def transfer(lisa_file, save_directory):
content = get_content(lisa_file)
if 'error' in content.keys():
return "empty"
malware = create_malware(content)
indicator_list = create_indicator(content)
relation_list = create_relationship(indicator_list, malware)
observed_data_list = create_observed_data(content)
malware_analysis_list = create_malware_analysis(content)
md5 = content['md5']
bundle_list = []
bundle_list.append(malware)
for indicator in indicator_list:
bundle_list.append(indicator)
for relation in relation_list:
bundle_list.append(relation)
for ob in observed_data_list:
bundle_list.append(ob)
for ob in malware_analysis_list:
bundle_list.append(ob)
bundle = Bundle(bundle_list)
bundle_str = bundle.serialize()
stix_file = os.path.join(save_directory, md5 + '.json')
with open(stix_file, "wb") as save:
save.write(bundle_str.encode())
return md5 + '.json'
def main(users_file=USERS_FILE):
# Authentication
reddit = praw.Reddit(**credentials)
# Load list of accounts
subreddits = get_accounts(users_file)['user_to_follow']
observed_data_list = []
# CSV output file
local_filename = "output_" + now.strftime("%Y%m%d_%H%M") + ".csv"
with open(local_filename, mode='w') as csv_file:
writer = csv.DictWriter(csv_file, fieldnames=FIELDS)
writer.writeheader()
for subreddit in subreddits:
print(subreddit)
# We cannot get all posts, so we just get the most recent ones
for result in reddit.subreddit(subreddit).new(limit=POST_LIMIT):
if date_comparison(result):
post_date = datetime.fromtimestamp(result.created_utc)
writer.writerow({'subreddit': result.subreddit, # Subreddit Name
'username': result.fullname, # Username (user ID)
'date': post_date,
'title': result.title, # Post title
'text': result.selftext, # Post text (may be empty)
'json': reddit.request("GET", result.permalink) # Complete Post Json
})
args = {
'source': 'reddit',
'title': result.title,
'text': result.selftext,
'subject': result.subreddit,
}
observed_user = UserAccount(type='user-account', user_id=result.fullname)
observed_object = CSAwareSocial(**args, allow_custom=True)
objects = {"0": observed_user, "1": observed_object}
observed_data = ObservedData(first_observed=post_date, last_observed=post_date, number_observed=1, objects=objects, allow_custom=True)
observed_data_list.append(observed_data)
# STIX Conversion
bundle = Bundle(observed_data_list)
stix_filename = local_filename.replace('.csv', '.json')
stix_output = open(stix_filename, 'w')
stix_output.write(bundle.serialize(indent=4))
stix_output.close()
# Upload to AWS
to_aws(local_filename)
to_aws(stix_filename)
def get_bundle_json(self, target_group):
objects = self.find_groups(target_group)
for obj in objects:
self.find_relationships(obj)
bundle = Bundle(self.searched_objs)
if not os.path.isfile(
'./bundles/{0}-bundle.json'.format(target_group)):
with open('./bundles/{0}-bundle.json'.format(target_group),
'w') as f:
f.write(bundle.serialize())
return bundle
def run(self, results):
self.init()
log.debug("start stix reporter")
syscalls = open(self.analysis_path + "/logs/all.stap", "r").read()
self.CWD = self.find_execution_dir_of_build_script(syscalls)
log.debug("found execution dir")
self.parse_syscalls_to_stix(syscalls)
log.debug("parsed syscalls to stix objects")
stix_malware_analysis = MalwareAnalysis(
type="malware-analysis",
id="malware-analysis--" + str(uuid1()),
product="cuckoo-sandbox",
analysis_sco_refs=self.all_stix_objects,
)
self.all_stix_objects.append(stix_malware_analysis)
self.add_stix_groupings()
log.debug("created stix groupings")
stix_bundle = Bundle(
type="bundle",
id="bundle--" + str(uuid1()),
objects=self.all_stix_objects,
allow_custom=True,
)
log.debug("writing report to disk and serializing it")
self.write_report(stix_bundle)
def _process_hash(self, observable):
hash_value = observable["observable_value"]
artifact_id = None
bundle_objects = []
try:
# Attempt to download the file using the private V3 API method
request_url = (
f"https://www.virustotal.com/api/v3/files/{hash_value}/download"
)
req = urllib.request.Request(request_url, headers=self.headers)
response = urllib.request.urlopen(req)
file_contents = response.read()
assert file_contents is not None
