def main():
data = json.load(open("data.json"))
stix_package = STIXPackage(stix_header=STIXHeader(
title=data['title'], package_intents='Incident'))
ttps = {}
for info in data['ips']:
if info['bot'] not in ttps:
ttps[info['bot']] = TTP(title=info['bot'])
stix_package.add_ttp(ttps[info['bot']])
incident = Incident(title=info['ip'])
incident.time = Time()
incident.time.first_malicious_action = info['first_seen']
addr = Address(address_value=info['ip'], category=Address.CAT_IPV4)
observable = Observable(item=addr)
stix_package.add_observable(observable)
related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_),
relationship="Used Malware")
incident.leveraged_ttps.append(related_ttp)
related_observable = RelatedObservable(
Observable(idref=observable.id_))
incident.related_observables.append(related_observable)
stix_package.add_incident(incident)
print(stix_package.to_xml(encoding=None))
def generate_stix_objects(self):
incident_id = "{}:incident-{}".format(namespace[1], self.misp_event.uuid)
incident = Incident(id_=incident_id, title=self.misp_event.info)
self.set_dates(incident, self.misp_event.date, self.misp_event.publish_timestamp)
threat_level_name = threat_level_mapping.get(str(self.misp_event.threat_level_id), None)
if threat_level_name:
threat_level_s = "Event Threat Level: {}".format(threat_level_name)
self.add_journal_entry(incident, threat_level_s)
Tags = {}
event_tags = self.misp_event.Tag
if event_tags:
Tags['event'] = event_tags
self.set_tag(incident, event_tags)
external_id = ExternalID(value=str(self.misp_event.id), source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(str(self.misp_event.analysis), None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
self.set_tlp(incident, self.misp_event.distribution, event_tags)
self.set_src(incident, self.misp_event.Org.get('name'))
self.orgc_name = self.misp_event.Orgc.get('name')
self.set_rep(incident)
self.ttps = []
self.resolve_attributes(incident, self.misp_event.attributes, Tags)
self.resolve_objects(incident, Tags)
self.add_related_indicators(incident)
return incident
def main():
data = json.load(open("data.json"))
stix_package = STIXPackage(stix_header=STIXHeader(title=data['title'], package_intents='Incident'))
ttps = {}
for info in data['ips']:
if info['bot'] not in ttps:
ttps[info['bot']] = TTP(title=info['bot'])
stix_package.add_ttp(ttps[info['bot']])
incident = Incident(title=info['ip'])
incident.time = Time()
incident.time.first_malicious_action = info['first_seen']
addr = Address(address_value=info['ip'], category=Address.CAT_IPV4)
observable = Observable(item=addr)
stix_package.add_observable(observable)
related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware")
incident.leveraged_ttps.append(related_ttp)
related_observable = RelatedObservable(Observable(idref=observable.id_))
incident.related_observables.append(related_observable)
stix_package.add_incident(incident)
print(stix_package.to_xml(encoding=None))
def main():
pkg = STIXPackage()
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = "Database"
affected_asset.type_.count_affected = 1
affected_asset.business_function_or_role = "Hosts the database for example.com"
affected_asset.ownership_class = "Internally-Owned"
affected_asset.management_class = "Internally-Managed"
affected_asset.location_class = "Internally-Located"
property_affected = PropertyAffected()
property_affected.property_ = "Confidentiality"
property_affected.description_of_effect = "Data was exfiltrated, has not been determined which data or how."
