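def main():
    """Print a wrapper STIX package that relates two TLP-marked packages.

    The "alpha" package characterises a campaign and is marked TLP:AMBER; the
    "rat" package carries malware indicators and is marked TLP:RED. Each
    marking is attached to the header of its own package, and both packages
    are listed as related packages of a wrapper whose information source is
    the "Government Sharing Program - GSP" identity. The wrapper is printed
    as XML. The STIX classes used here are not defined in this view.
    """
    alpha_package = _tlp_marked_package(
        "Report on Adversary Alpha's Campaign against the Industrial Control Sector",
        "Campaign Characterization",
        "AMBER",
    )
    rat_package = _tlp_marked_package(
        "Indicators for Malware DrownedRat",
        "Indicators - Malware Artifacts",
        "RED",
    )

    stix_package = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    stix_package.stix_header = STIXHeader(information_source=info_src)
    stix_package.related_packages.append(alpha_package)
    stix_package.related_packages.append(rat_package)

    # print() keeps the script runnable on Python 3 as well as 2.
    print(stix_package.to_xml())


def _tlp_marked_package(title, intent, tlp_color):
    """Return a STIXPackage whose header carries exactly one TLP marking.

    Args:
        title: Header title.
        intent: Header package intent.
        tlp_color: TLP colour for the marking structure (e.g. "AMBER", "RED").

    Returns:
        The new STIXPackage.

    The marking's controlled structure is the XPath the original example used
    ("../../../../node()"), kept verbatim; it is a path relative to the
    marking's own position in the document. The TLP structure is appended to
    the specification created for *this* package, so one package's colour
    cannot end up in another's marking (the original appended the RED
    structure to the AMBER package's specification, leaving the RED package
    with an empty marking specification).
    """
    package = STIXPackage()
    package.stix_header = STIXHeader()
    package.stix_header.title = title
    package.stix_header.package_intents = intent
    package.stix_header.handling = Marking()

    spec = MarkingSpecification()
    spec.controlled_structure = "../../../../node()"
    tlp = TLPMarkingStructure()
    tlp.color = tlp_color
    spec.marking_structures.append(tlp)
    package.stix_header.handling.add_marking(spec)
    return package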
    def set_received_time(self, received_time):
        """Set ``producer.time.received_time`` on this :class:`Indicator`.

        Equivalent to ``indicator.producer.time.received_time = received_time``,
        except that a missing ``producer`` (an ``InformationSource``) and a
        missing ``producer.time`` (a ``Time``) are created on demand first.

        Args:
            received_time: A ``str``, ``datetime.datetime`` or
                ``cybox.common.DateTimeWithPrecision``. Any coercion of
                ``str``/``datetime`` values happens in the ``Time`` field's
                setter, not here (not visible in this view).

        """
        if not self.producer:
            self.producer = InformationSource()
        producer = self.producer

        if not producer.time:
            producer.time = Time()

        producer.time.received_time = received_time
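    def from_dict(cls, dict_repr, return_obj=None):
        """Populate an instance of ``cls`` from its dictionary representation.

        Args:
            dict_repr: Dictionary representation of the incident. A falsy
                value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.

        Keys are looked up with ``dict.get``, so a missing scalar key becomes
        ``None`` and a missing list key becomes an empty list; ``version``
        falls back to ``cls._version``. The dictionary's contents are not
        validated here — each field's converter receives whatever the
        dictionary holds.
        """
        if not dict_repr:
            return None
        if not return_obj:
            return_obj = cls()

        get = dict_repr.get
        return_obj.id_ = get('id')
        return_obj.idref = get('idref')
        return_obj.timestamp = get('timestamp')
        return_obj.version = get('version', cls._version)
        return_obj.title = get('title')
        return_obj.description = StructuredText.from_dict(get('description'))
        return_obj.short_description = StructuredText.from_dict(get('short_description'))
        return_obj.time = Time.from_dict(get('time'))
        return_obj.victims = [Identity.from_dict(x) for x in get('victims', [])]
        return_obj.categories = [IncidentCategory.from_dict(x) for x in get('categories', [])]
        return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(get('attributed_threat_actors'))
        return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
        return_obj.related_observables = RelatedObservables.from_dict(get('related_observables'))
        return_obj.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
        return_obj.intended_effects = [Statement.from_dict(x) for x in get('intended_effects', [])]
        return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps'))
        return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in get('affected_assets', [])]
        # Was misspelled ``discovery_methdos``: the parsed list went to a stray
        # attribute (or raised) instead of populating ``discovery_methods``.
        return_obj.discovery_methods = [DiscoveryMethod.from_dict(x) for x in get('discovery_methods', [])]
        return_obj.reporter = InformationSource.from_dict(get('reporter'))
        return_obj.responders = [InformationSource.from_dict(x) for x in get('responders', [])]
        return_obj.coordinators = [InformationSource.from_dict(x) for x in get('coordinators', [])]
        return_obj.external_ids = [ExternalID.from_dict(x) for x in get('external_ids', [])]
        return_obj.impact_assessment = ImpactAssessment.from_dict(get('impact_assessment'))
        return_obj.information_source = InformationSource.from_dict(get('information_source'))
        return_obj.security_compromise = SecurityCompromise.from_dict(get('security_compromise'))
        return_obj.confidence = Confidence.from_dict(get('confidence'))
        return_obj.coa_taken = [COATaken.from_dict(x) for x in get('coa_taken', [])]

        return return_obj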
def main():
    """Print a STIX package holding two reports that reference a shared campaign and TTP.

    The campaign and TTP are added to the wrapper package once; each report
    only carries an idref to them. The wrapper's information source is the
    "Government Sharing Program - GSP" identity and the result is printed as
    XML. The STIX classes used here are not defined in this view.
    """
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    alpha_report = _report(
        "Report on Adversary Alpha's Campaign against the Industrial Control Sector",
        "Campaign Characterization",
        description="Adversary Alpha has a campaign against the ICS sector!",
    )
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    rat_report = _report(
        "Indicators for Malware DrownedRat",
        "Indicators - Malware Artifacts",
    )
    rat_report.add_ttp(TTP(idref=ttp.id_))

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    print(wrapper.to_xml())


def _report(title, intent, description=None):
    """Return a Report with a Header carrying ``title``, ``intent`` and, when
    given, ``description`` (written to the header's ``descriptions`` field,
    as the original example did).
    """
    report = Report()
    report.header = Header()
    header = report.header
    header.title = title
    if description is not None:
        header.descriptions = description
    header.intents = intent
    return report
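def main():
    """Print a STIX package holding two reports that reference a shared campaign and TTP.

    The campaign and TTP are added to the wrapper package once; each report
    references them by idref through the public ``id_`` attribute (the
    original read the private ``_id`` backing field, which is not part of
    the entity's documented interface and is what the sibling example uses).
    The wrapper's information source is the "Government Sharing Program -
    GSP" identity and the result is printed with ``print()`` so the script
    also runs on Python 3. The STIX classes used here are not defined in this
    view.
    """
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    alpha_report = Report()
    alpha_report.header = Header()
    alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    alpha_report.header.intents = "Campaign Characterization"
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    rat_report = Report()
    rat_report.header = Header()
    rat_report.header.title = "Indicators for Malware DrownedRat"
    rat_report.header.intents = "Indicators - Malware Artifacts"
    rat_report.add_ttp(TTP(idref=ttp.id_))

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    print(wrapper.to_xml())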
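def main():
    """Build a TLP-marked STIX package of IP-watchlist indicators and print it.

    Input comes from ``loaddata()``: a namespace URL and prefix, an identity
    name, a TLP colour, a title, a description and an ``IOC`` mapping of IP
    address -> list of file hashes. Every value taken from that input is
    passed through ``sanitizer`` before it is placed in the package, since
    the data source is external to this script. ``loaddata`` and
    ``sanitizer`` are not defined in this view.
    """
    mydata = loaddata()

    # Register the namespace so that generated ids are prefixed with it.
    namespace = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
    set_id_namespace(namespace)

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name=sanitizer(mydata["Identity"]))

    # One TLP marking covering every node and attribute of the package.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = sanitizer(mydata["TLP_COLOR"])
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    # Local-time creation stamp, used as the header's short description
    # (datetime.now() is the same local naive time as fromtimestamp(time.time())).
    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    title = sanitizer(mydata["Title"])
    description = sanitizer(mydata["Description"])

    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=title,
                                     description=description,
                                     short_description=timestamp)
    wrapper.stix_header.handling = handling

    indicator = Indicator()
    indicator.title = title
    indicator.add_indicator_type("IP Watchlist")

    # One observable per IP; each hash listed under it becomes a related
    # File. The original loop used ``mydata["IOC"][key]`` as its loop
    # target, overwriting the input list with each element as it iterated;
    # iterate a plain local instead so the input mapping is left untouched.
    for ip_value, hashes in mydata["IOC"].items():
        address = Address(address_value=sanitizer(ip_value), category=Address.CAT_IPV4)
        address.condition = "Equals"

        observable = Observable(address)

        for hash_value in hashes or ():
            related_file = File()
            related_file.add_hash(sanitizer(hash_value))

            address.add_related(related_file, "Downloaded")

        indicator.add_observable(observable)

    wrapper.add_indicator(indicator)

    print(wrapper.to_xml())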
    def from_obj(cls, obj, return_obj=None):
        """Populate an instance of ``cls`` from a generateDS binding object.

        Args:
            obj: Binding object to read from. A falsy value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        Only ``id``, ``idref`` and ``timestamp`` are copied unless ``obj`` is
        an instance of ``cls._binding_class``; the remaining fields are then
        read as binding attributes. Repeated child elements guarded by an
        ``if`` are converted only when the binding reports them as present,
        so an absent element leaves the instance's default value alone; the
        unguarded fields at the end are assigned whatever their converter
        returns for the binding's value.
        """
        if not obj:
            return None

        incident = return_obj or cls()
        incident.id_ = obj.id
        incident.idref = obj.idref
        incident.timestamp = obj.timestamp

        if not isinstance(obj, cls._binding_class):
            return incident

        incident.version = obj.version
        incident.title = obj.Title
        incident.description = StructuredText.from_obj(obj.Description)
        incident.short_description = StructuredText.from_obj(obj.Short_Description)
        incident.time = Time.from_obj(obj.Time)

        victims = obj.Victim
        if victims:
            incident.victims = [Identity.from_obj(v) for v in victims]
        categories = obj.Categories
        if categories:
            incident.categories = [IncidentCategory.from_obj(c) for c in categories.Category]
        effects = obj.Intended_Effect
        if effects:
            incident.intended_effects = [Statement.from_obj(e) for e in effects]
        assets = obj.Affected_Assets
        if assets:
            incident.affected_assets = [AffectedAsset.from_obj(a) for a in assets.Affected_Asset]
        methods = obj.Discovery_Method
        if methods:
            incident.discovery_methods = [DiscoveryMethod.from_obj(m) for m in methods]
        reporter = obj.Reporter
        if reporter:
            incident.reporter = InformationSource.from_obj(reporter)
        responders = obj.Responder
        if responders:
            incident.responders = [InformationSource.from_obj(r) for r in responders]
        coordinators = obj.Coordinator
        if coordinators:
            incident.coordinators = [InformationSource.from_obj(c) for c in coordinators]
        external_ids = obj.External_ID
        if external_ids:
            incident.external_ids = [ExternalID.from_obj(e) for e in external_ids]
        impact = obj.Impact_Assessment
        if impact:
            incident.impact_assessment = ImpactAssessment.from_obj(impact)
        source = obj.Information_Source
        if source:
            incident.information_source = InformationSource.from_obj(source)
        compromise = obj.Security_Compromise
        if compromise:
            incident.security_compromise = SecurityCompromise.from_obj(compromise)

        # Assigned unconditionally; COA_Taken is iterated directly, so the
        # binding is expected to provide an iterable for it.
        incident.coa_taken = [COATaken.from_obj(c) for c in obj.COA_Taken]
        incident.confidence = Confidence.from_obj(obj.Confidence)
        incident.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
        incident.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        incident.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
        incident.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
        incident.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
        incident.status = VocabString.from_obj(obj.Status)
        incident.handling = Marking.from_obj(obj.Handling)
        incident.history = History.from_obj(obj.History)

        return incident
def add_analyst_item(analyst_item, incident):
    """Record ``analyst_item`` as the reporter of ``incident``.

    The reporter is an ``InformationSource`` whose identity is a CIQ 3.0
    identity instance. When ``analyst_item`` is truthy it becomes a single
    name line of the identity's party name; otherwise the identity is
    attached without a party name. ``incident.reporter`` is set in both
    cases.
    """
    identity_spec = STIXCIQIdentity3_0()
    if analyst_item:
        party = PartyName()
        party.add_name_line(analyst_item)
        identity_spec.party_name = party

    analyst_identity = CIQIdentity3_0Instance()
    analyst_identity.specification = identity_spec

    reporter = InformationSource()
    reporter.identity = analyst_identity
    incident.reporter = reporter
    def from_obj(cls, obj, return_obj=None):
        """Populate an instance of ``cls`` from a generateDS binding object.

        Args:
            obj: Binding object to read from. A falsy value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        Only ``id``, ``idref`` and ``timestamp`` are copied unless ``obj`` is
        an instance of ``cls._binding_class``; the remaining fields are then
        read as binding attributes. Repeated child elements guarded by an
        ``if`` are converted only when the binding reports them as present,
        so an absent element leaves the instance's default value alone; the
        unguarded fields at the end are assigned whatever their converter
        returns for the binding's value.
        """
        if not obj:
            return None

        incident = return_obj or cls()
        incident.id_ = obj.id
        incident.idref = obj.idref
        incident.timestamp = obj.timestamp

        if not isinstance(obj, cls._binding_class):
            return incident

        incident.version = obj.version
        incident.title = obj.Title
        incident.description = StructuredText.from_obj(obj.Description)
        incident.short_description = StructuredText.from_obj(obj.Short_Description)
        incident.time = Time.from_obj(obj.Time)

        victims = obj.Victim
        if victims:
            incident.victims = [Identity.from_obj(v) for v in victims]
        categories = obj.Categories
        if categories:
            incident.categories = [IncidentCategory.from_obj(c) for c in categories.Category]
        effects = obj.Intended_Effect
        if effects:
            incident.intended_effects = [Statement.from_obj(e) for e in effects]
        assets = obj.Affected_Assets
        if assets:
            incident.affected_assets = [AffectedAsset.from_obj(a) for a in assets.Affected_Asset]
        methods = obj.Discovery_Method
        if methods:
            incident.discovery_methods = [DiscoveryMethod.from_obj(m) for m in methods]
        reporter = obj.Reporter
        if reporter:
            incident.reporter = InformationSource.from_obj(reporter)
        responders = obj.Responder
        if responders:
            incident.responders = [InformationSource.from_obj(r) for r in responders]
        coordinators = obj.Coordinator
        if coordinators:
            incident.coordinators = [InformationSource.from_obj(c) for c in coordinators]
        external_ids = obj.External_ID
        if external_ids:
            incident.external_ids = [ExternalID.from_obj(e) for e in external_ids]
        impact = obj.Impact_Assessment
        if impact:
            incident.impact_assessment = ImpactAssessment.from_obj(impact)
        source = obj.Information_Source
        if source:
            incident.information_source = InformationSource.from_obj(source)
        compromise = obj.Security_Compromise
        if compromise:
            incident.security_compromise = SecurityCompromise.from_obj(compromise)

        # Assigned unconditionally; COA_Taken is iterated directly, so the
        # binding is expected to provide an iterable for it.
        incident.coa_taken = [COATaken.from_obj(c) for c in obj.COA_Taken]
        incident.confidence = Confidence.from_obj(obj.Confidence)
        incident.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
        incident.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        incident.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
        incident.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
        incident.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
        incident.status = VocabString.from_obj(obj.Status)
        incident.handling = Marking.from_obj(obj.Handling)
        incident.history = History.from_obj(obj.History)

        return incident
    def from_obj(cls, obj, return_obj=None):
        """Populate an instance of ``cls`` from a generateDS binding object.

        Args:
            obj: Binding object to read from (getter-style API, e.g.
                ``get_Title()``). A falsy value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        ``id``, ``idref`` and ``timestamp`` are copied for any binding; the
        rest is read only when ``obj`` is an instance of
        ``cls._binding_class``. ``version`` falls back to ``cls._version``
        when the binding reports none. Guarded repeated elements are
        converted only when present so an absent element leaves the default
        alone; the unguarded fields at the end are always assigned.
        """
        if not obj:
            return None

        incident = return_obj or cls()
        incident.id_ = obj.get_id()
        incident.idref = obj.get_idref()
        incident.timestamp = obj.get_timestamp()

        if not isinstance(obj, cls._binding_class):
            return incident

        incident.version = obj.get_version() or cls._version
        incident.title = obj.get_Title()
        incident.description = StructuredText.from_obj(obj.get_Description())
        incident.short_description = StructuredText.from_obj(obj.get_Short_Description())
        incident.time = Time.from_obj(obj.get_Time())

        victims = obj.get_Victim()
        if victims:
            incident.victims = [Identity.from_obj(v) for v in victims]
        categories = obj.get_Categories()
        if categories:
            incident.categories = [IncidentCategory.from_obj(c) for c in categories.get_Category()]
        effects = obj.get_Intended_Effect()
        if effects:
            incident.intended_effects = [Statement.from_obj(e) for e in effects]
        assets = obj.get_Affected_Assets()
        if assets:
            incident.affected_assets = [AffectedAsset.from_obj(a) for a in assets.get_Affected_Asset()]
        methods = obj.get_Discovery_Method()
        if methods:
            incident.discovery_methods = [DiscoveryMethod.from_obj(m) for m in methods]
        reporter = obj.get_Reporter()
        if reporter:
            incident.reporter = InformationSource.from_obj(reporter)
        responders = obj.get_Responder()
        if responders:
            incident.responders = [InformationSource.from_obj(r) for r in responders]
        coordinators = obj.get_Coordinator()
        if coordinators:
            incident.coordinators = [InformationSource.from_obj(c) for c in coordinators]
        external_ids = obj.get_External_ID()
        if external_ids:
            incident.external_ids = [ExternalID.from_obj(e) for e in external_ids]
        impact = obj.get_Impact_Assessment()
        if impact:
            incident.impact_assessment = ImpactAssessment.from_obj(impact)
        source = obj.get_Information_Source()
        if source:
            incident.information_source = InformationSource.from_obj(source)
        compromise = obj.get_Security_Compromise()
        if compromise:
            incident.security_compromise = SecurityCompromise.from_obj(compromise)

        # Assigned unconditionally; get_COA_Taken() is iterated directly, so
        # the binding is expected to return an iterable for it.
        incident.coa_taken = [COATaken.from_obj(c) for c in obj.get_COA_Taken()]
        incident.confidence = Confidence.from_obj(obj.get_Confidence())
        incident.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors())
        incident.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
        incident.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
        incident.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs())
        incident.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents())
        incident.status = VocabString.from_obj(obj.get_Status())
        incident.handling = Marking.from_obj(obj.get_Handling())
        incident.history = History.from_obj(obj.get_History())

        return incident
    def from_dict(cls, dict_repr, return_obj=None):
        """Populate an :class:`Indicator` from its dictionary representation.

        Args:
            dict_repr: Dictionary representation of the indicator. A falsy
                value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.

        The base class's ``from_dict`` runs first; the indicator-specific
        keys are then looked up with ``dict.get``, so a missing key reaches
        its field's converter as ``None``. Nothing in the dictionary is
        validated here.
        """
        if not dict_repr:
            return None

        indicator = return_obj or cls()
        super(Indicator, cls).from_dict(dict_repr, return_obj=indicator)

        indicator.negate = dict_repr.get('negate')
        indicator.alternative_id = dict_repr.get('alternative_id')
        indicator.indicated_ttps = _IndicatedTTPs.from_dict(dict_repr.get('indicated_ttps'))
        indicator.test_mechanisms = TestMechanisms.from_list(dict_repr.get('test_mechanisms'))
        indicator.suggested_coas = SuggestedCOAs.from_dict(dict_repr.get('suggested_coas'))
        indicator.sightings = Sightings.from_dict(dict_repr.get('sightings'))
        indicator.composite_indicator_expression = CompositeIndicatorExpression.from_dict(
            dict_repr.get('composite_indicator_expression'))
        indicator.kill_chain_phases = KillChainPhasesReference.from_dict(dict_repr.get('kill_chain_phases'))
        indicator.related_indicators = RelatedIndicators.from_dict(dict_repr.get('related_indicators'))
        indicator.likely_impact = Statement.from_dict(dict_repr.get('likely_impact'))
        indicator.indicator_types = IndicatorTypes.from_list(dict_repr.get('indicator_types'))
        indicator.confidence = Confidence.from_dict(dict_repr.get('confidence'))
        indicator.valid_time_positions = _ValidTimePositions.from_dict(dict_repr.get('valid_time_positions'))
        indicator.observable = Observable.from_dict(dict_repr.get('observable'))
        indicator.producer = InformationSource.from_dict(dict_repr.get('producer'))
        indicator.related_campaigns = RelatedCampaignRefs.from_dict(dict_repr.get('related_campaigns'))
        indicator.related_packages = RelatedPackageRefs.from_dict(dict_repr.get('related_packages'))

        return indicator
    def from_obj(cls, obj, return_obj=None):
        """Populate a course of action from its generateDS binding object.

        Args:
            obj: Binding object to read from. A falsy value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        ``id``, ``idref`` and ``timestamp`` are copied for any binding; the
        CourseOfActionType properties are read only when ``obj`` is an
        instance of ``cls._binding_class``.
        """
        if not obj:
            return None

        coa = return_obj or cls()
        coa.id_ = obj.id
        coa.idref = obj.idref
        coa.timestamp = obj.timestamp

        if not isinstance(obj, cls._binding_class):
            return coa

        # CourseOfActionType properties
        coa.version = obj.version
        coa.title = obj.Title
        coa.stage = VocabString.from_obj(obj.Stage)
        coa.type_ = VocabString.from_obj(obj.Type)
        coa.description = StructuredText.from_obj(obj.Description)
        coa.short_description = StructuredText.from_obj(obj.Short_Description)
        coa.objective = Objective.from_obj(obj.Objective)
        coa.parameter_observables = Observables.from_obj(obj.Parameter_Observables)
        coa.impact = Statement.from_obj(obj.Impact)
        coa.cost = Statement.from_obj(obj.Cost)
        coa.efficacy = Statement.from_obj(obj.Efficacy)
        coa.information_source = InformationSource.from_obj(obj.Information_Source)
        coa.handling = Marking.from_obj(obj.Handling)
        coa.related_coas = RelatedCOAs.from_obj(obj.Related_COAs)
        coa.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

        return coa
def main():
    """Print a minimal STIX package whose header records the producing tool.

    The header's information source lists one ``ToolInformation`` (tool name
    "python-stix", vendor "The MITRE Corporation") wrapped in a
    ``ToolInformationList``, and carries the description "Example". The
    package is written out as XML and then as a dict via ``pprint``. The
    STIX/CybOX classes used here are not defined in this view.
    """
    package = STIXPackage()

    header = STIXHeader()
    header.information_source = InformationSource()

    # Note from the original example: this is cybox.common.ToolInformation,
    # NOT stix.common.ToolInformation.
    tool = ToolInformation(tool_name="python-stix",
                           tool_vendor="The MITRE Corporation")
    header.information_source.tools = ToolInformationList(tool)
    header.description = "Example"

    package.stix_header = header

    print(package.to_xml())
    pprint(package.to_dict())
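    def from_obj(cls, obj, return_obj=None):
        """Populate a threat actor from its generateDS binding object.

        Args:
            obj: Binding object to read from (getter-style API). A falsy
                value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        ``id``, ``idref`` and ``timestamp`` are copied for any binding; the
        ThreatActorType properties are read only when ``obj`` is an instance
        of ``cls._binding_class``. The repeated Statement elements are
        iterated unconditionally, so the binding is expected to return an
        iterable for each (presumably an empty list when absent — not
        visible here).
        """
        if not obj:
            return None
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref = obj.get_idref()
        return_obj.timestamp = obj.get_timestamp()
        if isinstance(obj, cls._binding_class):  # ThreatActorType properties
            # Fall back to the class default when the binding has no version;
            # `or` matches the sibling from_obj methods and calls the getter once.
            return_obj.version = obj.get_version() or cls._version
            return_obj.title = obj.get_Title()
            return_obj.description = StructuredText.from_obj(obj.get_Description())
            return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
            return_obj.identity = Identity.from_obj(obj.get_Identity())
            return_obj.types = [Statement.from_obj(x) for x in obj.get_Type()]
            return_obj.motivations = [Statement.from_obj(x) for x in obj.get_Motivation()]
            return_obj.sophistications = [Statement.from_obj(x) for x in obj.get_Sophistication()]
            return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
            return_obj.planning_and_operational_supports = [Statement.from_obj(x) for x in obj.get_Planning_And_Operational_Support()]
            return_obj.observed_ttps = ObservedTTPs.from_obj(obj.get_Observed_TTPs())
            return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
            return_obj.associated_actors = AssociatedActors.from_obj(obj.get_Associated_Actors())
            return_obj.handling = Marking.from_obj(obj.get_Handling())
            return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
            return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
            return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

        return return_obj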
def main():
    """Print a STIX package with one indicator backed by a YARA test mechanism.

    The rule text is embedded verbatim in the script. The test mechanism's
    producer is an information source whose identity is named "Yara" and
    whose references point at the YARA project page. The package is
    serialised with ``to_xml(encoding=None)``. The STIX classes used here are
    not defined in this view.
    """
    rule = """
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
"""

    package = STIXPackage()

    indicator = Indicator(title="silent_banker",
                          description="This is just an example")

    mechanism = YaraTestMechanism()
    mechanism.rule = rule

    producer = InformationSource(identity=Identity(name="Yara"))
    producer.references = ["http://plusvic.github.io/yara/"]
    mechanism.producer = producer

    indicator.test_mechanisms = TestMechanisms([mechanism])
    package.add_indicator(indicator)

    print(package.to_xml(encoding=None))
    def from_obj(cls, obj, return_obj=None):
        """Populate an exploit target from its generateDS binding object.

        Args:
            obj: Binding object to read from (getter-style API). A falsy
                value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        ``id``, ``idref`` and ``timestamp`` are copied for any binding; the
        ExploitTargetType properties are read only when ``obj`` is an
        instance of ``cls._binding_class``. ``version`` falls back to
        ``cls._version``. The repeated Vulnerability/Weakness/Configuration
        elements are iterated unconditionally.
        """
        if not obj:
            return None

        target = return_obj or cls()
        target.id_ = obj.get_id()
        target.idref = obj.get_idref()
        target.timestamp = obj.get_timestamp()  # original note: "not yet implemented"

        if not isinstance(obj, cls._binding_class):
            return target

        # ExploitTargetType properties
        target.version = obj.get_version() or cls._version
        target.title = obj.get_Title()
        target.description = StructuredText.from_obj(obj.get_Description())
        target.short_description = StructuredText.from_obj(obj.get_Short_Description())
        target.information_source = InformationSource.from_obj(obj.get_Information_Source())
        target.handling = Marking.from_obj(obj.get_Handling())
        target.potential_coas = PotentialCOAs.from_obj(obj.get_Potential_COAs())
        target.related_exploit_targets = RelatedExploitTargets.from_obj(obj.get_Related_Exploit_Targets())
        target.vulnerabilities = [Vulnerability.from_obj(v) for v in obj.get_Vulnerability()]
        target.weaknesses = [Weakness.from_obj(w) for w in obj.get_Weakness()]
        target.configuration = [Configuration.from_obj(c) for c in obj.get_Configuration()]
        target.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

        return target
    def from_obj(cls, obj, return_obj=None):
        """Populate a TTP from its generateDS binding object.

        Args:
            obj: Binding object to read from (getter-style API). A falsy
                value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        ``id``, ``idref`` and ``timestamp`` are copied for any binding; the
        TTPType properties are read only when ``obj`` is an instance of
        ``cls._binding_class``. ``version`` falls back to ``cls._version``.
        Intended effects are converted only when the binding reports some.
        """
        if not obj:
            return None

        ttp = return_obj or cls()
        ttp.id_ = obj.get_id()
        ttp.idref = obj.get_idref()
        ttp.timestamp = obj.get_timestamp()

        if not isinstance(obj, cls._binding_class):
            return ttp

        # TTPType properties
        ttp.version = obj.get_version() or cls._version
        ttp.title = obj.get_Title()
        ttp.description = StructuredText.from_obj(obj.get_Description())
        ttp.short_description = StructuredText.from_obj(obj.get_Short_Description())
        ttp.behavior = Behavior.from_obj(obj.get_Behavior())
        ttp.related_ttps = RelatedTTPs.from_obj(obj.get_Related_TTPs())
        ttp.exploit_targets = ExploitTargets.from_obj(obj.get_Exploit_Targets())
        ttp.information_source = InformationSource.from_obj(obj.get_Information_Source())
        ttp.resources = Resource.from_obj(obj.get_Resources())
        ttp.victim_targeting = VictimTargeting.from_obj(obj.get_Victim_Targeting())

        effects = obj.get_Intended_Effect()
        if effects:
            ttp.intended_effects = [Statement.from_obj(e) for e in effects]

        return ttp
    def from_obj(cls, obj, return_obj=None):
        """Copy the common entity fields of binding ``obj`` onto ``return_obj``.

        Both arguments are mandatory here: a falsy ``return_obj`` or ``obj``
        raises ``ValueError`` rather than returning ``None``. ``id``,
        ``idref`` and ``timestamp`` are read directly; the remaining
        attributes are read with a ``getattr`` default because a binding that
        is only a reference (not a full type definition) may not carry them.

        Args:
            obj: Binding object to read from.
            return_obj: Instance to populate.

        Returns:
            ``return_obj``, populated.

        Raises:
            ValueError: If ``return_obj`` or ``obj`` is falsy.
        """
        from stix.common import StructuredTextList, InformationSource
        from stix.data_marking import Marking

        if not return_obj:
            raise ValueError("Must provide a return_obj argument")

        if not obj:
            raise ValueError("Must provide an obj argument")

        def optional(name):
            # Absent on reference-style bindings, so default to None.
            return getattr(obj, name, None)

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp

        return_obj.version = optional('version')
        return_obj.title = optional('Title')
        return_obj.descriptions = StructuredTextList.from_obj(optional('Description'))
        return_obj.short_descriptions = StructuredTextList.from_obj(optional('Short_Description'))
        return_obj.information_source = InformationSource.from_obj(optional('Information_Source'))
        return_obj.handling = Marking.from_obj(optional('Handling'))

        return return_obj
    def from_obj(cls, obj, return_obj=None):
        """Populate an :class:`Incident` from its generateDS binding object.

        Args:
            obj: Binding object to read from. A falsy value yields ``None``.
            return_obj: Optional instance to fill in; a new ``cls()`` is
                created when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        The base class's ``from_obj`` runs first (what it fills in is not
        visible here); the incident-specific fields are then read only when
        ``obj`` is an instance of ``cls._binding_class``. Every field is
        assigned unconditionally from its converter, so absent elements are
        handled by the converters rather than by guards in this method.
        """
        if not obj:
            return None

        incident = return_obj or cls()
        super(Incident, cls).from_obj(obj, return_obj=incident)

        if not isinstance(obj, cls._binding_class):
            return incident

        incident.time = Time.from_obj(obj.Time)
        incident.victims = _Victims.from_obj(obj.Victim)
        incident.categories = IncidentCategories.from_obj(obj.Categories)
        incident.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
        incident.affected_assets = AffectedAssets.from_obj(obj.Affected_Assets)
        incident.discovery_methods = DiscoveryMethods.from_obj(obj.Discovery_Method)
        incident.coa_taken = _COAsTaken.from_obj(obj.COA_Taken)
        incident.coa_requested = _COAsRequested.from_obj(obj.COA_Requested)
        incident.confidence = Confidence.from_obj(obj.Confidence)
        incident.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
        incident.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        incident.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
        incident.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
        incident.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
        incident.status = VocabString.from_obj(obj.Status)
        incident.history = History.from_obj(obj.History)
        incident.responders = _InformationSources.from_obj(obj.Responder)
        incident.coordinators = _InformationSources.from_obj(obj.Coordinator)
        incident.external_ids = _ExternalIDs.from_obj(obj.External_ID)
        incident.reporter = InformationSource.from_obj(obj.Reporter)
        incident.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
        incident.security_compromise = VocabString.from_obj(obj.Security_Compromise)
        incident.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

        return incident
    def from_obj(cls, obj, return_obj=None):
        """Populate an Indicator from its generated binding object.

        Args:
            obj: the binding-layer object (``cls._binding_class``) parsed
                from a STIX document, or a falsy value.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        NOTE(review): ``negate`` and ``Alternative_ID`` are copied over
        verbatim from the binding; everything else goes through a converter.
        """
        if not obj:
            return None
        target = return_obj or cls()

        # inherited fields are handled by the parent class
        super(Indicator, cls).from_obj(obj, return_obj=target)

        if isinstance(obj, cls._binding_class):
            # (attribute on the result, converter or None for a raw copy,
            #  attribute on the binding)
            conversions = (
                ('negate', None, 'negate'),
                ('producer', InformationSource, 'Producer'),
                ('confidence', Confidence, 'Confidence'),
                ('sightings', Sightings, 'Sightings'),
                ('composite_indicator_expression', CompositeIndicatorExpression, 'Composite_Indicator_Expression'),
                ('kill_chain_phases', KillChainPhasesReference, 'Kill_Chain_Phases'),
                ('related_indicators', RelatedIndicators, 'Related_Indicators'),
                ('likely_impact', Statement, 'Likely_Impact'),
                ('indicator_types', IndicatorTypes, 'Type'),
                ('test_mechanisms', TestMechanisms, 'Test_Mechanisms'),
                ('suggested_coas', SuggestedCOAs, 'Suggested_COAs'),
                ('alternative_id', None, 'Alternative_ID'),
                ('indicated_ttps', _IndicatedTTPs, 'Indicated_TTP'),
                ('valid_time_positions', _ValidTimePositions, 'Valid_Time_Position'),
                ('observable', Observable, 'Observable'),
                ('related_campaigns', RelatedCampaignRefs, 'Related_Campaigns'),
                ('related_packages', RelatedPackageRefs, 'Related_Packages'),
            )
            for attr, kind, field in conversions:
                raw = getattr(obj, field)
                setattr(target, attr, raw if kind is None else kind.from_obj(raw))

        return target
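    def set_received_time(self, received_time):
        """Sets the received time for this :class:`Indicator`.

        This is the same as calling
        ``indicator.producer.time.received_time = received_time``, except
        that a missing ``producer`` or ``producer.time`` is created first.
        (The previous docstring wrongly described it as setting
        ``produced_time``.)

        The `received_time` parameter must be an instance of ``str``,
        ``datetime.datetime``, or ``cybox.common.DateTimeWithPrecision``.

        Args:
            received_time: An instance of ``str``,
                ``datetime.datetime``, or ``cybox.common.DateTimeWithPrecision``.

        Note:
            If `received_time` is a ``str`` or ``datetime.datetime`` instance
            an attempt will be made to convert it into an instance of
            ``cybox.common.DateTimeWithPrecision`` -- presumably by the
            ``Time`` attribute setter; this method does no conversion itself.

        """
        # lazily create the containers so the assignment below never hits None
        if not self.producer:
            self.producer = InformationSource()

        if not self.producer.time:
            self.producer.time = Time()

        self.producer.time.received_time = received_time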
    def from_dict(cls, dict_repr, return_obj=None):
        """Build an instance from its dictionary representation.

        Args:
            dict_repr: mapping with optional keys ``id``, ``title``,
                ``observable``, ``producer``, ``description`` and
                ``indicator_type``; a falsy value yields ``None``.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.

        Only the nested keys that are present and truthy are converted;
        ``id``/``title`` are copied through (``None`` when absent).
        """
        if not dict_repr:
            return None

        target = return_obj or cls()
        target.id_ = dict_repr.get('id')
        target.title = dict_repr.get('title')

        nested = dict((key, dict_repr.get(key))
                      for key in ('observable', 'producer', 'description', 'indicator_type'))

        if nested['observable']:
            target.add_observable(Observable.from_dict(nested['observable']))

        if nested['producer']:
            target.producer = InformationSource.from_dict(nested['producer'])

        if nested['description']:
            target.description = StructuredText.from_dict(nested['description'])

        if nested['indicator_type']:
            target.indicator_type = IndicatorType.from_dict(nested['indicator_type'])

        return target
    def from_obj(cls, obj, return_obj=None):
        """Populate an instance from a getter-style generated binding object.

        Args:
            obj: binding object exposing ``get_id``/``get_idref``/
                ``get_timestamp``; when it is also a ``cls._binding_class``
                the ExploitTarget-specific fields are converted too.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None
        target = return_obj or cls()

        target.id_ = obj.get_id()
        target.idref = obj.get_idref()
        target.timestamp = obj.get_timestamp()  # not yet implemented

        if isinstance(obj, cls._binding_class):
            # falls back to the class-level version when the document has none
            target.version = obj.get_version() or cls._version
            target.title = obj.get_Title()

            # (attribute on the result, converter, getter name on the binding)
            singles = (
                ('description', StructuredText, 'get_Description'),
                ('short_description', StructuredText, 'get_Short_Description'),
                ('information_source', InformationSource, 'get_Information_Source'),
                ('handling', Marking, 'get_Handling'),
                ('potential_coas', PotentialCOAs, 'get_Potential_COAs'),
                ('related_exploit_targets', RelatedExploitTargets, 'get_Related_Exploit_Targets'),
            )
            for attr, kind, getter in singles:
                setattr(target, attr, kind.from_obj(getattr(obj, getter)()))

            # repeated elements become lists, converted item by item
            target.vulnerabilities = [Vulnerability.from_obj(v) for v in obj.get_Vulnerability()]
            target.weakness = [Weakness.from_obj(w) for w in obj.get_Weakness()]
            target.configuration = [Configuration.from_obj(c) for c in obj.get_Configuration()]

            target.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

        return target
    def from_dict(cls, dict_repr, return_obj=None):
        """Populate an Incident from its dictionary representation.

        Args:
            dict_repr: mapping keyed by the Incident field names (missing
                keys are passed to the converters as ``None``); a falsy
                value yields ``None``.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.

        NOTE(review): dictionaries typically come from deserialised JSON of
        external origin; no schema validation is done at this level.
        """
        if not dict_repr:
            return None

        target = return_obj or cls()

        # inherited fields are handled by the parent class
        super(Incident, cls).from_dict(dict_repr, return_obj=target)

        # (attribute on the result, converter callable, dictionary key);
        # kept in the original assignment order
        conversions = (
            ('time', Time.from_dict, 'time'),
            ('victims', _Victims.from_dict, 'victims'),
            ('categories', IncidentCategories.from_dict, 'categories'),
            ('attributed_threat_actors', AttributedThreatActors.from_dict, 'attributed_threat_actors'),
            ('related_indicators', RelatedIndicators.from_dict, 'related_indicators'),
            ('related_observables', RelatedObservables.from_dict, 'related_observables'),
            ('related_incidents', RelatedIncidents.from_dict, 'related_incidents'),
            # intended effects are a plain list, hence from_list
            ('intended_effects', _IntendedEffects.from_list, 'intended_effects'),
            ('leveraged_ttps', LeveragedTTPs.from_dict, 'leveraged_ttps'),
            ('affected_assets', AffectedAssets.from_dict, 'affected_assets'),
            ('discovery_methods', DiscoveryMethods.from_dict, 'discovery_methods'),
            ('reporter', InformationSource.from_dict, 'reporter'),
            ('responders', _InformationSources.from_dict, 'responders'),
            ('coordinators', _InformationSources.from_dict, 'coordinators'),
            ('external_ids', _ExternalIDs.from_dict, 'external_ids'),
            ('impact_assessment', ImpactAssessment.from_dict, 'impact_assessment'),
            ('security_compromise', VocabString.from_dict, 'security_compromise'),
            ('confidence', Confidence.from_dict, 'confidence'),
            ('coa_taken', _COAsTaken.from_dict, 'coa_taken'),
            ('coa_requested', _COAsRequested.from_dict, 'coa_requested'),
            ('status', VocabString.from_dict, 'status'),
            ('history', History.from_dict, 'history'),
            ('related_packages', RelatedPackageRefs.from_dict, 'related_packages'),
        )
        for attr, convert, key in conversions:
            setattr(target, attr, convert(dict_repr.get(key)))

        return target
    def from_obj(cls, obj, return_obj=None):
        """Populate an Incident from its generated binding object.

        Args:
            obj: the binding-layer object (``cls._binding_class``) parsed
                from a STIX document, or a falsy value.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.

        This variant also converts ``Handling`` (data markings) but has no
        ``COA_Requested`` / ``Related_Packages`` conversion.
        """
        if not obj:
            return None

        target = return_obj or cls()

        # inherited fields are handled by the parent class
        super(Incident, cls).from_obj(obj, return_obj=target)

        if isinstance(obj, cls._binding_class):
            # (attribute on the result, converter class, attribute on the binding)
            conversions = (
                ('time', Time, 'Time'),
                ('victims', _Victims, 'Victim'),
                ('categories', IncidentCategories, 'Categories'),
                ('intended_effects', _IntendedEffects, 'Intended_Effect'),
                ('affected_assets', AffectedAssets, 'Affected_Assets'),
                ('discovery_methods', DiscoveryMethods, 'Discovery_Method'),
                ('coa_taken', _COAsTaken, 'COA_Taken'),
                ('confidence', Confidence, 'Confidence'),
                ('attributed_threat_actors', AttributedThreatActors, 'Attributed_Threat_Actors'),
                ('related_indicators', RelatedIndicators, 'Related_Indicators'),
                ('related_observables', RelatedObservables, 'Related_Observables'),
                ('leveraged_ttps', LeveragedTTPs, 'Leveraged_TTPs'),
                ('related_incidents', RelatedIncidents, 'Related_Incidents'),
                ('status', VocabString, 'Status'),
                ('handling', Marking, 'Handling'),
                ('history', History, 'History'),
                ('responders', _InformationSources, 'Responder'),
                ('coordinators', _InformationSources, 'Coordinator'),
                ('external_ids', _ExternalIDs, 'External_ID'),
                ('reporter', InformationSource, 'Reporter'),
                ('impact_assessment', ImpactAssessment, 'Impact_Assessment'),
                ('security_compromise', VocabString, 'Security_Compromise'),
            )
            for attr, kind, field in conversions:
                setattr(target, attr, kind.from_obj(getattr(obj, field)))

        return target
    def create_indicator(self, ce1sus_indicator, event_permissions, user):
        """Translate a ce1sus indicator into a STIX ``Indicator``.

        Args:
            ce1sus_indicator: the ce1sus-side indicator; its uuid, title,
                descriptions, confidence, types, operator, created_at and
                observables are read.
            event_permissions: permission set handed to
                ``get_observables_for_permissions`` / ``create_observable``
                so that only observables the caller may see are exported.
            user: the requesting user, passed through to the same calls.

        Returns:
            A populated ``Indicator`` whose id is derived from the ce1sus uuid.

        NOTE(review): handling and markings are still TODO, so the exported
        indicator carries no TLP / data marking even though its observables
        were permission-filtered -- confirm that this is acceptable for the
        consumers of the output.
        """
        result = Indicator()
        result.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
        result.title = ce1sus_indicator.title
        result.description = ce1sus_indicator.description
        result.short_description = ce1sus_indicator.short_description

        # default to a conservative confidence when ce1sus has none
        confidence = ce1sus_indicator.confidence
        result.confidence = confidence.title() if confidence else 'Low'

        # TODO: handling
        # TODO: markings
        for indicator_type in ce1sus_indicator.types:
            result.add_indicator_type(indicator_type.name)

        operator = ce1sus_indicator.operator
        if operator:
            result.observable_composition_operator = operator
        # Todo Add confidence
        # indicator_attachment.confidence = "Low"

        identity = self.create_stix_identity(ce1sus_indicator)
        produced = self.cybox_mapper.get_time(
            produced_time=ce1sus_indicator.created_at)
        result.producer = InformationSource(identity=identity, time=produced)

        permitted = ce1sus_indicator.get_observables_for_permissions(
            event_permissions, user)
        for observable in permitted:
            result.add_observable(
                self.create_observable(observable, event_permissions, user))

        # validity window collapsed onto the creation instant, as before
        window = ValidTime(start_time=ce1sus_indicator.created_at,
                           end_time=ce1sus_indicator.created_at)
        result.add_valid_time_position(window)
        return result
    def from_dict(cls, dict_repr, return_obj=None):
        """Populate an Incident from its dictionary representation.

        Args:
            dict_repr: mapping keyed by the Incident field names (missing
                keys are passed to the converters as ``None``); a falsy
                value yields ``None``.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.

        This variant also converts ``handling`` (data markings) but has no
        ``coa_requested`` / ``related_packages`` conversion.
        """
        if not dict_repr:
            return None

        target = return_obj or cls()

        # inherited fields are handled by the parent class
        super(Incident, cls).from_dict(dict_repr, return_obj=target)

        # (attribute on the result, converter callable, dictionary key);
        # kept in the original assignment order
        conversions = (
            ('time', Time.from_dict, 'time'),
            ('victims', _Victims.from_dict, 'victims'),
            ('categories', IncidentCategories.from_dict, 'categories'),
            ('attributed_threat_actors', AttributedThreatActors.from_dict, 'attributed_threat_actors'),
            ('related_indicators', RelatedIndicators.from_dict, 'related_indicators'),
            ('related_observables', RelatedObservables.from_dict, 'related_observables'),
            ('related_incidents', RelatedIncidents.from_dict, 'related_incidents'),
            # intended effects are a plain list, hence from_list
            ('intended_effects', _IntendedEffects.from_list, 'intended_effects'),
            ('leveraged_ttps', LeveragedTTPs.from_dict, 'leveraged_ttps'),
            ('affected_assets', AffectedAssets.from_dict, 'affected_assets'),
            ('discovery_methods', DiscoveryMethods.from_dict, 'discovery_methods'),
            ('reporter', InformationSource.from_dict, 'reporter'),
            ('responders', _InformationSources.from_dict, 'responders'),
            ('coordinators', _InformationSources.from_dict, 'coordinators'),
            ('external_ids', _ExternalIDs.from_dict, 'external_ids'),
            ('impact_assessment', ImpactAssessment.from_dict, 'impact_assessment'),
            ('security_compromise', VocabString.from_dict, 'security_compromise'),
            ('confidence', Confidence.from_dict, 'confidence'),
            ('coa_taken', _COAsTaken.from_dict, 'coa_taken'),
            ('status', VocabString.from_dict, 'status'),
            ('handling', Marking.from_dict, 'handling'),
            ('history', History.from_dict, 'history'),
        )
        for attr, convert, key in conversions:
            setattr(target, attr, convert(dict_repr.get(key)))

        return target
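def stix_xml(bldata):
    """Render RiskIQ blacklist entries as a STIX package and return its XML.

    Args:
        bldata: iterable of mappings, each carrying the blacklisted URL under
            the ``'url'`` key (a missing key raises ``KeyError``, as before).

    Returns:
        The serialised package, as returned by ``STIXPackage.to_xml()``.

    Side effects:
        ``set_id_namespace`` rebinds the library-wide ID namespace, so any
        STIX object created later in the same process also gets RiskIQ IDs.

    Changes from the original: the package is built once instead of twice
    (the first ``STIXPackage()`` was discarded) and the dead
    ``url.value = ""`` assignment is gone; the emitted document is the same.
    """
    # Set the namespace before creating anything that generates an ID
    NAMESPACE = {"http://www.riskiq.com": "RiskIQ"}
    set_id_namespace(NAMESPACE)

    # Header: description, producer time, package intent
    stix_header = STIXHeader()
    stix_header.description = "RiskIQ Blacklist Data - STIX Format"
    stix_header.information_source = InformationSource()
    stix_header.information_source.time = Time()
    # NOTE(review): naive local time -- consumers cannot tell the zone; a
    # zone-aware UTC timestamp would be unambiguous. Kept as-is so the
    # emitted value does not change.
    stix_header.information_source.time.produced_time = datetime.now()
    stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)

    stix_package = STIXPackage()
    stix_package.stix_header = stix_header

    # One indicator holding every URL as an observable
    indicator = Indicator()
    indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
    indicator.add_indicator_type("URL Watchlist")
    for datum in bldata:
        # URLs come from an external feed; XML escaping is left to the
        # binding's serialiser, nothing is sanitised here.
        url = URI()
        url.value = datum['url']
        url.type_ = URI.TYPE_URL
        url.condition = "Equals"
        indicator.add_observable(url)

    stix_package.add_indicator(indicator)
    return stix_package.to_xml()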
    def from_obj(cls, obj, return_obj=None):
        """Populate an instance from an attribute-style generated binding object.

        Args:
            obj: binding object exposing ``id``/``idref``/``timestamp``; when
                it is also a ``cls._binding_class`` the ExploitTarget-specific
                fields are converted too.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None
        target = return_obj or cls()

        target.id_ = obj.id
        target.idref = obj.idref
        target.timestamp = obj.timestamp  # not yet implemented

        if isinstance(obj, cls._binding_class):
            target.version = obj.version
            target.title = obj.Title

            # (attribute on the result, converter, attribute on the binding)
            singles = (
                ('description', StructuredText, 'Description'),
                ('short_description', StructuredText, 'Short_Description'),
                ('information_source', InformationSource, 'Information_Source'),
                ('handling', Marking, 'Handling'),
                ('potential_coas', PotentialCOAs, 'Potential_COAs'),
                ('related_exploit_targets', RelatedExploitTargets, 'Related_Exploit_Targets'),
            )
            for attr, kind, field in singles:
                setattr(target, attr, kind.from_obj(getattr(obj, field)))

            # repeated elements become lists, converted item by item
            target.vulnerabilities = [Vulnerability.from_obj(v) for v in obj.Vulnerability]
            target.weaknesses = [Weakness.from_obj(w) for w in obj.Weakness]
            target.configuration = [Configuration.from_obj(c) for c in obj.Configuration]

            target.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

        return target
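def main():
    """Build a STIX package wrapping an OpenIOC test mechanism for Zeus.

    Parses the IOC file from the working directory, creates a TTP for the
    Zeus malware family, attaches the IOC to an Indicator as an
    ``OpenIOCTestMechanism`` and prints the package as XML.

    Changes from the original: the throw-away ``TTP()`` that was immediately
    overwritten is gone, the local ``time`` no longer shadows the stdlib
    module name, and ``print`` uses the call form that works on both
    Python 2 and 3 for a single argument.
    """
    # NOTE(review): parsed with the default parser. If ``etree`` is lxml the
    # default parser resolves external entities, so an IOC file of untrusted
    # origin could be used for XXE / entity-expansion; an
    # XMLParser(resolve_entities=False, no_network=True) would close that.
    ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc')

    stix_package = STIXPackage()

    malware_instance = MalwareInstance()
    malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos']

    ttp = TTP(title="Zeus")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos")

    tm = OpenIOCTestMechanism()
    tm.ioc = ioc
    tm.producer = InformationSource(identity=Identity(name="Yara"))
    # hard-coded placeholder production time, as in the original
    produced = Time()
    produced.produced_time = "0001-01-01T00:00:00"
    tm.producer.time = produced
    tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"]
    indicator.test_mechanisms = [tm]

    # reference the TTP by id instead of embedding it a second time
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml())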
    def from_dict(cls, dict_repr, return_obj=None):
        """Populate a TTP from its dictionary representation.

        Args:
            dict_repr: mapping keyed by the TTP field names (missing keys
                are passed to the converters as ``None``); a falsy value
                yields ``None``.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.
        """
        if not dict_repr:
            return None
        target = return_obj or cls()

        get = dict_repr.get

        # scalar fields copied through unchanged
        for attr, key in (('id_', 'id'), ('idref', 'idref'),
                          ('timestamp', 'timestamp'), ('version', 'version'),
                          ('title', 'title')):
            setattr(target, attr, get(key))

        target.description = StructuredText.from_dict(get('description'))
        target.short_description = StructuredText.from_dict(get('short_description'))
        target.behavior = Behavior.from_dict(get('behavior'))
        target.related_ttps = RelatedTTPs.from_dict(get('related_ttps'))
        target.exploit_targets = ExploitTargets.from_dict(get('exploit_targets'))
        target.information_source = InformationSource.from_dict(get('information_source'))
        # intended effects are a list of statements; absent -> empty list
        target.intended_effects = [Statement.from_dict(effect)
                                   for effect in get('intended_effects', [])]
        target.resources = Resource.from_dict(get('resources'))
        target.victim_targeting = VictimTargeting.from_dict(get('victim_targeting'))
        target.handling = Marking.from_dict(get('handling'))

        return target
    def from_obj(cls, obj, return_obj=None):
        """Populate a TTP from an attribute-style generated binding object.

        Args:
            obj: binding object exposing ``id``/``idref``/``timestamp``; when
                it is also a ``cls._binding_class`` the TTP-specific fields
                are converted too.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None
        target = return_obj or cls()

        target.id_ = obj.id
        target.idref = obj.idref
        target.timestamp = obj.timestamp

        if isinstance(obj, cls._binding_class):  # TTPType properties
            target.version = obj.version
            target.title = obj.Title

            # (attribute on the result, converter, attribute on the binding)
            conversions = (
                ('description', StructuredText, 'Description'),
                ('short_description', StructuredText, 'Short_Description'),
                ('behavior', Behavior, 'Behavior'),
                ('related_ttps', RelatedTTPs, 'Related_TTPs'),
                ('exploit_targets', ExploitTargets, 'Exploit_Targets'),
                ('information_source', InformationSource, 'Information_Source'),
                ('resources', Resource, 'Resources'),
                ('victim_targeting', VictimTargeting, 'Victim_Targeting'),
                ('handling', Marking, 'Handling'),
            )
            for attr, kind, field in conversions:
                setattr(target, attr, kind.from_obj(getattr(obj, field)))

            # only overwrite intended_effects when the document has any
            effects = obj.Intended_Effect
            if effects:
                target.intended_effects = [Statement.from_obj(e) for e in effects]

        return target
    def from_obj(cls, obj, return_obj=None):
        """Populate a TTP from an attribute-style generated binding object.

        Args:
            obj: binding object exposing ``id``/``idref``/``timestamp``; when
                it is also a ``cls._binding_class`` the TTP-specific fields
                are converted too.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None
        target = return_obj or cls()

        target.id_ = obj.id
        target.idref = obj.idref
        target.timestamp = obj.timestamp

        if isinstance(obj, cls._binding_class):  # TTPType properties
            target.version = obj.version
            target.title = obj.Title

            # (attribute on the result, converter, attribute on the binding)
            conversions = (
                ('description', StructuredText, 'Description'),
                ('short_description', StructuredText, 'Short_Description'),
                ('behavior', Behavior, 'Behavior'),
                ('related_ttps', RelatedTTPs, 'Related_TTPs'),
                ('exploit_targets', ExploitTargets, 'Exploit_Targets'),
                ('information_source', InformationSource, 'Information_Source'),
                ('resources', Resource, 'Resources'),
                ('victim_targeting', VictimTargeting, 'Victim_Targeting'),
                ('handling', Marking, 'Handling'),
            )
            for attr, kind, field in conversions:
                setattr(target, attr, kind.from_obj(getattr(obj, field)))

            # only overwrite intended_effects when the document has any
            effects = obj.Intended_Effect
            if effects:
                target.intended_effects = [Statement.from_obj(e) for e in effects]

        return target
    def from_dict(cls, dict_repr, return_obj=None):
        """Populate a CourseOfAction from its dictionary representation.

        Args:
            dict_repr: mapping keyed by the COA field names (missing keys
                are passed to the converters as ``None``; a missing
                ``version`` falls back to ``cls._version``); a falsy value
                yields ``None``.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.
        """
        if not dict_repr:
            return None
        target = return_obj or cls()

        get = dict_repr.get

        target.id_ = get('id')
        target.idref = get('idref')
        target.timestamp = get('timestamp')
        target.version = get('version', cls._version)
        target.title = get('title')

        # (attribute on the result, converter callable, dictionary key);
        # kept in the original assignment order
        conversions = (
            ('stage', VocabString.from_dict, 'stage'),
            ('type_', VocabString.from_dict, 'type'),
            ('description', StructuredText.from_dict, 'description'),
            ('short_description', StructuredText.from_dict, 'short_description'),
            ('objective', Objective.from_dict, 'objective'),
            ('parameter_observables', Observables.from_dict, 'parameter_observables'),
            ('impact', Statement.from_dict, 'impact'),
            ('cost', Statement.from_dict, 'cost'),
            ('efficacy', Statement.from_dict, 'efficacy'),
            ('information_source', InformationSource.from_dict, 'information_source'),
            ('handling', Marking.from_dict, 'handling'),
            ('related_coas', RelatedCOAs.from_dict, 'related_coas'),
            ('related_packages', RelatedPackageRefs.from_dict, 'related_packages'),
        )
        for attr, convert, key in conversions:
            setattr(target, attr, convert(get(key)))

        return target
    def from_dict(cls, dict_repr, return_obj=None):
        """Populate a ThreatActor from its dictionary representation.

        Args:
            dict_repr: mapping keyed by the ThreatActor field names (missing
                keys are passed to the converters as ``None``; the list-valued
                ones default to empty lists); a falsy value yields ``None``.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.
        """
        if not dict_repr:
            return None

        target = return_obj or cls()
        get = dict_repr.get

        # scalar fields copied through unchanged
        for attr, key in (('id_', 'id'), ('idref', 'idref'),
                          ('timestamp', 'timestamp'), ('version', 'version'),
                          ('title', 'title')):
            setattr(target, attr, get(key))

        target.description = StructuredText.from_dict(get('description'))
        target.short_description = StructuredText.from_dict(get('short_description'))
        target.identity = Identity.from_dict(get('identity'))

        # lists of Statements; an absent key becomes an empty list
        for attr in ('types', 'motivations', 'sophistications',
                     'intended_effects', 'planning_and_operational_supports'):
            setattr(target, attr, [Statement.from_dict(item) for item in get(attr, [])])

        target.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
        target.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
        target.associated_actors = AssociatedActors.from_dict(get('associated_actors'))
        target.handling = Marking.from_dict(get('handling'))
        target.confidence = Confidence.from_dict(get('confidence'))
        target.information_source = InformationSource.from_dict(get('information_source'))
        target.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))

        return target
    def from_obj(cls, obj, return_obj=None):
        """Populate a TTP from a getter-style generated binding object.

        Args:
            obj: binding object exposing ``get_id``/``get_idref``/
                ``get_timestamp``; when it is also a ``cls._binding_class``
                the TTP-specific fields are converted too.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None
        target = return_obj or cls()

        target.id_ = obj.get_id()
        target.idref = obj.get_idref()
        target.timestamp = obj.get_timestamp()  # not yet implemented

        if isinstance(obj, cls._binding_class):  # TTPType properties
            # falls back to the class-level version when the document has none
            target.version = obj.get_version() or cls._version
            target.title = obj.get_Title()

            # (attribute on the result, converter, getter name on the binding)
            conversions = (
                ('description', StructuredText, 'get_Description'),
                ('short_description', StructuredText, 'get_Short_Description'),
                ('behavior', Behavior, 'get_Behavior'),
                ('related_ttps', RelatedTTPs, 'get_Related_TTPs'),
                ('information_source', InformationSource, 'get_Information_Source'),
                ('resources', Resource, 'get_Resources'),
                ('victim_targeting', VictimTargeting, 'get_Victim_Targeting'),
            )
            for attr, kind, getter in conversions:
                setattr(target, attr, kind.from_obj(getattr(obj, getter)()))

            # only overwrite intended_effects when the document has any
            effects = obj.get_Intended_Effect()
            if effects:
                target.intended_effects = [Statement.from_obj(e) for e in effects]

        return target
 def from_dict(cls, dict_repr, return_obj=None):
     """Build an instance from its dictionary representation.

     Args:
         dict_repr: mapping with optional keys ``id``, ``title``,
             ``observable``, ``producer``, ``description`` and
             ``indicator_type``; a falsy value yields ``None``.
         return_obj: instance to fill in; a fresh ``cls()`` is used when
             it is falsy.

     Returns:
         The populated instance, or ``None`` when ``dict_repr`` is falsy.

     Only the nested keys that are present and truthy are converted;
     ``id``/``title`` are copied through (``None`` when absent).
     """
     if not dict_repr:
         return None

     target = return_obj or cls()
     target.id_ = dict_repr.get('id')
     target.title = dict_repr.get('title')

     nested = dict((key, dict_repr.get(key))
                   for key in ('observable', 'producer', 'description', 'indicator_type'))

     if nested['observable']:
         target.add_observable(Observable.from_dict(nested['observable']))

     if nested['producer']:
         target.producer = InformationSource.from_dict(nested['producer'])

     if nested['description']:
         target.description = StructuredText.from_dict(nested['description'])

     if nested['indicator_type']:
         target.indicator_type = IndicatorType.from_dict(nested['indicator_type'])

     return target
    def from_obj(cls, obj, return_obj=None):
        """Populate a CourseOfAction from an attribute-style binding object.

        Args:
            obj: binding object exposing ``id``/``idref``/``timestamp``; when
                it is also a ``cls._binding_class`` the COA-specific fields
                are converted too.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None
        target = return_obj or cls()

        target.id_ = obj.id
        target.idref = obj.idref
        target.timestamp = obj.timestamp

        if isinstance(obj, cls._binding_class):  # CourseOfActionType properties
            target.version = obj.version
            target.title = obj.Title

            # (attribute on the result, converter, attribute on the binding);
            # kept in the original assignment order
            conversions = (
                ('stage', VocabString, 'Stage'),
                ('type_', VocabString, 'Type'),
                ('description', StructuredText, 'Description'),
                ('short_description', StructuredText, 'Short_Description'),
                ('objective', Objective, 'Objective'),
                ('parameter_observables', Observables, 'Parameter_Observables'),
                ('impact', Statement, 'Impact'),
                ('cost', Statement, 'Cost'),
                ('efficacy', Statement, 'Efficacy'),
                ('information_source', InformationSource, 'Information_Source'),
                ('handling', Marking, 'Handling'),
                ('related_coas', RelatedCOAs, 'Related_COAs'),
                ('related_packages', RelatedPackageRefs, 'Related_Packages'),
            )
            for attr, kind, field in conversions:
                setattr(target, attr, kind.from_obj(getattr(obj, field)))

        return target
    def from_dict(cls, dict_repr, return_obj=None):
        """Populate a CourseOfAction from its dictionary representation.

        Args:
            dict_repr: mapping keyed by the COA field names (missing keys
                are passed to the converters as ``None``); a falsy value
                yields ``None``.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.
        """
        if not dict_repr:
            return None
        target = return_obj or cls()

        get = dict_repr.get

        # scalar fields copied through unchanged
        for attr, key in (('id_', 'id'), ('idref', 'idref'),
                          ('timestamp', 'timestamp'), ('version', 'version'),
                          ('title', 'title')):
            setattr(target, attr, get(key))

        # (attribute on the result, converter callable, dictionary key);
        # kept in the original assignment order
        conversions = (
            ('stage', VocabString.from_dict, 'stage'),
            ('type_', VocabString.from_dict, 'type'),
            ('description', StructuredText.from_dict, 'description'),
            ('short_description', StructuredText.from_dict, 'short_description'),
            ('objective', Objective.from_dict, 'objective'),
            ('parameter_observables', Observables.from_dict, 'parameter_observables'),
            ('impact', Statement.from_dict, 'impact'),
            ('cost', Statement.from_dict, 'cost'),
            ('efficacy', Statement.from_dict, 'efficacy'),
            ('information_source', InformationSource.from_dict, 'information_source'),
            ('handling', Marking.from_dict, 'handling'),
            ('related_coas', RelatedCOAs.from_dict, 'related_coas'),
            ('related_packages', RelatedPackageRefs.from_dict, 'related_packages'),
        )
        for attr, convert, key in conversions:
            setattr(target, attr, convert(get(key)))

        return target
    def from_obj(cls, obj, return_obj=None):
        """Populate a CourseOfAction from a getter-style binding object.

        Args:
            obj: binding object exposing ``get_id``/``get_idref``/
                ``get_timestamp``; when it is also a ``cls._binding_class``
                the COA-specific fields are converted too.
            return_obj: instance to fill in; a fresh ``cls()`` is used when
                it is falsy.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None
        target = return_obj or cls()

        target.id_ = obj.get_id()
        target.idref = obj.get_idref()
        target.timestamp = obj.get_timestamp()

        if isinstance(obj, cls._binding_class):  # CourseOfActionType properties
            # falls back to the class-level version when the document has none
            target.version = obj.get_version() or cls._version
            target.title = obj.get_Title()

            # (attribute on the result, converter, getter name on the binding);
            # kept in the original assignment order
            conversions = (
                ('stage', VocabString, 'get_Stage'),
                ('type_', VocabString, 'get_Type'),
                ('description', StructuredText, 'get_Description'),
                ('short_description', StructuredText, 'get_Short_Description'),
                ('objective', Objective, 'get_Objective'),
                ('parameter_observables', Observables, 'get_Parameter_Observables'),
                ('impact', Statement, 'get_Impact'),
                ('cost', Statement, 'get_Cost'),
                ('efficacy', Statement, 'get_Efficacy'),
                ('information_source', InformationSource, 'get_Information_Source'),
                ('handling', Marking, 'get_Handling'),
                ('related_coas', RelatedCOAs, 'get_Related_COAs'),
                ('related_packages', RelatedPackageRefs, 'get_Related_Packages'),
            )
            for attr, kind, getter in conversions:
                setattr(target, attr, kind.from_obj(getattr(obj, getter)()))

        return target
    def from_obj(cls, obj, return_obj=None):
        """Build a CourseOfAction from its binding object.

        Args:
            obj: binding instance; ``None``/falsy gives ``None`` back.
            return_obj: instance to populate instead of creating ``cls()``.

        Returns:
            The populated instance, or ``None`` when there is nothing to read.
        """
        if not obj:
            return None

        target = return_obj if return_obj else cls()

        target.id_ = obj.get_id()
        target.idref = obj.get_idref()
        target.timestamp = obj.get_timestamp()

        # Only the concrete binding class carries the full set of
        # CourseOfActionType properties (per the original comment).
        if isinstance(obj, cls._binding_class):
            version = obj.get_version()
            target.version = version if version else cls._version
            target.title = obj.get_Title()
            target.stage = VocabString.from_obj(obj.get_Stage())
            target.type_ = VocabString.from_obj(obj.get_Type())
            target.description = StructuredText.from_obj(obj.get_Description())
            target.short_description = StructuredText.from_obj(obj.get_Short_Description())
            target.objective = Objective.from_obj(obj.get_Objective())
            target.parameter_observables = Observables.from_obj(obj.get_Parameter_Observables())
            target.impact = Statement.from_obj(obj.get_Impact())
            target.cost = Statement.from_obj(obj.get_Cost())
            target.efficacy = Statement.from_obj(obj.get_Efficacy())
            target.information_source = InformationSource.from_obj(obj.get_Information_Source())
            # Handling markings are copied through without validation.
            target.handling = Marking.from_obj(obj.get_Handling())
            target.related_coas = RelatedCOAs.from_obj(obj.get_Related_COAs())
            target.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

        return target
    def from_obj(cls, obj, return_obj=None):
        """Populate a ThreatActor from its binding object.

        Args:
            obj: binding instance; a falsy value yields ``None``.
            return_obj: existing instance to fill; ``cls()`` when omitted.

        Returns:
            The filled instance, or ``None`` if ``obj`` is falsy.
        """
        if not obj:
            return None

        actor = return_obj or cls()
        actor.id_ = obj.id
        actor.idref = obj.idref
        actor.timestamp = obj.timestamp

        # The remaining ThreatActorType properties are only read from the
        # concrete binding class (as the original comment indicates).
        if isinstance(obj, cls._binding_class):
            actor.version = obj.version
            actor.title = obj.Title
            actor.description = StructuredText.from_obj(obj.Description)
            actor.short_description = StructuredText.from_obj(obj.Short_Description)
            actor.identity = Identity.from_obj(obj.Identity)
            # Repeated elements become lists of Statements.
            actor.types = list(map(Statement.from_obj, obj.Type))
            actor.motivations = list(map(Statement.from_obj, obj.Motivation))
            actor.sophistications = list(map(Statement.from_obj, obj.Sophistication))
            actor.intended_effects = list(map(Statement.from_obj, obj.Intended_Effect))
            actor.planning_and_operational_supports = list(
                map(Statement.from_obj, obj.Planning_And_Operational_Support))
            actor.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
            actor.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
            actor.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
            # Handling markings are carried over unchanged; no validation here.
            actor.handling = Marking.from_obj(obj.Handling)
            actor.confidence = Confidence.from_obj(obj.Confidence)
            actor.information_source = InformationSource.from_obj(obj.Information_Source)
            actor.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

        return actor
    def set_producer_identity(self, identity):
        """Set the producer identity of this indicator.

        Args:
            identity: an ``Identity`` instance, which replaces the producer's
                identity outright; any other value is stored, unconverted, as
                the producer identity's ``name``.
        """
        if not self.producer:
            self.producer = InformationSource()

        if isinstance(identity, Identity):
            self.producer.identity = identity
            return

        if not self.producer.identity:
            self.producer.identity = Identity()

        # Stored as given -- no str() coercion happens in this variant.
        self.producer.identity.name = identity
    def from_obj(cls, obj, return_obj=None):
        """Fill ``return_obj`` with the common base fields of binding ``obj``.

        Unlike the other ``from_obj`` helpers, both arguments are required:
        a falsy ``return_obj`` or ``obj`` raises ``ValueError`` rather than
        returning ``None``. Properties a reference-only binding may lack are
        read with a ``None`` default.

        Args:
            obj: binding instance to read from.
            return_obj: instance to populate.

        Returns:
            ``return_obj``, populated.

        Raises:
            ValueError: if ``return_obj`` or ``obj`` is falsy.
        """
        from stix.common import StructuredTextList, InformationSource
        from stix.data_marking import Marking

        if not return_obj:
            raise ValueError("Must provide a return_obj argument")

        if not obj:
            raise ValueError("Must provide an obj argument")

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp

        def optional(attr):
            # A binding used only as a reference may not define these.
            return getattr(obj, attr, None)

        return_obj.version = optional('version')
        return_obj.title = optional('Title')
        return_obj.descriptions = StructuredTextList.from_obj(optional('Description'))
        return_obj.short_descriptions = StructuredTextList.from_obj(optional('Short_Description'))
        return_obj.information_source = InformationSource.from_obj(optional('Information_Source'))
        # Handling markings are copied through; validation is not done here.
        return_obj.handling = Marking.from_obj(optional('Handling'))

        return return_obj
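 def _add_header(self, stix_package, title, desc):
     """Attach a STIXHeader (title, description, production time) to a package.

     Args:
         stix_package: the STIXPackage whose ``stix_header`` is replaced.
         title: header title.
         desc: header description.
     """
     from datetime import timezone

     stix_header = STIXHeader()
     stix_header.title = title
     stix_header.description = desc
     stix_header.information_source = InformationSource()
     stix_header.information_source.time = CyboxTime()
     # Use a timezone-aware UTC timestamp: a naive datetime.now().isoformat()
     # carries no offset, so consumers cannot tell which zone the package was
     # produced in and cannot order it against other producers' packages.
     stix_header.information_source.time.produced_time = \
         datetime.now(timezone.utc).isoformat()
     stix_package.stix_header = stix_header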
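def cvebuild(var):
    """Search for a CVE ID and return a STIX formatted response.

    Args:
        var: the CVE identifier handed to ``CVESearch().id()``. It is passed
            through unvalidated here; presumably the caller checks its shape
            (``CVE-YYYY-NNNN``) before lookup -- TODO confirm.

    Returns:
        The STIX package serialized as XML. When this module runs as a
        script the XML is also written out via ``_postconstruct``.

    Raises:
        SystemExit: via ``sys.exit`` when the lookup returns no data.
    """
    cve = CVESearch()
    data = json.loads(cve.id(var))
    if not data:
        sys.exit("[-] Error retrieving details for " + var)

    # Register the ID namespace. The API moved from stix.utils to
    # mixbox.idgen in later python-stix releases, so support both.
    try:
        from stix.utils import set_id_namespace
        namespace = {NS: NS_PREFIX}
        set_id_namespace(namespace)
    except ImportError:
        from mixbox.idgen import set_id_namespace
        from mixbox.namespaces import Namespace
        namespace = Namespace(NS, NS_PREFIX, "")
        set_id_namespace(namespace)

    # A single package for the whole response (the duplicated
    # STIXPackage/STIXHeader construction has been removed).
    pkg = STIXPackage()
    pkg.stix_header = STIXHeader()
    pkg.stix_header.handling = _marking()

    # Define the exploit target
    expt = ExploitTarget()
    expt.title = data['id']
    expt.description = data['summary']
    expt.information_source = InformationSource(identity=Identity(
        name="National Vulnerability Database"))

    # Add the vulnerability object to the exploit target
    expt.add_vulnerability(_vulnbuild(data))

    # Reference the configured courses of action by id
    for coa in COAS:
        expt.potential_coas.append(
            CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))

    # TTPs from CAPEC entries, when the record has any and TTP output is on.
    # .get() replaces the old try/except KeyError, which also swallowed any
    # KeyError raised inside _buildttp and hid real bugs there.
    if TTPON is True:
        for i in data.get('capec', []):
            pkg.add_ttp(_buildttp(i, expt))

    expt.add_weakness(_weakbuild(data))

    # Add the exploit target to the package object
    pkg.add_exploit_target(expt)

    xml = pkg.to_xml()
    title = pkg.id_.split(':', 1)[-1]
    # If the function is not imported then output the xml to a file.
    if __name__ == '__main__':
        _postconstruct(xml, title)
    return xml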
    def set_producer_identity(self, identity):
        """Set (or clear) the producer identity of this indicator.

        Equivalent to ``indicator.producer.identity.name = identity``, with
        the ``producer`` and its ``identity`` created on demand.

        Args:
            identity: an ``Identity`` instance (used as-is), a value that is
                converted with ``str()`` and stored as the identity's name,
                or a falsy value, which clears the existing name instead.
        """
        if not identity:
            # Clearing: blank the name if there is one to blank. A missing
            # producer or identity simply means there is nothing to clear.
            try:
                self.producer.identity.name = None
            except AttributeError:
                pass
            return

        if not self.producer:
            self.producer = InformationSource()

        if isinstance(identity, Identity):
            self.producer.identity = identity
        else:
            if not self.producer.identity:
                self.producer.identity = Identity()
            # Anything that is not an Identity is stringified into the name.
            self.producer.identity.name = str(identity)
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
    """Assemble a STIXPackage holding a single Incident built from the arguments.

    Args:
        ident: id given to the Incident (``Incident(id_=ident)``).
        confid: stored in ``breach.confidence.value``.
        restconfid: stored as the package header description (see workaround).
        effect: passed to ``ImpactAssessment.add_effect``.
        resteffect: stored as the incident description.
        typeIncident: written to ``breach._binding_class.xml_type``.
        resttype: stored as the reporter description.
        asset: ``type_`` of the single AffectedAsset.
        restasset: stored as the reporter identity name.
        hashPkg: passed to ``breach.add_victim``.

    Returns:
        The STIXPackage with the incident added.
    """
    # IMPLEMENTATION WORKAROUND - the "rest*" values are parked in unrelated
    # description/name fields rather than modelled as their own properties:
    # restConfid --> header.description
    # resteffect --> breach.description
    # resttype --> reporter.description
    # restasset --> reporter.identity.name 
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = restconfid # "Example description"
    stix_package.stix_header = stix_header
    # add incident and confidence
    breach = Incident(id_=ident)
    breach.description = resteffect # "Intrusion into enterprise network"
    breach.confidence = Confidence()
    breach.confidence.value=confid
    print("confidence set to %s"%(str(breach.confidence.value)))
    # NOTE(review): this assigns to the *binding class* shared by every
    # Incident, not to this instance -- it presumably leaks typeIncident into
    # any other Incident serialized afterwards; confirm against python-stix.
    breach._binding_class.xml_type = typeIncident
    print("incident set to %s"%(str(breach._binding_class.xml_type)))
    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = resttype #"The person who reported it"

    breach.reporter.time = Time()
    # NOTE(review): the reporter time and the four incident timestamps below
    # are hard-coded (naive) sample dates, not derived from the arguments --
    # confirm whether callers rely on real values here.
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = restasset 

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of Company Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") 
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") 
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") 
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") 

    affected_asset = AffectedAsset()
    affected_asset.description = "Database server at hr-data1.example.com" 
    affected_asset.type_ = asset
    
    # A single asset is assigned to the plural property; presumably the
    # library wraps it into a list -- verify.
    breach.affected_assets = affected_asset
    # add the victim
    breach.add_victim (hashPkg)

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(effect)
    breach.impact_assessment = impact


    stix_package.add_incident(breach)
 
    return stix_package
 def from_obj(cls, obj, return_obj=None):
     """Populate a package-header object from its binding object.

     Args:
         obj: binding instance; a falsy value yields ``None``.
         return_obj: instance to fill in; ``cls()`` when omitted.

     Returns:
         The filled instance, or ``None`` when ``obj`` is falsy.
     """
     if not obj:
         return None

     header = return_obj or cls()
     header.package_intent = obj.get_PackageIntent()
     header.description = StructuredText.from_obj(obj.get_Description())
     header.information_source = InformationSource.from_obj(obj.get_InformationSource())
     return header
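def add_information_source_items(reference_item, source_id_item, schema_version_item, incident):
    """Attach an InformationSource built from VERIS metadata to ``incident``.

    Args:
        reference_item: ``;``-separated reference strings, or a falsy value.
        source_id_item: name of the reporting source; when set it becomes the
            source identity and a "veris2stix" tool entry is recorded.
        schema_version_item: VERIS schema version; when set a "VERIS schema"
            tool entry is recorded.
        incident: the Incident whose ``information_source`` is replaced.
    """
    insrc = InformationSource()
    if reference_item:
        # Skip empty segments (e.g. a trailing ';' or ';;') so no blank
        # reference ends up in the output.
        for item in reference_item.split(';'):
            item = item.strip()
            if item:
                insrc.add_reference(item)
    if source_id_item or schema_version_item:
        insrc.tools = ToolInformationList()
    if source_id_item:
        insrc.identity = Identity()
        insrc.identity.name = source_id_item
        tool = ToolInformation()
        tool.name = "veris2stix"
        tool.vendor = "MITRE"
        tool.version = __version__
        insrc.tools.append(tool)
    if schema_version_item:
        tool = ToolInformation()
        tool.name = "VERIS schema"
        tool.vendor = "Verizon"
        tool.version = schema_version_item
        insrc.tools.append(tool)
    incident.information_source = insrc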
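    def from_dict(cls, dict_repr, return_obj=None):
        """Populate an Incident from its dictionary representation.

        Args:
            dict_repr: dict as produced by the matching ``to_dict``; a falsy
                value yields ``None``.
            return_obj: existing instance to populate; ``cls()`` when omitted.

        Returns:
            The populated instance, or ``None`` when ``dict_repr`` is falsy.
        """
        if not dict_repr:
            return None
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id')
        return_obj.idref = dict_repr.get('idref')
        return_obj.timestamp = dict_repr.get('timestamp')
        return_obj.version = dict_repr.get('version', cls._version)
        return_obj.title = dict_repr.get('title')
        return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
        return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
        return_obj.time = Time.from_dict(dict_repr.get('time'))
        return_obj.victims = [Identity.from_dict(x) for x in dict_repr.get('victims', [])]
        return_obj.categories = [IncidentCategory.from_dict(x) for x in dict_repr.get('categories', [])]
        return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(dict_repr.get('attributed_threat_actors'))
        return_obj.related_indicators = RelatedIndicators.from_dict(dict_repr.get('related_indicators'))
        return_obj.related_observables = RelatedObservables.from_dict(dict_repr.get('related_observables'))
        return_obj.related_incidents = RelatedIncidents.from_dict(dict_repr.get('related_incidents'))
        return_obj.intended_effects = [Statement.from_dict(x) for x in dict_repr.get('intended_effects', [])]
        return_obj.leveraged_ttps = LeveragedTTPs.from_dict(dict_repr.get('leveraged_ttps'))
        return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in dict_repr.get('affected_assets', [])]
        # Fixed: previously written to a misspelled attribute
        # ('discovery_methdos'), so parsed discovery methods never reached
        # the real property.
        return_obj.discovery_methods = [DiscoveryMethod.from_dict(x) for x in dict_repr.get('discovery_methods', [])]
        return_obj.reporter = InformationSource.from_dict(dict_repr.get('reporter'))
        return_obj.responders = [InformationSource.from_dict(x) for x in dict_repr.get('responders', [])]
        return_obj.coordinators = [InformationSource.from_dict(x) for x in dict_repr.get('coordinators', [])]
        return_obj.external_ids = [ExternalID.from_dict(x) for x in dict_repr.get('external_ids', [])]
        return_obj.impact_assessment = ImpactAssessment.from_dict(dict_repr.get('impact_assessment'))
        return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source'))
        return_obj.security_compromise = SecurityCompromise.from_dict(dict_repr.get('security_compromise'))
        return_obj.confidence = Confidence.from_dict(dict_repr.get('confidence'))
        return_obj.coa_taken = [COATaken.from_dict(x) for x in dict_repr.get('coa_taken', [])]
        return_obj.status = VocabString.from_dict(dict_repr.get('status'))
        # Fixed: handling was parsed with Marking.from_obj, which expects a
        # binding object rather than a dict. Use from_dict like every other
        # field here so data markings (e.g. TLP) survive a dict round-trip.
        return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
        return_obj.history = History.from_dict(dict_repr.get('history'))

        return return_obj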
    def from_dict(cls, d, return_obj=None):
        """Populate a sighting-style object from its dictionary form.

        Args:
            d: dictionary representation; a falsy value yields ``None``.
            return_obj: instance to populate; a new ``cls()`` if ``None``.

        Returns:
            The populated instance, or ``None`` when ``d`` is falsy.
        """
        if not d:
            return None

        sighting = cls() if return_obj is None else return_obj

        sighting.timestamp = d.get('timestamp')
        sighting.timestamp_precision = d.get('timestamp_precision')
        sighting.source = InformationSource.from_dict(d.get('source'))
        sighting.reference = d.get('reference')
        sighting.confidence = Confidence.from_dict(d.get('confidence'))
        sighting.description = StructuredText.from_dict(d.get('description'))
        sighting.related_observables = RelatedObservables.from_dict(
            d.get('related_observables'))

        return sighting
def _observable_to_indicator_stix(observable):
    """Wrap a CybOX Observable in a STIX Indicator.

    The indicator's producer records only this conversion tool (name and
    version); no identity or time is attached. The observable is added as-is.

    Args:
        observable: Observable object to attach to the new indicator.

    Returns:
        The Indicator holding ``observable``.
    """
    # Producer = just the converting tool, so consumers can see the
    # indicator was machine-generated from an OpenIOC file.
    converter = ToolInformation(tool_name='OpenIOC to STIX Utility')
    converter.version = version.__version__
    producer = InformationSource()
    producer.tools = ToolInformationList(converter)

    indicator = Indicator(title="CybOX-represented Indicator Created from OpenIOC File")
    indicator.producer = producer
    indicator.add_observable(observable)
    return indicator
    def from_obj(cls, obj, return_obj=None):
        """Build a marking specification from its binding object.

        Copies id/idref/version, the Controlled_Structure expression, the
        Marking_Structure list and the Information_Source. The controlled
        structure (an XPath in STIX data markings) is taken verbatim; nothing
        here checks that it is well-formed or scopes what the producer meant.

        Args:
            obj: binding instance; a falsy value yields ``None``.
            return_obj: instance to populate; ``cls()`` when omitted.

        Returns:
            The populated instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None

        spec = return_obj if return_obj else cls()
        spec.id_ = obj.id
        spec.idref = obj.idref
        spec.version = obj.version
        spec.controlled_structure = obj.Controlled_Structure
        spec.marking_structures = _MarkingStructures.from_obj(obj.Marking_Structure)
        spec.information_source = InformationSource.from_obj(obj.Information_Source)
        return spec
    def from_dict(cls, dict_repr, return_obj=None):
        """Populate a ThreatActor from its dictionary representation.

        Args:
            dict_repr: dict as produced by ``to_dict``; falsy yields ``None``.
            return_obj: existing instance to fill; ``cls()`` when omitted.

        Returns:
            The filled instance, or ``None`` when ``dict_repr`` is falsy.
        """
        if not dict_repr:
            return None

        actor = return_obj or cls()
        get = dict_repr.get

        actor.id_ = get('id')
        actor.idref = get('idref')
        actor.timestamp = get('timestamp')
        actor.version = get('version')
        actor.title = get('title')
        actor.description = StructuredText.from_dict(get('description'))
        actor.short_description = StructuredText.from_dict(get('short_description'))
        actor.identity = Identity.from_dict(get('identity'))

        # Repeated statement-valued fields: a missing key means an empty list.
        actor.types = list(map(Statement.from_dict, get('types', [])))
        actor.motivations = list(map(Statement.from_dict, get('motivations', [])))
        actor.sophistications = list(map(Statement.from_dict, get('sophistications', [])))
        actor.intended_effects = list(map(Statement.from_dict, get('intended_effects', [])))
        actor.planning_and_operational_supports = list(
            map(Statement.from_dict, get('planning_and_operational_supports', [])))

        actor.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
        actor.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
        actor.associated_actors = AssociatedActors.from_dict(get('associated_actors'))
        # Handling markings are copied through unchanged.
        actor.handling = Marking.from_dict(get('handling'))
        actor.confidence = Confidence.from_dict(get('confidence'))
        actor.information_source = InformationSource.from_dict(get('information_source'))
        actor.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))

        return actor
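 def from_obj(cls, obj, return_obj=None):
     """Populate a sighting-style object from its binding object.

     Args:
         obj: binding instance; a falsy value yields ``None``.
         return_obj: instance to populate; a new ``cls()`` if ``None``.

     Returns:
         The populated instance, or ``None`` when ``obj`` is falsy.
     """
     if not obj:
         return None
     if return_obj is None:
         return_obj = cls()

     return_obj.timestamp = obj.get_timestamp()
     return_obj.timestamp_precision = obj.get_timestamp_precision()
     return_obj.source = InformationSource.from_obj(obj.get_Source())
     # Fixed typo: the value used to be stored under 'refernce', so the real
     # 'reference' attribute (as used by from_dict) was never set on parse.
     return_obj.reference = obj.get_Reference()
     return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
     return_obj.description = StructuredText.from_obj(obj.get_Description())
     return_obj.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
     return return_obj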
    def from_obj(cls, obj, return_obj=None):
        """Populate a report header from its binding object.

        Args:
            obj: binding instance; a falsy value yields ``None``.
            return_obj: instance to fill in; ``cls()`` when omitted.

        Returns:
            The filled instance, or ``None`` when ``obj`` is falsy.
        """
        if not obj:
            return None

        header = return_obj or cls()
        header.title = obj.Title
        header.descriptions = StructuredTextList.from_obj(obj.Description)
        header.short_descriptions = StructuredTextList.from_obj(obj.Short_Description)
        # Handling markings are carried over as-is; no validation here.
        header.handling = Marking.from_obj(obj.Handling)
        header.information_source = InformationSource.from_obj(obj.Information_Source)
        header.intents = _ReportIntents.from_obj(obj.Intent)
        return header