def create_object(self, cybox_object, observable, user, tlp_id,
is_indicator, seen_conditions):
ce1sus_object = Object()
ce1sus_object.tlp_level_id = tlp_id
set_properties(ce1sus_object)
# Create the container
ce1sus_object.observable = observable
if hasattr(cybox_object, 'id'):
ce1sus_object.uuid = extract_uuid(cybox_object.id)
elif hasattr(cybox_object, 'id_'):
ce1sus_object.uuid = extract_uuid(cybox_object.id_)
else:
# unfortenatley one must be generated
ce1sus_object.uuid = uuid4()
if cybox_object.properties:
ce1sus_object.definition = self.get_object_definition(
cybox_object.properties)
attributes = self.create_attributes(cybox_object.properties,
ce1sus_object, tlp_id,
is_indicator, seen_conditions)
else:
raise CyboxMapperException('No properties found')
set_extended_logging(ce1sus_object, user, user.group)
# Create attributes
if cybox_object.related_objects:
for related_object in cybox_object.related_objects:
rel_obj = RelatedObject()
rel_obj.parent = ce1sus_object
rel_obj.relation = related_object.relationship
rel_obj.object = self.create_object(related_object, observable,
user, tlp_id, is_indicator,
seen_conditions)
if rel_obj.object:
rel_obj.object.parent = None
rel_obj.object.parent_id = None
ce1sus_object.related_objects.append(rel_obj)
if attributes or ce1sus_object.related_objects:
if attributes:
for attribute in attributes:
set_extended_logging(attribute, user, user.group)
ce1sus_object.attributes = attributes
return ce1sus_object
else:
return None
def __convert_info_soucre(self, info_source):
if info_source and info_source.identity:
identity = info_source.identity
identifier = None
if identity.id_:
identifier = extract_uuid(identity.id_)
# check if group exits
# Only based on the name as the id can vary
if not identity.name:
identity.name = 'Default'
group = self.groups.get(identity.name, None)
if group:
return group
else:
group = Group()
if identifier:
group.uuid = identifier
else:
# Unfortenately we must create our own
group.uuid = uuid4()
group.name = identity.name
group.description = u'Auto-generated from STIX'
group.tlp_lvl = 3
self.group_broker.insert(group, False)
self.groups[group.name] = group
return group
else:
return None
def create_observable(self,
observable,
event,
user,
tlp_id,
is_indicator=False,
seen_conditions=None):
if observable.idref:
return None
if not seen_conditions:
seen_conditions = dict()
ce1sus_observable = Observable()
ce1sus_observable.tlp_level_id = tlp_id
set_properties(ce1sus_observable)
if observable.id_:
ce1sus_observable.uuid = extract_uuid(observable.id_)
set_extended_logging(ce1sus_observable, user, user.group)
ce1sus_observable.event = event
ce1sus_observable.parent = event
# an observable has either a composition or a single object
if observable.observable_composition:
composition = ObservableComposition()
composition.operator = observable.observable_composition.operator
for child in observable.observable_composition.observables:
child_observable = self.create_observable(
child, event, user, tlp_id, is_indicator, seen_conditions)
# As the observable is not on the root level remove the link to the parent
if child_observable:
child_observable.event = None
composition.observables.append(child_observable)
ce1sus_observable.observable_composition = composition
return ce1sus_observable
else:
ce1sus_observable.uuid = extract_uuid(observable.id_)
# create a cybox object
obj = self.create_object(observable.object_, ce1sus_observable,
user, tlp_id, is_indicator,
seen_conditions)
ce1sus_observable.object = obj
# TODO
if obj:
return ce1sus_observable
else:
return None
def create_indicator(self, indicator, event, user):
ce1sus_indicator = Indicator()
set_properties(ce1sus_indicator)
if indicator.id_:
ce1sus_indicator.uuid = extract_uuid(indicator.id_)
else:
ce1sus_indicator.uuid = uuid4()
ce1sus_indicator.title = indicator.title
ce1sus_indicator.description = indicator.description
ce1sus_indicator.originating_group = self.__convert_info_soucre(
indicator.producer)
# TODO: Check if condifdence is in the supported range like Low Hiogh medium or even numbers?!
ce1sus_indicator.confidence = indicator.confidence
sightings = self.__convert_sightings(indicator.sightings, user)
if sightings:
ce1sus_indicator.sightings = sightings
# TODO: Add indicator types
# TODO: markings
if indicator.kill_chain_phases:
# TODO: Kill Chains
pass
# Note observable is actually observables[0]
if indicator.observables:
tlp_id = self.get_tlp_id_from_markings(indicator)
if tlp_id is None:
tlp_id = event.tlp_level_id
for observable in indicator.observables:
observable = self.cybox_mapper.create_observable(
observable, event, user, tlp_id, True)
if observable:
observable.event = None
observable.event_id = None
ce1sus_indicator.observables.append(observable)
set_extended_logging(ce1sus_indicator, user, user.group)
return ce1sus_indicator
def __map_stix_package_header(self, stix_package, user):
self.init()
self.cybox_mapper.init()
event = Event()
event.uuid = extract_uuid(stix_package.id_)
# event.uuid = stix_package.id_[-36:]
stix_header = stix_package.stix_header
event.title = stix_header.title
if not event.title:
event.title = stix_header.short_description
if not event.title:
event.title = stix_header.description
if not event.title:
event.title = 'Generated via STIX - No title'
info_source = stix_header.information_source
event.description = stix_header.description
if info_source:
# set information source
set_extended_logging(event, user,
self.__convert_info_soucre(info_source))
if isinstance(stix_header.handling, Marking):
# set tlp markings if available
for specification in stix_header.handling._markings:
for structure in specification.marking_structures:
if isinstance(structure, TLPMarkingStructure):
# TODO: set desrcption with reference
event.tlp = structure.color.title()
if not event.tlp_level_id:
event.tlp = 'White'
# first and last seen
if stix_header.information_source:
# TODO review this
time = stix_header.information_source.time
event.created_at = time.produced_time.value
if time.received_time:
event.modified_on = time.received_time.value
else:
event.modified_on = event.created_at
event.first_seen = time.start_time
event.last_seen = time.end_time
else:
# if these values were not set use now
event.created_at = datetime.utcnow()
event.modified_on = datetime.utcnow()
event.first_seen = datetime.utcnow()
event.last_seen = datetime.utcnow()
# TODO find a way to add this in stix / read it out
event.status = 'Confirmed'
event.analysis = 'Unknown'
event.risk = 'Undefined'
event.properties.is_shareable = True
event.properties.is_rest_instert = True
if not event.first_seen:
event.first_seen = event.created_at
if not event.last_seen:
event.last_seen = event.modified_on
return event