property_affected.non_public_data_compromised = "Yes"
property_affected.non_public_data_compromised.data_encrypted = False
security_effect_nature = NatureOfSecurityEffect()
security_effect_nature.append(property_affected)
affected_asset.nature_of_security_effect = security_effect_nature
affected_assets = AffectedAssets()
affected_assets.append(affected_asset)
incident = Incident(title="Exfiltration from hr-data1.example.com")
incident.affected_assets = affected_assets
pkg.add_incident(incident)
print(pkg.to_xml(encoding=None))
def test_incident(self):
i = Incident()
i.title = UNICODE_STR
i.description = UNICODE_STR
i.short_description = UNICODE_STR
i2 = round_trip(i)
self._test_equal(i, i2)
def test_incident(self):
i = Incident()
i.title = UNICODE_STR
i.description = UNICODE_STR
i.short_description = UNICODE_STR
i2 = round_trip(i)
self._test_equal(i, i2)
def generateSTIXObjects(event):
incident = Incident(id_=namespace[1] + ":incident-" +
event["Event"]["uuid"],
title=event["Event"]["info"])
setDates(incident, event["Event"]["date"],
int(event["Event"]["publish_timestamp"]))
threat_level_name = threat_level_mapping.get(
event["Event"]["threat_level_id"], None)
if threat_level_name:
addJournalEntry(incident, "Event Threat Level: " + threat_level_name)
ttps = []
eventTags = event["Event"].get("Tag", [])
external_id = ExternalID(value=event["Event"]["id"], source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(event["Event"]["analysis"], None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
setTLP(incident, event["Event"]["distribution"], eventTags)
setSrc(incident, event["Event"]["Org"]["name"])
orgc_name = event["Event"]["Orgc"]["name"]
setRep(incident, orgc_name)
setTag(incident, eventTags)
resolveAttributes(incident, ttps, event["Event"]["Attribute"], eventTags,
orgc_name)
resolveObjects(incident, ttps, event["Event"]["Object"], eventTags,
orgc_name)
return [incident, ttps]
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value=confid
breach._binding_class.xml_type = typeIncident
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset # "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
#impact = ImpactAssessment()
#impact.add_effect("Unintended Access")
#breach.impact_assessment = impact
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
#print("asset type: %s"%(breach.affected_assets[0].type_))
# add the victim
breach.add_victim (hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
#print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents)))
# Print the XML!
#print(stix_package.to_xml())
return stix_package
def add_related_incidents_item(related_incidents_item, incident):
# assuming only one id
rIncident = Incident()
externalID = ExternalID()
externalID.value = related_incidents_item
externalID.source = "VERIS"
rIncident.add_external_id(externalID)
incident.related_incidents.append(rIncident)
def generateSTIXObjects(event):
incident = Incident(id_ = namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"])
setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"]))
addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])
ttps = []
external_id = ExternalID(value=event["Event"]["id"], source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(event["Event"]["analysis"], None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
setTLP(incident, event["Event"]["distribution"])
setOrg(incident, event["Event"]["org"])
resolveAttributes(incident, ttps, event["Attribute"])
return [incident, ttps]
def generateSTIXObjects(event):
incident = Incident(id_=namespace[1] + ":incident-" + event["Event"]["uuid"], title=event["Event"]["info"])
setDates(incident, event["Event"]["date"], int(event["Event"]["publish_timestamp"]))
addJournalEntry(incident, "Event Threat Level: " + event["ThreatLevel"]["name"])
ttps = []
external_id = ExternalID(value=event["Event"]["id"], source="MISP Event")
incident.add_external_id(external_id)
incident_status_name = status_mapping.get(event["Event"]["analysis"], None)
if incident_status_name is not None:
incident.status = IncidentStatus(incident_status_name)
setTLP(incident, event["Event"]["distribution"])
setOrg(incident, event["Event"]["org"])
resolveAttributes(incident, ttps, event["Attribute"])
return [incident, ttps]
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
if obj.version:
return_obj.version = obj.version
if obj.Campaigns:
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
if obj.Courses_Of_Action:
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
if obj.Exploit_Targets:
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
if obj.Indicators:
return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
if obj.Observables:
return_obj.observables = Observables.from_obj(obj.Observables)
if obj.Incidents:
return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
if obj.Threat_Actors:
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
if obj.TTPs:
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
if obj.get_Indicators():
return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
if obj.get_Threat_Actors():
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
def main():
pkg = STIXPackage()
file_object1 = File()
file_object1.file_name = "readme.doc.exe"
file_object1.size_in_bytes = 40891
file_object1.add_hash(
Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
))
observable1 = Observable(file_object1)
file_object2 = File()
file_object2.file_name = "readme.doc.exe"
file_object2.size_in_bytes = 40891
file_object2.add_hash(
Hash("d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"
))
observable2 = Observable(file_object2)
incident = Incident(title="Malicious files detected")
related_observable1 = RelatedObservable(
observable1, relationship="Malicious Artifact Detected")
related_observable2 = RelatedObservable(
observable2, relationship="Malicious Artifact Detected")
incident.related_observables.append(related_observable1)
incident.related_observables.append(related_observable2)
pkg.add_incident(incident)
print(pkg.to_xml(encoding=None))
def resolveObjects(incident, ttps, objects, eventTags, org):
for obj in objects:
tmp_incident = Incident()
resolveAttributes(tmp_incident, ttps, obj["Attribute"], eventTags, org)
indicator = Indicator(
timestamp=getDateFromTimestamp(int(obj["timestamp"])))
indicator.id_ = namespace[1] + ":MispObject-" + obj["uuid"]
setProd(indicator, org)
if obj["comment"] != "":
indicator.description = obj["comment"]
tlpTags = eventTags
for attr in obj["Attribute"]:
tlpTags = mergeTags(tlpTags, attr)
setTLP(indicator, obj["distribution"], tlpTags, True)
indicator.title = obj["name"] + " (MISP Object #" + obj["id"] + ")"
indicator.description = indicator.title
indicator.add_indicator_type("Malware Artifacts")
indicator.add_valid_time_position(ValidTime())
indicator.observable_composition_operator = "AND"
for rindicator in tmp_incident.related_indicators:
if rindicator.item.observable:
indicator.add_observable(rindicator.item.observable)
relatedIndicator = RelatedIndicator(indicator,
relationship=obj["meta-category"])
incident.related_indicators.append(relatedIndicator)
def build_stix():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Unintended Access")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "CyberTech Dynamics"
breach.add_victim(victim)
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Financial Loss")
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def to_stix_incident(obj):
"""
Creates a STIX Incident object from a CRITs Event.