# Get the mime type for the file
mime_type = magic.from_buffer(file_contents, mime=True)
# Upload the file as an Artifact
kwargs = {
"file_name":
hash_value,
"data":
file_contents,
"mime_type":
mime_type,
"x_opencti_description":
f"Downloaded from Virustotal using hash {hash_value}",
}
response = self.helper.api.stix_cyber_observable.upload_artifact(
**kwargs)
self.helper.log_info(response)
artifact_id = response["standard_id"]
except Exception as e:
raise Exception(
f"Failed to download/upload Artifact with hash {hash_value}, exception: {e}"
)
# Create a relationship between the StixFile and the new Artifact
relationship = Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id("relationship"),
relationship_type="related-to",
created_by_ref=self.identity,
source_ref=observable["standard_id"],
target_ref=artifact_id,
allow_custom=True,
)
bundle_objects.append(relationship)
if bundle_objects:
bundle = Bundle(objects=bundle_objects,
allow_custom=True).serialize()
bundles_sent = self.helper.send_stix2_bundle(bundle)
return f"Sent {len(bundles_sent)} stix bundle(s) for worker import"
else:
return "Nothing to attach"
def _generate_stix_bundle(self, country, city, observable_id):
# Generate stix bundle
country_identity = Identity(
name=country.name,
identity_class='group',
custom_properties={
'x_opencti_identity_type': 'country',
'x_opencti_alias': [country.official_name],
}
)
city_identity = Identity(
name=city,
identity_class='group',
custom_properties={
'x_opencti_identity_type': 'city'
}
)
city_to_country = Relationship(
relationship_type='localization',
source_ref=city_identity.id,
target_ref=country_identity.id,
)
observable_to_city = Relationship(
relationship_type='localization',
source_ref=observable_id,
target_ref=city_identity.id,
custom_properties={
'x_opencti_weight': self.helper.connect_confidence_level
}
)
return Bundle(objects=[country_identity, city_identity,
city_to_country, observable_to_city]).serialize()
def _process_message(self, data: Dict) -> str:
file_fetch = data["file_fetch"]
file_uri = self.helper.opencti_url + file_fetch
self.helper.log_info(f"Importing the file {file_uri}")
file_content = self.helper.api.fetch_opencti_file(file_uri)
if data["file_mime"] == "text/xml":
self.helper.log_debug("Stix1 file. Attempting conversion")
initialize_options()
file_content = elevate(file_content)
entity_id = data.get("entity_id", None)
if entity_id:
self.helper.log_debug("Contextual import.")
bundle = parse(file_content)["objects"]
if self._contains_report(bundle):
self.helper.log_debug("Bundle contains report.")
else:
self.helper.log_debug("No Report in Stix file. Updating current report")
bundle = self._update_report(bundle, entity_id)
file_content = Bundle(objects=bundle).serialize()
bundles_sent = self.helper.send_stix2_bundle(file_content)
return "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import"
def _process_message(self, data: Dict) -> str:
file_fetch = data["file_fetch"]
file_uri = self.helper.opencti_url + file_fetch
# Downloading and saving file to connector
self.helper.log_info("Importing the file " + file_uri)
observable = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"),
key=self.data["simple_observable_key"],
value=self.data["simple_observable_value"],
)
bundle_objects = [observable]
entity_id = data.get("entity_id", None)
report = self.helper.api.report.read(id=entity_id)
report = Report(
id=report["standard_id"],
name=report["name"],
description=report["description"],
published=self.helper.api.stix2.format_date(report["published"]),
report_types=report["report_types"],
object_refs=bundle_objects,
)
bundle_objects.append(report)
# create stix bundle
bundle = Bundle(objects=bundle_objects).serialize()
# send data
self.helper.send_stix2_bundle(bundle=bundle)
return "foo"
def _process_parsed_objects(self, report: Dict, observables: List,
entities: List) -> int:
if len(observables) == 0 and len(entities) == 0:
return 0
report = Report(
id=report["standard_id"],
name=report["name"],
description=report["description"],
published=self.helper.api.stix2.format_date(report["created"]),
report_types=report["report_types"],
object_refs=observables + entities,
)
