is the ERROR_PATH_NOT_FOUND windows error code. Which has an
# errno symbolic value, but not the windows meaning...
if e.errno in (errno.ENOENT, 3):
continue
raise
def create_sector(name: str, author: Identity) -> Identity:
"""Create a sector."""
return Identity(
created_by_ref=author,
name=name,
identity_class="class",
)
def stix_identity(self):
id = Identity(
name="Misinfosec Project",
identity_class="organization",
description="The Misinfosec group is where misinformation and information security people meet and learn from each other.",
)
return id
def create_organization(name: str, author: Optional[Identity] = None) -> Identity:
"""Create an organization."""
return Identity(
created_by_ref=author,
name=name,
identity_class="organization",
)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = Path(
__file__).parent.parent.resolve() / "config.yml"
config = (yaml.load(open(config_file_path, encoding="utf8"),
Loader=yaml.FullLoader)
if config_file_path.is_file() else {})
self.helper = OpenCTIConnectorHelper(config)
self.base_url = get_config_variable("RISKIQ_BASE_URL",
["riskiq", "base_url"], config)
self.interval_sec = get_config_variable("RISKIQ_INTERVAL_SEC",
["riskiq", "interval_sec"],
config)
user = get_config_variable("RISKIQ_USER", ["riskiq", "user"], config)
password = get_config_variable("RISKIQ_PASSWORD",
["riskiq", "password"], config)
# Create the author for all reports.
self.author = Identity(
name=self._DEFAULT_AUTHOR,
identity_class="organization",
description=
" RiskIQ is a cyber security company based in San Francisco, California."
" It provides cloud - based software as a service(SaaS) for organizations"
" to detect phishing, fraud, malware, and other online security threats.",
confidence=self.helper.connect_confidence_level,
)
# Initialization of the client
self.client = RiskIQClient(self.base_url, user, password)
def create_organization(name: str, author: Optional[Identity] = None) -> Identity:
"""Create an organization."""
return Identity(
created_by_ref=author,
name=name,
identity_class="organization",
custom_properties={CustomProperties.IDENTITY_TYPE: "organization"},
)
def create_sector(name: str, author: Identity) -> Identity:
"""Create a sector."""
return Identity(
created_by_ref=author,
name=name,
identity_class="class",
custom_properties={CustomProperties.IDENTITY_TYPE: "sector"},
)
def create_country(name: str, author: Identity) -> Identity:
"""Create a country."""
return Identity(
created_by_ref=author,
name=name,
identity_class="group",
custom_properties={CustomProperties.IDENTITY_TYPE: "country"},
)
def rel_mem_store():
cam = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
idy = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
ind = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
mal = Malware(id=MALWARE_ID, **MALWARE_KWARGS)
rel1 = Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0])
rel2 = Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1])
rel3 = Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2])
stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3]
yield MemoryStore(stix_objs)
def create_region(entity: Entity, author: Identity) -> Identity:
"""Create a region"""
custom_properties: Dict[str, Any] = {
CustomProperties.IDENTITY_TYPE: "region"
}
return Identity(
created_by_ref=author,
name=entity.value,
identity_class="group",
custom_properties=custom_properties,
)
def _generate_stix_bundle(self, country, city, observable_id):
# Generate stix bundle
country_identity = Identity(
name=country.name,
identity_class="group",
custom_properties={
"x_opencti_identity_type":
"country",
"x_opencti_alias": [
country.official_name
if hasattr(country, "official_name") else country.name
],
},