Returns the STIX Incident and the original CRITs Event's
releasability list.
"""
from stix.incident import Incident
inc = Incident(title=obj.title, description=obj.description)
return (inc, obj.releasability)
def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.incident import Incident
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information(
"Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
attrib = Attribution()
attrib.append(actor)
c = Campaign()
c.attribution = []
c.attribution.append(attrib)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
c.related_incidents.append(
Incident(
idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
c.related_incidents.append(
Incident(
idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
c.related_incidents.append(
Incident(
idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))
pkg = STIXPackage()
pkg.add_campaign(c)
print(pkg.to_xml(encoding=None))
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(
obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [
Campaign.from_obj(x)
for x in obj.get_Campaigns().get_Campaign()
]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [
CourseOfAction.from_obj(x)
for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [
ExploitTarget.from_obj(x)
for x in obj.get_Exploit_Targets().get_Exploit_Target()
]
if obj.get_Indicators():
return_obj.indicators = [
Indicator.from_obj(x)
for x in obj.get_Indicators().get_Indicator()
]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(
obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [
Incident.from_obj(x)
for x in obj.get_Incidents().get_Incident()
]
if obj.get_Threat_Actors():
return_obj.threat_actors = [
ThreatActor.from_obj(x)
for x in obj.get_Threat_Actors().get_Threat_Actor()
]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
def build_stix( ):
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Sample breach report"
stix_header.add_package_intent ("Incident")
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# incident time is a complex object with support for a bunch of different "when stuff happened" items
breach.time = incidentTime()
breach.title = "Breach of Canary Corp"
breach.time.incident_discovery = datetime.strptime("2013-01-13", "%Y-%m-%d") # when they submitted it
# add the impact
impact = ImpactAssessment()
impact.add_effect("Financial Loss")
breach.impact_assessment = impact
# add the victim
breach.add_victim ("Canary Corp")
stix_package.add_incident(breach)
return stix_package
def test_embedded_component_direct_marking(self):
"""Test that embedded STIX components can be directly marked"""
container = stixmarx.new()
package = container.package
red_marking = generate_marking_spec(generate_red_marking_struct())
incident = Incident(title="Test")
package.add_incident(incident)
indicator = Indicator(title="Test")
incident.related_indicators.append(indicator)
container.add_marking(indicator, red_marking)
self.assertTrue(container.is_marked(indicator, red_marking))
def test_remove_parent_marking_failure(self):
"""Test that inherited parent markings cannot be removed from children"""
container = stixmarx.new()
package = container.package
red_marking = generate_marking_spec(generate_red_marking_struct())
incident = Incident(title="Test")
package.add_incident(incident)
indicator = Indicator(title="Test")
incident.related_indicators.append(indicator)
container.add_marking(incident, red_marking, descendants=True)
self.assertTrue(container.is_marked(incident, red_marking))
self.assertTrue(container.is_marked(indicator, red_marking))
self.assertRaises(errors.MarkingRemovalError, container.remove_marking,
indicator, red_marking, True)
def test_embedded_marking_removal(self):
"""Test that markings can be removed"""
container = stixmarx.new()
package = container.package
red_marking = generate_marking_spec(generate_red_marking_struct())
incident = Incident(title="Test")
package.add_incident(incident)
indicator = Indicator(title="Test")
incident.related_indicators.append(indicator)
container.add_marking(indicator, red_marking)
self.assertTrue(container.is_marked(indicator, red_marking))
container.remove_marking(indicator, red_marking)
self.assertFalse(container.is_marked(indicator, red_marking))
def test_embedded_component_marking(self):
"""Test that embedded STIX components are marked according to their parent TLO and global markings"""
container = stixmarx.new()
package = container.package
red_marking = generate_marking_spec(generate_red_marking_struct())
amber_marking = generate_marking_spec(generate_amber_marking_struct())
incident = Incident(title="Test")
package.add_incident(incident)
indicator = Indicator(title="Test")
incident.related_indicators.append(indicator)
container.add_marking(incident, red_marking, descendants=True)