observables.append(report)
bundles_sent = []
if len(observables) > 0:
bundle = Bundle(objects=observables).serialize()
bundles_sent = self.helper.send_stix2_bundle(
bundle=bundle,
update=True,
)
# len() - 1 because the report update increases the count by one
return len(bundles_sent) - 1
def run(self):
now = datetime.utcfromtimestamp(time.time())
now_time = now.strftime("%Y-%m-%d %H:%M:%S")
friendly_name = f"{self.helper.connect_name} run @ {now_time}"
work_id = self.helper.api.work.initiate_work(self.helper.connect_id,
friendly_name)
bundle_objects = []
for elem in self.data:
sdo = elem["class"](
id=elem["id"],
name=elem["name"],
description=elem["description"],
)
bundle_objects.append(sdo)
# create stix bundle
bundle = Bundle(objects=bundle_objects).serialize()
# send data
self.helper.send_stix2_bundle(
bundle=bundle,
entities_types=self.helper.connect_scope,
update=True,
work_id=work_id,
)
message = "Connector successfully run, storing last_run as " + str(
now_time)
self.helper.api.work.to_processed(work_id, message)
return "Foo"
def make_cti_file(self, stix_objects, bundle_name):
for object in stix_objects:
self.write_amitt_cti_dir(object.type)
# Write the bundle to the amitt-attack directory.
self.write_amitt_file(f"amitt-attack/{object.type}/{object.id}.json", Bundle(object))
self.write_amitt_file(f"amitt-attack/{bundle_name}.json", self.stix_bundle())
def convert(filename, output='output.json'):
count = 0
with open(filename) as json_file:
vList = []
data = json.load(json_file)
print("Loaded the file")
for cves in data['CVE_Items']:
count += 1
# Getting the different fields
name = cves['cve']['CVE_data_meta']['ID']
description = cves['cve']['description']['description_data'][0]["value"]
cdate = cves['publishedDate']
mdate = cves['lastModifiedDate']
creator = cves['cve']['CVE_data_meta']['ASSIGNER']
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(name=name, created=cdate, modified=mdate, description=description)
# Adding the vulnerability to the list of vulnerabilities
vList.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vList)
# Creating a MemoryStore object from the bundle
memorystore = MemoryStore(bundle)
# Dumping this object to a file
memorystore.save_to_file(output)
print("Successfully converted " + str(count) + " vulnerabilities")
def _process_message(self, data):
file_fetch = data["file_fetch"]
file_uri = self.helper.opencti_url + file_fetch
file_name = os.path.basename(file_fetch)
entity_id = data["entity_id"]
# Get context
is_context = entity_id is not None and len(entity_id) > 0
if self.helper.get_only_contextual() and not is_context:
raise ValueError(
"No context defined, connector is get_only_contextual true"
)
self.helper.log_info("Importing the file " + file_uri)
# Get the file
file_content = self.helper.api.fetch_opencti_file(file_uri, True)
# Write the file
f = open(file_name, "wb")
f.write(file_content)
f.close()
# Parse
bundle_objects = []
i = 0
parser = iocp.IOC_Parser(None, "pdf", True, "pdfminer", "json")
parsed = parser.parse(file_name)
os.remove(file_name)
if parsed != []:
for file in parsed:
if file != None:
for page in file:
if page != []:
for match in page:
resolved_match = self.resolve_match(match)
if resolved_match:
observable = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key=resolved_match["type"],
value=resolved_match["value"],
x_opencti_create_indicator=self.create_indicator,
)
bundle_objects.append(observable)
i += 1
else:
self.helper.log_error("Could not parse the report!")
if is_context:
entity = self.helper.api.stix_domain_object.read(id=entity_id)
if entity is not None:
if entity["entity_type"] == "Report" and len(bundle_objects) > 0:
report = Report(
id=entity["standard_id"],
name=entity["name"],
description=entity["description"],
published=self.helper.api.stix2.format_date(entity["created"]),
report_types=entity["report_types"],
object_refs=bundle_objects,
)
bundle_objects.append(report)
bundle = Bundle(objects=bundle_objects).serialize()
bundles_sent = self.helper.send_stix2_bundle(bundle)
return "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import"
def build(self) -> Optional[Bundle]:
"""Build Kaspersky YARA rule bundle."""