)
city_identity = Identity(
name=city,
identity_class="group",
custom_properties={"x_opencti_identity_type": "city"},
)
city_to_country = Relationship(
relationship_type="localization",
source_ref=city_identity.id,
target_ref=country_identity.id,
)
observable_to_city = Relationship(
relationship_type="localization",
source_ref=observable_id,
target_ref=city_identity.id,
custom_properties={
"x_opencti_weight": self.helper.connect_confidence_level,
"x_opencti_ignore_dates": True,
},
)
return Bundle(objects=[
country_identity,
city_identity,
city_to_country,
observable_to_city,
]).serialize()
def create_country(entity: Entity, author: Identity) -> Identity:
"""Create a country"""
custom_properties: Dict[str, Any] = {"x_opencti_location_type": "Country"}
if entity.slug is not None:
custom_properties["x_opencti_aliases"] = [entity.slug.upper()]
return Identity(
created_by_ref=author,
name=entity.value,
country=entity.slug.upper(),
custom_properties=custom_properties,
)
def create_country(entity: Entity, author: Identity) -> Identity:
"""Create a country"""
custom_properties: Dict[str, Any] = {
CustomProperties.IDENTITY_TYPE: "country"
}
if entity.slug is not None:
custom_properties[CustomProperties.ALIASES] = [entity.slug.upper()]
return Identity(
created_by_ref=author,
name=entity.value,
identity_class="group",
custom_properties=custom_properties,
)
def convert(filename, output='output.json'):
# Create the default author
author = Identity(name='The MITRE Corporation',
identity_class='organization')
count = 0
with open(filename) as json_file:
vulnerabilities_bundle = [author]
data = json.load(json_file)
print("Loaded the file")
for cves in data['CVE_Items']:
count += 1
# Get the name
name = cves['cve']['CVE_data_meta']['ID']
# Create external references
external_reference = ExternalReference(
source_name='NIST NVD',
url='https://nvd.nist.gov/vuln/detail/' + name)
external_references = [external_reference]
for reference in cves['cve']['references']['reference_data']:
external_reference = ExternalReference(
source_name=reference['refsource'], url=reference['url'])
external_references.append(external_reference)
# Getting the different fields
description = cves['cve']['description']['description_data'][0][
"value"]
cdate = cves['publishedDate']
mdate = cves['lastModifiedDate']
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(name=name,
created=cdate,
modified=mdate,
description=description,
created_by_ref=author,
external_references=external_references)
# Adding the vulnerability to the list of vulnerabilities
vulnerabilities_bundle.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vulnerabilities_bundle)
# Creating a MemoryStore object from the bundle
memorystore = MemoryStore(bundle)
# Dumping this object to a file
memorystore.save_to_file(output)
print("Successfully converted " + str(count) + " vulnerabilities")
def rel_fs_store():
cam = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
idy = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
ind = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
mal = Malware(id=MALWARE_ID, **MALWARE_KWARGS)
rel1 = Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0])
rel2 = Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1])
rel3 = Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2])
stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3]
fs = FileSystemStore(FS_PATH)
for o in stix_objs:
fs.add(o)
yield fs
for o in stix_objs:
os.remove(os.path.join(FS_PATH, o.type, o.id + '.json'))
def create_identity(
name: str,
created_by: Optional[Identity] = None,
identity_class: Optional[str] = None,
custom_properties: Optional[Mapping[str, Any]] = None,
) -> Identity:
"""Create an identity."""