container.add_global(amber_marking)
self.assertTrue(container.is_marked(indicator, red_marking))
self.assertTrue(container.is_marked(indicator, amber_marking))
def build_stix( ):
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Sample breach report"
stix_header.add_package_intent ("Incident")
# stamp with creator
stix_header.information_source = InformationSource()
stix_header.information_source.description = "The person who reported it"
stix_header.information_source.identity = Identity()
stix_header.information_source.identity.name = "Infosec Operations Team"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of Cyber Tech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.add_effect("Unintended Access")
breach.impact_assessment = impact
# add the victim
breach.add_victim ("Cyber Tech Dynamics")
stix_package.add_incident(breach)
return stix_package
def main():
malware = MalwareInstance()
malware.add_name("Poison Ivy")
malware.add_type("Remote Access Trojan")
ttp = TTP(title="Poison Ivy")
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware)
incident = Incident(
title="Detected Poison Ivy beaconing through perimeter firewalls")
related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware")
incident.leveraged_ttps.append(related_ttp)
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
stix_package.add_incident(incident)
print(stix_package.to_xml(encoding=None))
def json2incident(config, src, dest, endpoint, json_, crits_id):
'''transform crits events into stix incidents with related indicators'''
try:
set_id_method(IDGenerator.METHOD_UUID)
xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
if endpoint == 'events':
endpoint_trans = {'Email': 'emails', 'IP': 'ips',
'Sample': 'samples', 'Domain': 'domains',
'Indicator': 'indicators'}
status_trans = {'New': 'New', 'In Progress': 'Open',
'Analyzed': 'Closed', 'Deprecated': 'Rejected'}
incident_ = Incident()
incident_.id = xmlns_name + ':incident-' + crits_id
incident_.id_ = incident_.id
incident_.title = json_['title']
incident_.description = json_['description']
incident_.status = status_trans[json_['status']]
# incident_.confidence = json_['confidence']['rating'].capitalize()
for r in json_['relationships']:
if r.get('relationship', None) not in ['Contains', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type='event relationship type '
+ r.get('relationship', 'None'), id_=crits_id))
continue
if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
related_observable = RelatedObservable(Observable(idref=xmlns_name + ':observable-' + r['value']))
incident_.related_observables.append(related_observable)
elif r['type'] == 'Indicator':
related_indicator = RelatedIndicator(Indicator(idref=xmlns_name + ':indicator-' + r['value']))
incident_.related_indicators.append(related_indicator)
elif r['type'] == 'Event':
related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value']))
incident_.related_incidents.append(related_incident)
return(incident_)
else:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type=endpoint, id_=crits_id))
return(None)
except:
e = sys.exc_info()[0]
config['logger'].error(log.log_messages['obj_convert_error'].format(
src_type='crits', src_obj='event', id_=crits_id,
dest_type='stix', dest_obj='incident'))
config['logger'].exception(e)
return(None)
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref = dict_repr.get('idref', None)
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None))
return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
def resolve_objects(self, incident, tags):
for misp_object in self.misp_event.objects:
tlp_tags = None
tmp_incident = Incident()
tlp_tags = deepcopy(tags)
self.resolve_attributes(tmp_incident, misp_object.attributes, tags)
indicator = Indicator(timestamp=self.get_date_from_timestamp(int(misp_object.timestamp)))
indicator.id_ = "{}:MispObject-{}".format(namespace[1], misp_object.uuid)
self.set_prod(indicator, self.orgc_name)
for attribute in misp_object.attributes:
tlp_tags = self.merge_tags(tlp_tags, attribute)
self.set_tlp(indicator, misp_object.distribution, tlp_tags)
title = "{} (MISP Object #{})".format(misp_object.name, misp_object.id)
indicator.title = title
indicator.description = misp_object.comment if misp_object.comment else title
indicator.add_indicator_type("Malware Artifacts")
indicator.add_valid_time_position(ValidTime())
indicator.observable_composition_operator = "AND"
for rindicator in tmp_incident.related_indicators:
if rindicator.item.observable:
indicator.add_observable(rindicator.item.observable)
relatedIndicator = RelatedIndicator(indicator, relationship=misp_object['meta-category'])
incident.related_indicators.append(relatedIndicator)
def test_marking_round_trip(self):
"""Test that get_markings() yields the same number of results after
calling to_xml()."""