# Prepare STIX2 bundle objects with author.
bundle_objects = [self.author]
# Add object marking definitions to bundle.
bundle_objects.extend(self.object_markings)
# Create indicators and add to bundle.
indicators = self._create_indicators()
if not indicators:
log.warning("No indicators for %s", self.yara_rule.name)
return None
bundle_objects.extend(indicators)
# Create object references for the report.
objects = create_object_refs(indicators)
# Create report and add to bundle.
report = self._create_report(objects)
if report is not None:
bundle_objects.append(report)
# XXX: Without allow_custom=True the observable with the custom property
# will cause an unexpected property (x_opencti_score) error.
return Bundle(objects=bundle_objects, allow_custom=True)
def run(self, work_id: str, state: Mapping[str, Any]) -> Mapping[str, Any]:
"""Run the importation of the article."""
self.work_id = work_id
created = parser.parse(self.article["createdDate"])
# RisIQ API does not always provide the `publishedDate`.
# If it does not exist, take the value of the `createdDate` instead.
published = (
parser.parse(self.article["publishedDate"])
if self.article["publishedDate"] is not None
else created
)
indicators = itertools.chain(
*[
self._process_indicator(indicator)
for indicator in self.article["indicators"]
]
)
indicators = utils.deduplicate(list(indicators))
# Return the initial state if we don't have any indicators.
if not indicators:
self.helper.log_info("No indicator in article, report will not be created.")
return state
self.helper.log_debug(f"Number of indicators: {len(indicators)}")
# Check if all indicators' TLP marking are `TLP_WHITE`.
report_tlp = TLP_WHITE
if TLP_AMBER in [i["object_marking_refs"][0] for i in indicators]:
report_tlp = TLP_AMBER
report = Report(
type="report",
name=self.article.get("title", "RiskIQ Threat Report"),
description=self.article["summary"],
report_types=["threat-report"],
created_by_ref=self.author,
created=created,
published=published,
lang="en",
labels=self.article["tags"],
object_refs=indicators,
object_marking_refs=report_tlp,
external_references=[
{
"source_name": "riskiq",
"url": self.article["link"],
"external_id": self.article["guid"],
}
],
allow_custom=True,
)
self.helper.log_debug(f"[RiskIQ] Report = {report}")
bundle = Bundle(objects=indicators + [report, self.author], allow_custom=True)
self.helper.log_info("[RiskIQ] Sending report STIX2 bundle")
self._send_bundle(bundle)
return self._create_state(created)
def _send_bundle(self, bundle: Bundle) -> None:
serialized_bundle = bundle.serialize()
self.helper.send_stix2_bundle(
serialized_bundle,
work_id=self.work_id,
update=self.update_existing_data,
bypass_split=True,
)
def build(self) -> Bundle:
"""Build actor bundle."""
# Create bundle with author.
bundle_objects = [self.author]
# Add object marking definitions to bundle.
bundle_objects.extend(self.object_markings)
# Create intrusion sets and add to bundle.
intrusion_sets = self._create_intrusion_sets()
bundle_objects.extend(intrusion_sets)
# Create origin regions and countries and add to bundle.
origin_regions, origin_countries = self._create_origin_regions_and_countries()
bundle_objects.extend(origin_regions)
bundle_objects.extend(origin_countries)
# Intrusion sets originate from regions and add to bundle.
intrusion_sets_originate_from_regions = (
self._create_originates_from_relationships(intrusion_sets, origin_regions)
)
bundle_objects.extend(intrusion_sets_originate_from_regions)
# Intrusion sets originate from countries and add to bundle.
intrusion_sets_originate_from_countries = (
self._create_originates_from_relationships(intrusion_sets, origin_countries)
)
bundle_objects.extend(intrusion_sets_originate_from_countries)
# Create target regions and countries and add to bundle.
target_regions, target_countries = self._create_targeted_regions_and_countries()
bundle_objects.extend(target_regions)
bundle_objects.extend(target_countries)