if custom_properties is None:
custom_properties = {}
return Identity(
id=_create_random_identifier("identity"),
created_by_ref=created_by,
name=name,
identity_class=identity_class,
custom_properties=custom_properties,
)
def amitt_identity(self):
"""
"""
threat_actors = self.identities.itertuples()
for i in threat_actors:
if i.id == "ID00000":
continue
external_references = []
if i.type == "identity":
refs = self.parse_xlsx_reference_tuples(i.references)
for ref in refs:
try:
reference = ExternalReference(
source_name=ref[1],
url=ref[2],
external_id=ref[0]
)
external_references.append(reference)
except IndexError:
pass
try:
created_date = datetime.strptime(i.whenAdded, "%Y-%m-%d")
except:
created_date = datetime.now()
identity = Identity(
name=i.name,
description=i.summary,
identity_class=i.identityClass,
sectors=i.sectors,
contact_information=i.contactInformation,
created=created_date,
custom_properties={
# "x_published": i.whenAdded,
# "x_source": i.sourceCountry,
# "x_target": i.targetCountry,
"x_identified_via": i.foundVia
},
external_references=external_references
)
self.stix_objects.append(identity)
self.stix_identity_uuid[i.id] = identity.id
def convert(parse_data, output='output.json'):
# Create the default author
author = Identity(name='The MS Bulletin Corporation', identity_class='organization')
print(author)
count = 0
vulnerabilities_bundle = [author]
# Getting modified date
mdate = parse_data["rss"]["channel"]["lastBuildDate"]
for msb in parse_data["rss"]["channel"]["item"]:
count += 1
# Get the name
name = msb["title"]
# Getting the create date
cdate = msb["pubDate"]
# Getting description
description = msb["description"]
# Create external references
external_references = ExternalReference(
source_name="Microsoft Security Bulletin",
url=msb["link"]
)
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(
name=name,
created=cdate,
modified=mdate,
description=description,
created_by_ref=author,
external_references=external_references
)
# Adding the vulnerability to the list of vulnerabilities
vulnerabilities_bundle.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vulnerabilities_bundle)
# Creating a MemoryStore object from the bundle
memorystore = MemoryStore(bundle)
# Dumping this object to a file
memorystore.save_to_file(output)
print("Successfully converted " + str(count) + " vulnerabilities")
def __init__(
self,
helper: OpenCTIConnectorHelper,
confidence_level: int,
update_data: bool,
default_marking,
valhalla_client: str,
) -> None:
"""Initialize Valhalla indicator importer."""
self.helper = helper
self.guess_malware = True
self.guess_actor = True
self.confidence_level = confidence_level
self.update_data = update_data
self.default_marking = default_marking
self.valhalla_client = valhalla_client
self.organization = Identity(
name="Nextron Systems GmbH",
identity_class="organization",
description="THOR APT scanner and Valhalla Yara Rule API Provider",
)
self.bundle_objects = []
def run(self):
"""Run RiskIQ connector."""
self.helper.log_info("Starting RiskIQ connector...")
# Create the author for all reports.
# Creating it as a member of the class does not seem to work...
author = Identity(
name=self._DEFAULT_AUTHOR,
identity_class="organization",
description=" RiskIQ is a cyber security company based in San Francisco, California."
" It provides cloud - based software as a service(SaaS) for organizations"
" to detect phishing, fraud, malware, and other online security threats.",
)
while True:
self.helper.log_info("Running RiskIQ connector...")
run_interval = self._CONNECTOR_RUN_INTERVAL_SEC
try:
self.helper.log_info(f"Connector interval sec: {run_interval}")
timestamp = self._current_unix_timestamp()
current_state = self._load_state()
self.helper.log_info(f"[RiskIQ] loaded state: {current_state}")
last_run = self._get_state_value(
current_state, self._STATE_LATEST_RUN_TIMESTAMP
)
if self._is_scheduled(last_run, timestamp):