container = stixmarx.new()
package = container.package
red_marking = generate_marking_spec(generate_red_marking_struct())
amber_marking = generate_marking_spec(generate_amber_marking_struct())
incident = Incident(title="Test Incident")
package.add_incident(incident)
indicator = Indicator(idref="example:Indicator-test-1234")
incident.related_indicators.append(indicator)
container.add_marking(incident, red_marking, descendants=True)
container.add_global(amber_marking)
self.assertTrue(container.is_marked(indicator, red_marking))
self.assertTrue(container.is_marked(indicator, amber_marking))
markings = container.get_markings(indicator)
self.assertEqual(len(markings), 2)
xml = container.to_xml()
sio = StringIO(xml.decode("utf-8"))
new_xml_container = stixmarx.parse(sio)
parsed_indicator = new_xml_container.package.incidents[
0].related_indicators[0]
parsed_markings = new_xml_container.get_markings(parsed_indicator)
for x in parsed_markings:
print(x.to_dict())
self.assertEqual(len(parsed_markings), 2)
def convert_file(ifn, ofn, vcdb):
global cve_info
global targets_item
cve_info = []
targets_item = None
with open(ifn) as json_data:
veris_item = json.load(json_data)
json_data.close()
schema_version_item = veris_item.get("schema_version")
if not schema_version_item:
error("The 'schema_version' item is required")
elif not (schema_version_item == "1.3" or schema_version_item == "1.3.0"):
error("This converter is for VERIS schema version 1.3. This file has schema version " + schema_version_item)
return
pkg = STIXPackage()
action_item = veris_item.get('action')
if not action_item:
error("The 'action' item is required")
else:
add_action_item(action_item, pkg)
add_cve_info(pkg)
actor_item = veris_item.get('actor')
if not actor_item:
error("The 'actor' item is required")
else:
add_actor_item(actor_item, pkg)
incident = Incident()
pkg.add_incident(incident)
asset_item = veris_item.get('asset')
if not asset_item:
error("The 'asset' item is required")
else:
attribute_item = veris_item.get('attribute')
add_asset_item(asset_item, attribute_item, incident)
# added as 1.3
campaign_id_item = veris_item.get('campaign_id')
if campaign_id_item:
add_campaign_item(campaign_id_item, pkg)
confidence_item = veris_item.get('confidence')
if confidence_item:
add_confidence_item(confidence_item, incident)
#control_failure - not found in data
if veris_item.get('control_failure'):
warn("'control_failure' item not handled, yet")
corrective_action_item = veris_item.get('corrective_action')
cost_corrective_action_item = veris_item.get('cost_corrective_action')
if corrective_action_item or cost_corrective_action_item:
add_coa_items(corrective_action_item, cost_corrective_action_item, pkg)
discovery_method_item = veris_item.get('discovery_method')
if not discovery_method_item:
error("The 'discovery_method' item is required")
else:
incident.add_discovery_method(map_discovey_method(discovery_method_item))
discovery_notes_item = veris_item.get('discovery_notes')
if discovery_notes_item:
warn("'discovery_notes' item not handled yet")
impact_item = veris_item.get('impact')
if impact_item:
add_impact_item(impact_item, incident)
incident_id_item = veris_item.get('incident_id')
if not incident_id_item:
error("The 'incident_id' item is required")
else:
external_id = ExternalID()
external_id.value = incident_id_item
external_id.source = "VERIS"
incident.add_external_id(external_id)
notes_item = veris_item.get('notes')
if notes_item:
pkg.stix_header = STIXHeader()
pkg.stix_header.title = "Notes: " + notes_item
# plus item for records from VCDB have some known useful information
if vcdb:
plus_item = veris_item.get('plus')
if plus_item:
add_plus_item(plus_item, incident, pkg)
# removed as of 1.3 - see campaign_id
# related_incidents_item = veris_item.get('related_incidents')
# if related_incidents_item:
# add_related_incidents_item(related_incidents_item, incident)
security_incident_item = veris_item.get('security_incident')
if not security_incident_item:
error("The 'security_incident' item is required")
else:
incident.security_compromise = map_security_incident_item_to_security_compromise(security_incident_item)
reference_item = veris_item.get('reference')
source_id_item = veris_item.get('source_id')
if source_id_item or reference_item:
add_information_source_items(reference_item, source_id_item, schema_version_item, incident)
summary_item = veris_item.get('summary')
if summary_item:
incident.title = summary_item
#targeted_item = veris_item.get('targeted')
#if targeted_item:
timeline_item = veris_item.get('timeline')
if not timeline_item:
