def _get_threat_actor_object(value,
description=None,
crowd_strike_motivations=[]):
# 攻撃者情報作成
organisation_name = OrganisationName(value)
party_name = PartyName()
party_name.add_organisation_name(organisation_name)
identity_specification = STIXCIQIdentity3_0()
identity_specification.party_name = party_name
identity = CIQIdentity3_0Instance()
# ThreatActor
ta = ThreatActor()
ta.identity = identity
ta.identity.specification = identity_specification
# Title に抽出した Threat Actor 名前
ta.title = value
ta.description = description
ta.short_description = description
ta.identity = identity
# motivations 作成
for crowd_strike_motivation in crowd_strike_motivations:
ta_motivation = Statement(crowd_strike_motivation['value'])
# motivation 追加
ta.add_motivation(ta_motivation)
return ta
def convert_identity(ident20):
if ("sectors" in ident20 or "contact_information" in ident20
or "labels" in ident20 or "identity_class" in ident20
or "description" in ident20):
ident1x = CIQIdentity3_0Instance()
id1x = convert_id20(ident20["id"])
ident1x.id_ = id1x
if ident20["identity_class"] != "organization":
ident1x.name = ident20["name"]
if "labels" in ident20:
ident1x.roles = ident20["labels"]
if ("sectors" in ident20 or "contact_information" in ident20
or "identity_class" in ident20 or "description" in ident20):
ident1x.specification = STIXCIQIdentity3_0()
if ident20["identity_class"] == "organization":
party_name = PartyName()
party_name.add_organisation_name(text_type(ident20["name"]))
ident1x.specification.party_name = party_name
if "sectors" in ident20:
first = True
for s in ident20["sectors"]:
if first:
ident1x.specification.organisation_info = \
OrganisationInfo(text_type(convert_open_vocabs_to_controlled_vocabs(s, SECTORS_MAP, False)[0]))
first = False
else:
warn(
"%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
401, "Identity", "sectors", s)
# Identity in 1.x has no description property, use free-text-lines
if "identity_class" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "identity_class",
ident20["identity_class"])
# Because there is format defined in the specification for this property, it is difficult to
# determine how to convert the information probably found within it to the CIQ fields, so it will be put
# in the free_text_lines
if "contact_information" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "contact_information",
ident20["contact_information"])
if "description" in ident20:
add_missing_property_to_free_text_lines(
ident1x.specification, "description",
ident20["description"])
else:
ident1x = Identity(id_=convert_id20(ident20["id"]),
name=ident20["name"])
if "object_marking_refs" in ident20:
for m_id in ident20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(ident1x, ms, descendants=True)
if "granular_markings" in ident20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, ident20["id"])
return ident1x
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
"""
This utility functions aids in the creation of an AIS marking and appends
it to the provided STIX package.
Args:
stix_package: A stix.core.STIXPackage object.
proprietary: True if marking uses IsProprietary, False for
NotProprietary.
consent: A string with one of the following values: "EVERYONE", "NONE"
or "USG".
color: A string that corresponds to TLP values: "WHITE", "GREEN" or
"AMBER".
**kwargs: Six required keyword arguments that are used to create a CIQ
identity object. These are: country_name_code,
country_name_code_type, admin_area_name_code,
admin_area_name_code_type, organisation_name, industry_type.
Raises:
ValueError: When keyword arguments are missing. User did not supply
correct values for: proprietary, color and consent.
Note:
The following line is required to register the AIS extension::
>>> import stix.extensions.marking.ais
Any Markings under STIX Header will be removed. Please follow the
guidelines for `AIS`_.
The industry_type keyword argument accepts: a list of string based on
defined sectors, a pipe-delimited string of sectors, or a single
sector.
.. _AIS:
https://www.us-cert.gov/ais
"""
from stix.common import InformationSource
from stix.extensions.identity.ciq_identity_3_0 import (
CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
Country, NameElement, OrganisationInfo, AdministrativeArea)
from stix.core.stix_header import STIXHeader
from stix.data_marking import MarkingSpecification, Marking
args = ('country_name_code', 'country_name_code_type', 'industry_type',
'admin_area_name_code', 'admin_area_name_code_type',
'organisation_name')
diff = set(args) - set(kwargs.keys())
if diff:
msg = 'All keyword arguments must be provided. Missing: {0}'
raise ValueError(msg.format(tuple(diff)))
party_name = PartyName()
party_name.add_organisation_name(kwargs['organisation_name'])
country = Country()
country_name = NameElement()
country_name.name_code = kwargs['country_name_code']
country_name.name_code_type = kwargs['country_name_code_type']
country.add_name_element(country_name)
admin_area = AdministrativeArea()
admin_area_name = NameElement()
admin_area_name.name_code = kwargs['admin_area_name_code']
admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
admin_area.add_name_element(admin_area_name)
address = Address()
address.country = country
address.administrative_area = admin_area
org_info = OrganisationInfo()
org_info.industry_type = _validate_and_create_industry_type(
kwargs['industry_type'])
id_spec = STIXCIQIdentity3_0()
id_spec.party_name = party_name
id_spec.add_address(address)
id_spec.organisation_info = org_info
identity = CIQIdentity3_0Instance()
identity.specification = id_spec
if proprietary is True:
proprietary_obj = IsProprietary()
consent = 'EVERYONE'
elif proprietary is False:
proprietary_obj = NotProprietary()
else:
raise ValueError('proprietary expected True or False.')