work_id = self._initiate_work(timestamp)
new_state = current_state.copy()
last_article = self._get_state_value(
current_state, ArticleImporter._LATEST_ARTICLE_TIMESTAMP
)
self.helper.log_info(f"[RiskIQ] last run: {last_run}")
last_article_date = (
timestamp_to_datetime(last_article).date() if last_run else None
)
self.helper.log_debug(
f"[RiskIQ] retrieving data from {last_article_date}"
)
response = self.client.get_articles(last_article_date)
if self.client.is_correct(response):
for article in response["articles"]:
importer = ArticleImporter(self.helper, article, author)
importer_state = importer.run(work_id, current_state)
if importer_state:
self.helper.log_info(
f"[RiskIQ] Updating state {importer_state}"
)
new_state.update(importer_state)
# Set the new state
new_state[
self._STATE_LATEST_RUN_TIMESTAMP
] = self._current_unix_timestamp()
self.helper.log_info(
f"[RiskIQ] Storing new state: {new_state}"
)
self.helper.set_state(new_state)
else:
self.helper.log_warning("[RiskIQ] failed to retrieve articles")
run_interval = self._CONNECTOR_RUN_INTERVAL_SEC
self.helper.log_info(
f"[RiskIQ] next run in {run_interval} seconds"
)
else:
run_interval = self._get_next_interval(
run_interval, timestamp, last_run
)
self.helper.log_info(
f"[RiskIQ] Connector will not run, next run in {run_interval} seconds"
)
self._sleep(delay_sec=run_interval)
except (KeyboardInterrupt, SystemExit):
self.helper.log_info("RiskIQ connector stop")
sys.exit(0)
except Exception as e:
self.helper.log_error(str(e))
sys.exit(0)
def process_events(self, events):
for event in events:
self.helper.log_info("Processing event " + event["Event"]["uuid"])
### Default variables
added_markings = []
added_entities = []
added_object_refs = []
### Pre-process
# Author
author = Identity(
name=event["Event"]["Orgc"]["name"], identity_class="organization"
)
# Elements
event_elements = self.prepare_elements(event["Event"]["Galaxy"], author)
# Markings
if "Tag" in event["Event"]:
event_markings = self.resolve_markings(event["Event"]["Tag"])
else:
event_markings = [TLP_WHITE]
# Tags
event_tags = []
if "Tag" in event["Event"]:
event_tags = self.resolve_tags(event["Event"]["Tag"])
# ExternalReference
event_external_reference = ExternalReference(
source_name=self.helper.connect_name,
external_id=event["Event"]["uuid"],
url=self.misp_url + "/events/view/" + event["Event"]["uuid"],
)
### Get indicators
event_external_references = [event_external_reference]
indicators = []
# Get attributes
for attribute in event["Event"]["Attribute"]:
indicator = self.process_attribute(
author, event_elements, event_markings, [], attribute
)
if attribute["type"] == "link":
event_external_references.append(
ExternalReference(
source_name=attribute["category"],
external_id=attribute["uuid"],
url=attribute["value"],
)
)
if indicator is not None:
indicators.append(indicator)
# Get attributes of objects
objects_relationships = []
for object in event["Event"]["Object"]:
attribute_external_references = []
for attribute in object["Attribute"]:
if attribute["type"] == "link":
attribute_external_references.append(
ExternalReference(
source_name=attribute["category"],
external_id=attribute["uuid"],
url=attribute["value"],
)
)
object_attributes = []
for attribute in object["Attribute"]:
indicator = self.process_attribute(
author,
event_elements,
event_markings,
attribute_external_references,
attribute,
)
if indicator is not None:
indicators.append(indicator)
if (
object["meta-category"] == "file"
and indicator["indicator"].x_opencti_observable_type
in FILETYPES
):
object_attributes.append(indicator)
objects_relationships.extend(
self.process_observable_relations(object_attributes, [])
)
### Prepare the bundle
bundle_objects = [author]
object_refs = []
# Add event markings
for event_marking in event_markings:
if event_marking["id"] not in added_markings:
bundle_objects.append(event_marking)
added_markings.append(event_marking["id"])