# Intrusion sets target regions and add to bundle.
intrusion_sets_target_regions = self._create_targets_relationships(
intrusion_sets, target_regions
)
bundle_objects.extend(intrusion_sets_target_regions)
# Intrusion sets target countries and add to bundle.
intrusion_sets_target_countries = self._create_targets_relationships(
intrusion_sets, target_countries
)
bundle_objects.extend(intrusion_sets_target_countries)
# Create target sectors and add to bundle.
target_sectors = self._create_targeted_sectors()
bundle_objects.extend(target_sectors)
# Intrusion sets target sectors, add to bundle.
intrusion_sets_target_sectors = self._create_targets_relationships(
intrusion_sets, target_sectors
)
bundle_objects.extend(intrusion_sets_target_sectors)
return Bundle(objects=bundle_objects)
def _process_hash(self, observable):
hash_value = observable["observable_value"]
artifact_id = None
bundle_objects = []
try:
# Attempt to source the file contents from the hash
bytes_obj = io.BytesIO()
response = self.api_client.download_file(hash_value, bytes_obj)
bytes_obj.seek(0)
file_contents = bytes_obj.read()
mime_type = magic.from_buffer(file_contents, mime=True)
# Upload the file as an Artifact
kwargs = {
"file_name":
hash_value,
"data":
file_contents,
"mime_type":
mime_type,
"x_opencti_description":
f"Downloaded from Virustotal via hash {hash_value}",
}
response = self.helper.api.stix_cyber_observable.upload_artifact(
**kwargs)
self.helper.log_info(response)
artifact_id = response["standard_id"]
except Exception as e:
raise Exception(
f"Failed to download/upload Artifact with hash {hash_value}, exception: {e}"
)
# Create a relationship between the StixFile and the new Artifact
relationship = Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id("relationship"),
relationship_type="related-to",
created_by_ref=self.identity,
source_ref=observable["standard_id"],
target_ref=artifact_id,
allow_custom=True,
)
bundle_objects.append(relationship)
if bundle_objects:
bundle = Bundle(objects=bundle_objects,
allow_custom=True).serialize()
bundles_sent = self.helper.send_stix2_bundle(bundle)
return f"Sent {len(bundles_sent)} stix bundle(s) for worker import"
else:
return "Nothing to attach"
def test_filesystem_object_with_custom_property_in_bundle(fs_store):
camp = Campaign(name="Scipio Africanus",
objective="Defeat the Carthaginians",
x_empire="Roman",
allow_custom=True)
bundle = Bundle(camp, allow_custom=True)
fs_store.add(bundle, allow_custom=True)
camp_r = fs_store.get(camp.id, allow_custom=True)
assert camp_r.id == camp.id
assert camp_r.x_empire == camp.x_empire
def _process_parsed_objects(
self,
entity: Dict,
observables: List,
entities: List,
bypass_validation: bool,
file_name: str,
) -> int:
if len(observables) == 0 and len(entities) == 0:
return 0
if entity is not None and entity["entity_type"] == "Report":
report = Report(
id=entity["standard_id"],
name=entity["name"],
description=entity["description"],
published=self.helper.api.stix2.format_date(entity["created"]),
report_types=entity["report_types"],
object_refs=observables + entities,
allow_custom=True,
)
observables.append(report)
elif entity is not None:
# TODO, relate all object to the entity
entity_stix_bundle = self.helper.api.stix2.export_entity(
entity["entity_type"], entity["id"])
observables = observables + entity_stix_bundle["objects"]
else:
timestamp = int(time.time())
now = datetime.utcfromtimestamp(timestamp)
report = Report(
name=file_name,
description="Automatic import",
published=now,
report_types=["threat-report"],
object_refs=observables + entities,
allow_custom=True,
)
observables.append(report)
bundles_sent = []
if len(observables) > 0:
bundle = Bundle(objects=observables, allow_custom=True).serialize()
bundles_sent = self.helper.send_stix2_bundle(
bundle=bundle,
update=True,
bypass_validation=bypass_validation,
file_name=file_name + ".json",
entity_id=entity["id"] if entity is not None else None,
)
# len() - 1 because the report update increases the count by one
return len(bundles_sent) - 1
def test_memory_store_object_with_custom_property_in_bundle(mem_store):
camp = Campaign(name="Scipio Africanus",
objective="Defeat the Carthaginians",
x_empire="Roman",
allow_custom=True)
bundle = Bundle(camp, allow_custom=True)
mem_store.add(bundle, True)
bundle_r = mem_store.get(bundle.id)
camp_r = bundle_r['objects'][0]
assert camp_r.id == camp.id
assert camp_r.x_empire == camp.x_empire
def test_add_stix2_bundle_object(collection):
tc_sink = TAXIICollectionSink(collection)
# create new STIX threat-actor
ta = ThreatActor(name="Teddy Bear",
labels=["nation-state"],
