def data(self) -> Dict:
    """Return the observed-data fixture payload.

    Reads ``self.ipv4`` and ``self.domain`` (each expected to carry an
    ``"id"`` key) and lists those ids under ``objects``; the observation
    window comes from the module-level ``get_incident_start_date()`` /
    ``get_incident_end_date()``.
    """
    container_type = ContainerTypes.OBSERVED_DATA.value
    window_start = get_incident_start_date()
    window_end = get_incident_end_date()
    # Only references to already-created observables are sent; the
    # observed-data container never embeds the observables themselves here.
    referenced_ids = [self.ipv4["id"], self.domain["id"]]
    return dict(
        type=container_type,
        first_observed=window_start,
        last_observed=window_end,
        number_observed=50,  # fixture constant
        objects=referenced_ids,
    )
def data(self) -> Dict:
    """Return the Infrastructure fixture payload.

    ``self`` is not read; everything is constant except the first/last
    seen window, which comes from the module-level
    ``get_incident_start_date()`` / ``get_incident_end_date()``.
    """
    payload = {"type": "Infrastructure", "name": "Poison Ivy C2"}
    payload["description"] = "Poison Ivy C2 turning into C3"
    payload["first_seen"] = get_incident_start_date()
    payload["last_seen"] = get_incident_end_date()
    # "command-and-control" is a value of the STIX 2.1 infrastructure-type
    # open vocabulary.
    payload["infrastructure_types"] = ["command-and-control"]
    return payload
def data(self) -> Dict:
    """Return the fixture payload linking ``self.ttp1`` to ``self.location``.

    ``fromId``/``toId`` are the ``"id"`` values of those two attributes; the
    date window comes from the module-level ``get_incident_start_date()`` /
    ``get_incident_end_date()`` and ``count`` is a fixture constant. No
    ``type`` or ``relationship_type`` key is set here — presumably the
    caller fixes the object type; verify against the test that uses it.
    """
    source_id = self.ttp1["id"]
    target_id = self.location["id"]
    payload = {
        "fromId": source_id,
        "toId": target_id,
        "description": "We saw the attacker use Spearphishing Attachment.",
        "start_date": get_incident_start_date(),
        "stop_date": get_incident_end_date(),
        "count": 3,
        # "lang" is not set in this fixture (the original kept it commented out).
    }
    return payload
def data(self) -> Dict:
    """Return the 'related-to' relationship fixture payload.

    Links ``self.domain`` (source) to ``self.ipv4`` (target) via their
    ``"id"`` keys; the date window comes from the module-level
    ``get_incident_start_date()`` / ``get_incident_end_date()``.
    """
    return dict(
        fromId=self.domain["id"],
        toId=self.ipv4["id"],
        relationship_type="related-to",
        description="We saw the attacker use Spearphishing Attachment.",
        start_date=get_incident_start_date(),
        stop_date=get_incident_end_date(),
        # "lang" and "object_refs" are not set in this fixture (both were
        # commented out in the original).
    )
def data(self) -> Dict:
    """Return the StixCoreRelationship fixture payload (incident 'uses' ttp1).

    Endpoints are the ``"id"`` values of ``self.incident`` and ``self.ttp1``;
    the date window comes from the module-level ``get_incident_start_date()``
    / ``get_incident_end_date()``.
    """
    endpoints = {
        "fromId": self.incident["id"],
        "toId": self.ttp1["id"],
    }
    # Key order is kept identical to the flat literal this replaces.
    return {
        "type": "StixCoreRelationship",
        **endpoints,
        "relationship_type": "uses",
        "description": "We saw the attacker use Spearphishing Attachment.",
        "start_date": get_incident_start_date(),
        "stop_date": get_incident_end_date(),
        # "lang" is not set in this fixture (the original kept it commented out).
    }
def data(self) -> Dict:
    """Return the Incident fixture payload.

    ``self`` is not read; only ``first_seen``/``last_seen`` are computed,
    via the module-level ``get_incident_start_date()`` /
    ``get_incident_end_date()``. ``confidence`` is a fixture constant.
    """
    return dict(
        type="Incident",
        name="Green Group Attacks Against Finance",
        description="Incident by Green Group against a targets in the financial services sector.",
        aliases=["GREENEVIL", "GREVIL"],
        confidence=60,
        first_seen=get_incident_start_date(),
        last_seen=get_incident_end_date(),
        objective="World dominance",
    )
def data(self) -> Dict:
    """Return the STIX indicator fixture payload.

    Reads the ``"id"`` of ``self.organization`` (``createdBy``) and of
    ``self.marking_definition_green`` / ``self.marking_definition_white``
    (``objectMarking``). Every timestamp comes from the module-level
    ``get_incident_start_date()`` / ``get_incident_end_date()``.
    """
    # Fixture pattern: 198.51.100.0/24 is the RFC 5737 TEST-NET-2
    # documentation range, so the address never points at a live host.
    c2_pattern = (
        "[domain-name:value = 'www.5z8.info' AND "
        "domain-name:resolves_to_refs[*].value = '198.51.100.1/32']"
    )
    payload = {
        "type": "indicator",
        "name": "C2 server of the new campaign",
        "description": "This is the C2 server of the campaign",
        "pattern_type": "stix",
        "pattern": c2_pattern,
        # x_opencti_* keys are custom (x_-prefixed) extension properties;
        # the values below are fixture constants.
        "x_opencti_main_observable_type": "IPv4-Addr",
        "confidence": 60,
        "x_opencti_score": 80,
        "x_opencti_detection": True,
    }
    payload["valid_from"] = get_incident_start_date()
    payload["valid_until"] = get_incident_end_date()
    # created and modified are both pinned to the incident start here.
    payload["created"] = get_incident_start_date()
    payload["modified"] = get_incident_start_date()
    payload["createdBy"] = self.organization["id"]
    payload["objectMarking"] = [
        self.marking_definition_green["id"],
        self.marking_definition_white["id"],
    ]
    payload["update"] = True
    # TODO killchain phase
    return payload