# Add event elements
all_event_elements = (
event_elements["intrusion_sets"]
+ event_elements["malwares"]
+ event_elements["tools"]
+ event_elements["attack_patterns"]
)
for event_element in all_event_elements:
if event_element["name"] not in added_object_refs:
object_refs.append(event_element)
added_object_refs.append(event_element["name"])
if event_element["name"] not in added_entities:
bundle_objects.append(event_element)
added_entities.append(event_element["name"])
# Add indicators
for indicator in indicators:
if indicator["indicator"]["id"] not in added_object_refs:
object_refs.append(indicator["indicator"])
added_object_refs.append(indicator["indicator"]["id"])
if indicator["indicator"]["id"] not in added_entities:
bundle_objects.append(indicator["indicator"])
added_entities.append(indicator["indicator"]["id"])
# Add attribute markings
for attribute_marking in indicator["markings"]:
if attribute_marking["id"] not in added_markings:
bundle_objects.append(attribute_marking)
added_markings.append(attribute_marking["id"])
# Add attribute elements
all_attribute_elements = (
indicator["attribute_elements"]["intrusion_sets"]
+ indicator["attribute_elements"]["malwares"]
+ indicator["attribute_elements"]["tools"]
+ indicator["attribute_elements"]["attack_patterns"]
)
for attribute_element in all_attribute_elements:
if attribute_element["name"] not in added_object_refs:
object_refs.append(attribute_element)
added_object_refs.append(attribute_element["name"])
if attribute_element["name"] not in added_entities:
bundle_objects.append(attribute_element)
added_entities.append(attribute_element["name"])
# Add attribute relationships
for relationship in indicator["relationships"]:
object_refs.append(relationship)
bundle_objects.append(relationship)
# Add object_relationships
for object_relationship in objects_relationships:
bundle_objects.append(object_relationship)
### Create the report if needed
if self.misp_create_report and len(object_refs) > 0:
report = Report(
name=event["Event"]["info"],
description=event["Event"]["info"],
published=parse(event["Event"]["date"]),
created_by_ref=author,
object_marking_refs=event_markings,
labels=["threat-report"],
object_refs=object_refs,
external_references=event_external_references,
custom_properties={
"x_opencti_report_class": self.misp_report_class,
"x_opencti_object_status": 2,
"x_opencti_tags": event_tags,
},
)
bundle_objects.append(report)
bundle = Bundle(objects=bundle_objects).serialize()
self.helper.log_info("Sending event STIX2 bundle")
self.helper.send_stix2_bundle(
bundle, None, self.update_existing_data, False
)
def process_events(self, events):
for event in events:
### Default variables
added_markings = []
added_entities = []
added_object_refs = []
### Pre-process
# Author
author = Identity(name=event['Event']['Orgc']['name'], identity_class='organization')
# Elements
event_elements = self.prepare_elements(event['Event']['Galaxy'])
# Markings
if 'Tag' in event['Event']:
event_markings = self.resolve_markings(event['Event']['Tag'])
else:
event_markings = [TLP_WHITE]
# ExternalReference
event_external_reference = ExternalReference(
source_name=self.helper.connect_name,
external_id=event['Event']['uuid'],
url=self.misp_url + '/events/view/' + event['Event']['uuid'])
### Get indicators
indicators = []
# Get attributes
for attribute in event['Event']['Attribute']:
indicator = self.process_attribute(author, event_elements, event_markings, attribute)
if indicator is not None:
indicators.append(indicator)
# Get attributes of objects
objects_relationships = []
for object in event['Event']['Object']:
object_attributes = []
for attribute in object['Attribute']:
indicator = self.process_attribute(author, event_elements, event_markings, attribute)
if indicator is not None:
indicators.append(indicator)
if object['meta-category'] == 'file' and indicator[
'indicator'].x_opencti_observable_type in FILETYPES:
object_attributes.append(indicator)