sophistication="innovator",
resource_level="government",
goals=[
"compromising environment NGOs",
"water-hole attacks geared towards energy sector",
])
tc_sink.add(Bundle(objects=[ta]))
def get_objects(self, **filter_kwargs):
self._verify_can_read()
query_params = _filter_kwargs_to_query_params(filter_kwargs)
if not isinstance(query_params, dict):
query_params = json.loads(query_params)
full_filter = BasicFilter(query_params or {})
objs = full_filter.process_filter(self.objects,
("id", "type", "version"), [])
if objs:
return Bundle(objects=objs)
else:
resp = Response()
resp.status_code = 404
resp.raise_for_status()
def get_object(self, id, version=None):
self._verify_can_read()
query_params = None
if version:
query_params = _filter_kwargs_to_query_params({"version": version})
if query_params:
query_params = json.loads(query_params)
full_filter = BasicFilter(query_params or {})
objs = full_filter.process_filter(self.objects, ("version", ), [])
if objs:
return Bundle(objects=objs)
else:
resp = Response()
resp.status_code = 404
resp.raise_for_status()
def convert(filename, output='output.json'):
# Create the default author
author = Identity(name='The MITRE Corporation',
identity_class='organization')
count = 0
with open(filename) as json_file:
vulnerabilities_bundle = [author]
data = json.load(json_file)
print("Loaded the file")
for cves in data['CVE_Items']:
count += 1
# Get the name
name = cves['cve']['CVE_data_meta']['ID']
# Create external references
external_reference = ExternalReference(
source_name='NIST NVD',
url='https://nvd.nist.gov/vuln/detail/' + name)
external_references = [external_reference]
for reference in cves['cve']['references']['reference_data']:
external_reference = ExternalReference(
source_name=reference['refsource'], url=reference['url'])
external_references.append(external_reference)
# Getting the different fields
description = cves['cve']['description']['description_data'][0][
"value"]
cdate = cves['publishedDate']
mdate = cves['lastModifiedDate']
# Creating the vulnerability with the extracted fields
vuln = Vulnerability(name=name,
created=cdate,
modified=mdate,
description=description,
created_by_ref=author,
external_references=external_references)
# Adding the vulnerability to the list of vulnerabilities
vulnerabilities_bundle.append(vuln)
# Creating the bundle from the list of vulnerabilities
bundle = Bundle(vulnerabilities_bundle)
# Creating a MemoryStore object from the bundle
memorystore = MemoryStore(bundle)
# Dumping this object to a file
memorystore.save_to_file(output)
print("Successfully converted " + str(count) + " vulnerabilities")
def _generate_stix_bundle(self, country, city, loc, observable_id):
# Generate stix bundle
country_location = Location(
id=OpenCTIStix2Utils.generate_random_stix_id("location"),
name=country.name,
country=country.official_name
if hasattr(country, "official_name") else country.name,
custom_properties={
"x_opencti_location_type":
"Country",
"x_opencti_aliases": [
country.official_name
if hasattr(country, "official_name") else country.name
],
},
)
loc_split = loc.split(",")
city_location = Location(
id=OpenCTIStix2Utils.generate_random_stix_id("location"),
name=city,
country=country.official_name
if hasattr(country, "official_name") else country.name,
latitude=loc_split[0],
longitude=loc_split[1],
custom_properties={"x_opencti_location_type": "City"},
)
city_to_country = Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id("relationship"),
relationship_type="located-at",
source_ref=city_location.id,
target_ref=country_location.id,
)
observable_to_city = Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id("relationship"),
relationship_type="located-at",
source_ref=observable_id,
target_ref=city_location.id,
confidence=self.helper.connect_confidence_level,
)
return Bundle(
objects=[
country_location,
city_location,
city_to_country,
observable_to_city,
],
allow_custom=True,
).serialize()
def test_entity_create(entity_class, api_stix, opencti_splitter):
class_data = entity_class.data()
stix_class = entity_class.stix_class()
if stix_class is None:
return
stix_object = stix_class(**class_data)
bundle = Bundle(objects=[stix_object]).serialize()
split_bundle = opencti_splitter.split_bundle(bundle, True, None)[0]
bundles_sent = api_stix.import_bundle_from_json(split_bundle, False, None, 0)
assert len(bundles_sent) == 1
assert bundles_sent[0]["id"] == stix_object["id"]
assert bundles_sent[0]["type"] == stix_object["type"]
entity_class.base_class().delete(id=stix_object["id"])
def build(self) -> Bundle:
"""Build YARA rule bundle."""