proprietary_obj.ais_consent = AISConsentType(consent=consent)
proprietary_obj.tlp_marking = TLPMarkingType(color=color)
ais_marking = AISMarkingStructure()
if isinstance(proprietary_obj, IsProprietary):
ais_marking.is_proprietary = proprietary_obj
else:
ais_marking.not_proprietary = proprietary_obj
marking_spec = MarkingSpecification()
marking_spec.controlled_structure = '//node() | //@*'
marking_spec.marking_structures.append(ais_marking)
marking_spec.information_source = InformationSource()
marking_spec.information_source.identity = identity
if not stix_package.stix_header:
stix_package.stix_header = STIXHeader()
# Removes any other Markings if present.
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking_spec)
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
"""
This utility functions aids in the creation of an AIS marking and appends
it to the provided STIX package.
Args:
stix_package: A stix.core.STIXPackage object.
proprietary: True if marking uses IsProprietary, False for
NotProprietary.
consent: A string with one of the following values: "EVERYONE", "NONE"
or "USG".
color: A string that corresponds to TLP values: "WHITE", "GREEN" or
"AMBER".
**kwargs: Six required keyword arguments that are used to create a CIQ
identity object. These are: country_name_code,
country_name_code_type, admin_area_name_code,
admin_area_name_code_type, organisation_name, industry_type.
Raises:
ValueError: When keyword arguments are missing. User did not supply
correct values for: proprietary, color and consent.
Note:
The following line is required to register the AIS extension::
>>> import stix.extensions.marking.ais
Any Markings under STIX Header will be removed. Please follow the
guidelines for `AIS`_.
The industry_type keyword argument accepts: a list of string based on
defined sectors, a pipe-delimited string of sectors, or a single
sector.
.. _AIS:
https://www.us-cert.gov/ais
"""
from stix.common import InformationSource
from stix.extensions.identity.ciq_identity_3_0 import (
CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
Country, NameElement, OrganisationInfo, AdministrativeArea)
from stix.core.stix_header import STIXHeader
from stix.data_marking import MarkingSpecification, Marking
args = ('country_name_code', 'country_name_code_type', 'industry_type',
'admin_area_name_code', 'admin_area_name_code_type',
'organisation_name')
diff = set(args) - set(kwargs.keys())
if diff:
msg = 'All keyword arguments must be provided. Missing: {0}'
raise ValueError(msg.format(tuple(diff)))
party_name = PartyName()
party_name.add_organisation_name(kwargs['organisation_name'])
country = Country()
country_name = NameElement()
country_name.name_code = kwargs['country_name_code']
country_name.name_code_type = kwargs['country_name_code_type']
country.add_name_element(country_name)
admin_area = AdministrativeArea()
admin_area_name = NameElement()
admin_area_name.name_code = kwargs['admin_area_name_code']
admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
admin_area.add_name_element(admin_area_name)
address = Address()
address.country = country
address.administrative_area = admin_area
org_info = OrganisationInfo()
org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type'])
id_spec = STIXCIQIdentity3_0()
id_spec.party_name = party_name
id_spec.add_address(address)
id_spec.organisation_info = org_info
identity = CIQIdentity3_0Instance()
identity.specification = id_spec
if proprietary is True:
proprietary_obj = IsProprietary()
consent = 'EVERYONE'
elif proprietary is False:
proprietary_obj = NotProprietary()
else:
raise ValueError('proprietary expected True or False.')
proprietary_obj.ais_consent = AISConsentType(consent=consent)
proprietary_obj.tlp_marking = TLPMarkingType(color=color)
ais_marking = AISMarkingStructure()
if isinstance(proprietary_obj, IsProprietary):
ais_marking.is_proprietary = proprietary_obj
else:
ais_marking.not_proprietary = proprietary_obj
marking_spec = MarkingSpecification()
marking_spec.controlled_structure = '//node() | //@*'
marking_spec.marking_structures.append(ais_marking)
marking_spec.information_source = InformationSource()
marking_spec.information_source.identity = identity
if not stix_package.stix_header:
stix_package.stix_header = STIXHeader()
# Removes any other Markings if present.
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking_spec)
# identity.name = 'Bob Ricca'
identity_spec = STIXCIQIdentity3_0()
identity_spec.add_address(Address(country='Germany'))
identity_spec.add_address(Address(country='United States'))
identity_spec.add_language('German')
identity_spec.add_language('English')
identity_spec.add_nationality('American')
identity_spec.add_contact_number('727-867-5309')
identity_spec.add_electronic_address_identifier('bricca')
identity_spec.add_electronic_address_identifier(
ElectronicAddressIdentifier(value='*****@*****.**', type_='Email'))
party_name = PartyName()
party_name.add_person_name('Bob Ricca')
party_name.add_person_name('Robert Ricca')
party_name.add_organisation_name('ThreatQuotient')
identity_spec.party_name = party_name
organization = OrganisationInfo(industry_type='Cybersecurity')
identity_spec.organisation_info = organization
identity.specification = identity_spec
victim_targeting.identity = identity
domain2 = DomainName()
domain2.value = 'www.bobricca.com'
observable2 = Observable(domain2)
victim_targeting.targeted_technical_details = Observables(
Observable(idref=observable2.id_))
ttp2.victim_targeting = victim_targeting
ttp2.related_ttps.append(related_ttp)
# Related TTP (Exploit; by id)