objects_relationships.extend(self.process_observable_relations(object_attributes, []))
### Prepare the bundle
bundle_objects = [author]
object_refs = []
# Add event markings
for event_marking in event_markings:
if event_marking['id'] not in added_markings:
bundle_objects.append(event_marking)
added_markings.append(event_marking['id'])
# Add event elements
all_event_elements = \
event_elements['intrusion_sets'] + \
event_elements['malwares'] + \
event_elements['tools'] + \
event_elements['attack_patterns']
for event_element in all_event_elements:
if event_element['name'] not in added_object_refs:
object_refs.append(event_element)
added_object_refs.append(event_element['name'])
if event_element['name'] not in added_entities:
bundle_objects.append(event_element)
added_entities.append(event_element['name'])
# Add indicators
for indicator in indicators:
if indicator['indicator']['id'] not in added_object_refs:
object_refs.append(indicator['indicator'])
added_object_refs.append(indicator['indicator']['id'])
if indicator['indicator']['id'] not in added_entities:
bundle_objects.append(indicator['indicator'])
added_entities.append(indicator['indicator']['id'])
# Add attribute markings
for attribute_marking in indicator['markings']:
if attribute_marking['id'] not in added_markings:
bundle_objects.append(attribute_marking)
added_markings.append(attribute_marking['id'])
# Add attribute elements
all_attribute_elements = \
indicator['attribute_elements']['intrusion_sets'] + \
indicator['attribute_elements']['malwares'] + \
indicator['attribute_elements']['tools'] + \
indicator['attribute_elements']['attack_patterns']
for attribute_element in all_attribute_elements:
if attribute_element['name'] not in added_object_refs:
object_refs.append(attribute_element)
added_object_refs.append(attribute_element['name'])
if attribute_element['name'] not in added_entities:
bundle_objects.append(attribute_element)
added_entities.append(attribute_element['name'])
# Add attribute relationships
for relationship in indicator['relationships']:
object_refs.append(relationship)
bundle_objects.append(relationship)
# Add object_relationships
for object_relationship in objects_relationships:
bundle_objects.append(object_relationship)
### Create the report if needed
if self.misp_create_report and len(object_refs) > 0:
report = Report(
name=event['Event']['info'],
description=event['Event']['info'],
published=parse(event['Event']['date']),
created_by_ref=author,
object_marking_refs=event_markings,
labels=['threat-report'],
object_refs=object_refs,
external_references=[event_external_reference],
custom_properties={
'x_opencti_report_class': self.misp_report_class,
'x_opencti_object_status': 2
}
)
bundle_objects.append(report)
bundle = Bundle(objects=bundle_objects).serialize()
self.helper.send_stix2_bundle(bundle, None, self.update_existing_data, False)
logging.info("Title: %s" % args.threat_name)
logging.info("Description: %s" % args.description)
if args.source and args.url:
logging.info("Source Name: %s" % args.source)
logging.info("Reference: %s" % args.url)
if args.output:
logging.info(f"Creating new STIX file '{args.output}'")
all_ioc = []
for fname in args.infile:
with open(fname, "r") as f:
all_ioc.extend(f.read().splitlines())
identity = Identity(name=args.author)
objects = [identity]
malware = Malware(name=args.threat_name,
is_family=False,
description=args.description)
if args.source and args.url:
malware_with_ref = malware.new_version(
external_references=[{
"source_name": args.source,
"url": args.url
}])
objects.append(malware_with_ref)
else:
objects.append(malware)
def process_events(self, events):
for event in events:
generic_actor = ThreatActor(
name='Unknown threats',
labels=['threat-actor'],
description=
'All unknown threats are represented by this pseudo threat actor. This entity helps to organize knowledge and indicators that could not be attributed to any other threats.'