# Create bundle with author.
bundle_objects = [self.author]
# Add object marking definitions to bundle.
bundle_objects.extend(self.object_markings)
# Create intrusion sets and add to bundle.
intrusion_sets = self._create_intrusion_sets()
bundle_objects.extend(intrusion_sets)
# Create malwares and add to bundle.
malwares = self._create_malwares()
bundle_objects.extend(malwares)
# Intrusion sets use malwares and add to bundle.
intrusion_sets_use_malwares = self._create_uses_relationships(
intrusion_sets, malwares)
bundle_objects.extend(intrusion_sets_use_malwares)
# Create indicators and add to bundle.
indicators = self._create_indicators()
bundle_objects.extend(indicators)
# Indicator indicates entities, add to bundle.
indicator_indicates = intrusion_sets + malwares
indicator_indicates_entities = self._create_indicates_relationships(
indicators, indicator_indicates)
bundle_objects.extend(indicator_indicates_entities)
# Create object references for the report.
object_refs = create_object_refs(
intrusion_sets,
malwares,
intrusion_sets_use_malwares,
indicators,
indicator_indicates_entities,
)
# Create reports and add to bundle.
reports = self._create_reports(object_refs)
bundle_objects.extend(reports)
return Bundle(objects=bundle_objects)
def build(self) -> Optional[Bundle]:
"""Build Kaspersky indicator group bundle."""
# Prepare STIX2 bundle objects with author.
bundle_objects = [self.author]
# Add object marking definitions to bundle.
bundle_objects.extend(self.object_markings)
# Create observations.
observations = self._create_ioc_observations()
if not observations:
log.error("No indicators nor observables for %s",
self.indicator_group)
return None
# Get observables and add to bundle.
observables = [
o.observable for o in observations if o.observable is not None
]
bundle_objects.extend(observables)
# Get indicators and to bundle.
indicators = [
o.indicator for o in observations if o.indicator is not None
]
bundle_objects.extend(indicators)
# Get observation relationships and add to bundle.
indicators_based_on_observables = [
o.relationship for o in observations if o.relationship is not None
]
bundle_objects.extend(indicators_based_on_observables)
# Create object references for the report.
object_refs = create_object_refs(observables, indicators,
indicators_based_on_observables)
# Create report and add to bundle.
report = self._create_report(object_refs)
bundle_objects.append(report)
# XXX: Without allow_custom=True the observable with the custom property
# will cause an unexpected property (x_opencti_score) error.
return Bundle(objects=bundle_objects, allow_custom=True)
def handler(q=False):
if q is False:
return False
request = json.loads(q)
pp = pprint.PrettyPrinter(indent=4)
pp.pprint(request)
if "config" in request:
config = request['config']
else:
config = {"indent_json_export": None}
if config['indent_json_export'] is not None:
try:
config['indent_json_export'] = int(config['indent_json_export'])
except:
config['indent_json_export'] = None
if 'data' not in request:
return False
iocList = []
for event in request['data']:
for attribute in event["Attribute"]:
ioc_type = attribute["type"]
ioc_value = attribute["value"]
scan_results = attribute["comment"]
ioc = create_indicator(ioc_type, ioc_value, scan_results)
iocList.append(ioc)
bundle = Bundle(iocList)
print(bundle)
return {'response': [],
'data': str(base64.b64encode(bytes(str(bundle), 'utf-8')), 'utf-8')}
return r