)
added_threats = []
added_markings = []
# Default values
author = Identity(name=event['Event']['Orgc']['name'],
identity_class='organization')
report_threats = self.prepare_threats(event['Event']['Galaxy'])
if 'Tag' in event['Event']:
report_markings = self.resolve_markings(event['Event']['Tag'])
else:
report_markings = []
reference_misp = ExternalReference(
source_name=self.helper.connect_name,
url=self.misp_url + '/events/view/' + event['Event']['uuid'])
# Get all attributes
indicators = []
for attribute in event['Event']['Attribute']:
indicator = self.process_attribute(author, report_threats,
attribute, generic_actor)
if indicator is not None:
indicators.append(indicator)
# get all attributes of object
for object in event['Event']['Object']:
for attribute in object['Attribute']:
indicator = self.process_attribute(author, report_threats,
attribute,
generic_actor)
if indicator is not None:
indicators.append(indicator)
bundle_objects = [author]
report_refs = []
for report_marking in report_markings:
if report_marking['id'] not in added_markings:
bundle_objects.append(report_marking)
added_markings.append(report_marking['id'])
for report_threat in report_threats:
report_refs.append(report_threat)
bundle_objects.append(report_threat)
added_threats.append(report_threat['name'])
for indicator in indicators:
report_refs.append(indicator['indicator'])
bundle_objects.append(indicator['indicator'])
for attribute_threat in indicator['attribute_threats']:
if attribute_threat['name'] not in added_threats:
report_refs.append(attribute_threat)
bundle_objects.append(attribute_threat)
added_threats.append(attribute_threat['name'])
for marking in indicator['markings']:
if marking['id'] not in added_markings:
bundle_objects.append(marking)
added_markings.append(marking['id'])
for relationship in indicator['relationships']:
report_refs.append(relationship)
bundle_objects.append(relationship)
if len(report_refs) > 0:
report = Report(name=event['Event']['info'],
description=event['Event']['info'],
published=parse(event['Event']['date']),
created_by_ref=author,
object_marking_refs=report_markings,
labels=['threat-report'],
object_refs=report_refs,
external_references=[reference_misp],
custom_properties={
'x_opencti_report_class': 'Threat Report'
})
bundle_objects.append(report)
bundle = Bundle(objects=bundle_objects).serialize()
self.helper.send_stix2_bundle(bundle)
if self.misp_untag_event:
self.misp.untag(event['Event']['uuid'], self.misp_tag)
self.misp.tag(event['Event']['uuid'], self.misp_imported_tag)
def convert(filename, output="output.json"):
# Create the default author
author = Identity(name="The MITRE Corporation",
identity_class="organization")
count = 0
with open(filename) as json_file:
vulnerabilities_bundle = [author]
data = json.load(json_file)
for cves in data["CVE_Items"]:
count += 1
# Get the name
name = cves["cve"]["CVE_data_meta"]["ID"]
# Create external references
external_reference = ExternalReference(
source_name="NIST NVD",
url="https://nvd.nist.gov/vuln/detail/" + name)
external_references = [external_reference]
for reference in cves["cve"]["references"]["reference_data"]:
external_reference = ExternalReference(
source_name=reference["refsource"], url=reference["url"])
external_references.append(external_reference)
# Getting the different fields
description = cves["cve"]["description"]["description_data"][0][
"value"]
base_score = (cves["impact"]["baseMetricV3"]["cvssV3"]["baseScore"]
if "baseMetricV3" in cves["impact"] else None)
base_severity = (
cves["impact"]["baseMetricV3"]["cvssV3"]["baseSeverity"]
if "baseMetricV3" in cves["impact"] else None)
attack_vector = (
cves["impact"]["baseMetricV3"]["cvssV3"]["attackVector"]
if "baseMetricV3" in cves["impact"] else None)
integrity_impact = (
cves["impact"]["baseMetricV3"]["cvssV3"]["integrityImpact"]
if "baseMetricV3" in cves["impact"] else None)
availability_impact = (
cves["impact"]["baseMetricV3"]["cvssV3"]["availabilityImpact"]
if "baseMetricV3" in cves["impact"] else None)
cdate = datetime.datetime.strptime(cves["publishedDate"],
"%Y-%m-%dT%H:%MZ")
mdate = datetime.datetime.strptime(cves["lastModifiedDate"],
"%Y-%m-%dT%H:%MZ")
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(
id=OpenCTIStix2Utils.generate_random_stix_id("vulnerability"),
name=name,
created=cdate,
modified=mdate,
description=description,
created_by_ref=author,
external_references=external_references,
custom_properties={
"x_opencti_base_score": base_score,
"x_opencti_base_severity": base_severity,
"x_opencti_attack_vector": attack_vector,
"x_opencti_integrity_impact": integrity_impact,
"x_opencti_availability_impact": availability_impact,
},
)
# Adding the vulnerability to the list of vulnerabilities
vulnerabilities_bundle.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vulnerabilities_bundle)
bundle_json = bundle.serialize()
# Write to file
with open(output, "w") as f:
f.write(bundle_json)
def update_list(bundle_id: str, raw_companies_file: str, companies: dict, sectors: dict) -> Bundle:
bundles = []
with open(raw_companies_file) as csv_file:
csv_dict_reader = DictReader(csv_file, delimiter=',')
for row in csv_dict_reader:
if row['createdBy'] == "ANSSI":
creator = anssi
else:
creator = row['createdBy'] # has to be a STIX ID
entity_id = None
entity_creation_date = None
if row['name'] in companies:
entity_id = companies[row['name']]['id']
entity_creation_date = companies[row['name']]['created']
if row['x_opencti_aliases']:
aliases = row['x_opencti_aliases'].split(',')
else:
aliases = []
if row['other_stix_ids']:
stix_ids = row['x_opencti_stix_ids'].split(',')
else:
stix_ids = []
markings = row['objectMarking'].split(',')
company = Identity(
id=entity_id,
name=row['name'],
created=entity_creation_date,
description=row['description'],
contact_information=row['contact_information'],
roles="", # There's no real point for having a role here. Only companies/entities here, no people
identity_class='organization',
created_by_ref=creator,
object_marking_refs=[TLP_WHITE],
custom_properties={
'x_opencti_aliases': aliases,
'x_opencti_organization_type': row['x_opencti_organization_type'],
'x_opencti_stix_ids': stix_ids,
}
)
bundles.append(company)
company_sectors = row['sectors'].split(',')
for company_sector in company_sectors:
if company_sector == '':
print(f"Error: Organization {row['name']} has no Sector assigned!!")
return []
relevant_sector = sectors.get(company_sector, None)
# search through aliases
if relevant_sector is None:
for sector_name, sector in sectors.items():
aliases = sector.get('x_opencti_aliases', [])
if company_sector in aliases:
relevant_sector = sector
if relevant_sector is None:
print(f"Sector '{company_sector}' for company '{row['name']}' can't be found")
continue
relationship_id = None
relationship_name = f"{company.id}_{relevant_sector['id']}"
relationship_creation_date = None
if relationship_name in companies:
relationship_id = companies[relationship_name]['id']
relationship_creation_date = companies[relationship_name]['created']
sector_relationship = Relationship(
id=relationship_id,
created=relationship_creation_date,
relationship_type='part-of',
source_ref=company.id,
target_ref=relevant_sector['id'],
description=f"Company '{row['name']}' is part of sector '{company_sector}'",
confidence=100,
created_by_ref=creator,
object_marking_refs=[TLP_WHITE],
)
bundles.append(sector_relationship)
if bundle_id:
bundle = Bundle(
objects=bundles,
id=bundle_id,
allow_custom=True
)
else:
bundle = Bundle(
objects=bundles,
allow_custom=True
)
return bundle
from csv import DictReader
from stix2 import Bundle, Identity, Relationship, TLP_WHITE
raw_file = '../raw/companies.csv'
out_file = '../data/companies.json'
sector_file = '../data/sectors.json'
geograph_file = '../data/geography.json'
anssi = Identity(
id='identity--7b82b010-b1c0-4dae-981f-7756374a17df',
name="Agence Nationale de la Sécurité des Systèmes d'Information",
description="The Agence nationale de la sécurité des systèmes d'information (ANSSI; English: National Cybersecurity Agency of France) is a French service created on 7 July 2009 with responsibility for computer security.",
identity_class='organization',
object_marking_refs=[TLP_WHITE],
custom_properties={
'x_opencti_aliases': ['ANSSI'],
'x_opencti_organization_type': 'csirt',
}
)
def get_name_and_ids(in_file: str, classes: list):
result_dict = {}
bundle_id = ""
if not os.path.isfile(in_file):
print('No existing STIX file. Starting from scratch')
return result_dict, bundle_id
def _create_author() -> Identity:
return Identity(
name="AlienVault",
identity_class="organization",
custom_properties={CustomProperties.IDENTITY_TYPE: "organization"},
)