error("The 'timeline' item is required")
else:
add_timeline_item(timeline_item, incident)
victim_item = veris_item.get('victim')
if victim_item:
add_victim_item(victim_item, incident)
add_related(pkg)
if not ofn:
stixXML = sys.stdout
else:
stixXML = open(ofn, 'wb')
stixXML.write(pkg.to_xml())
stixXML.close()
def transform(self, event):
self._set_namespace(self.config['contact_domain'], self.config['contact_name'])
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents")
incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(ToolInformation.from_dict({
'name': "Conpot",
'vendor': "Conpot Team",
'version': conpot.__version__,
'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.')
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'})
dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol': 'tcp'})
source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4})
dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4})
source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()})
dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()})
network_connection = NetworkConnection.from_dict(
{'source_socket_address': source_address.to_dict(),
'destination_socket_address': dest_address.to_dict(),
'layer3_protocol': u"IPv4",
'layer4_protocol': u"TCP",
'layer7_protocol': event['data_type'],
'source_tcp_state': u"ESTABLISHED",
'destination_tcp_state': u"ESTABLISHED",
}
)
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
def getSTIXObject():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Parity Wallet Hacked"
breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "https://paritytech.io/blog/security-alert.html"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "parity technologies ltd"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "The Multi-sig Hack"
breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
#breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Estimated Loss of $280m in Ether")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "Cappasity"
breach.add_victim(victim)
victim2 = Identity()
victim2.name = "Who else ?"
breach.add_victim(victim2)
# add Information Sources
infoSource = InformationSource();
infoSource.add_description("https://news.ycombinator.com/item?id=15642856")
infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/")
breach.Information_Source = infoSource;
stix_package.add_incident(breach)
return stix_package
def buildIncident(input_dict):
# add incident and confidence
incident = Incident()
incident.description = input_dict['description']
if input_dict['confidence']:
incident.confidence = input_dict['confidence']
# add incident reporter
incident.reporter = InformationSource()
incident.reporter.description = "Person who reported the incident"
incident.reporter.time = Time()
incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
incident.reporter.identity = Identity()
incident.reporter.identity.name = input_dict['submitter']
# incident time is a complex object with support for a bunch of different "when stuff happened" items
incident.time = incidentTime()
incident.title = "Breach of " + input_dict['organization']
incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
if input_dict['responder']:
incident.responders = input_dict['responder']
if input_dict['coordinator']:
incident.coordinators = input_dict['coordinator']
if input_dict['intent']:
incident.intended_effects = input_dict['intent']
if input_dict['discovery']:
incident.discovery_methods = input_dict['discovery']
if input_dict['status']:
incident.status = input_dict['status']
if input_dict['compromise']:
incident.security_compromise = input_dict['compromise']
# add the impact
impact = ImpactAssessment()
impact.add_effect(input_dict['damage'])
incident.impact_assessment = impact
if input_dict['asset']:
asset = AffectedAsset()
asset.type_ = input_dict['asset']
incident.add_affected_asset (asset)
# add the victim
incident.add_victim (input_dict['organization'])
return incident
def build_stix():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime(
"2014-03-11", "%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30",
"%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10",
"%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime(
"2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Unintended Access")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "CyberTech Dynamics"
breach.add_victim(victim)
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Financial Loss")
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def test_incident_idref_deprecation(self):
package = core.STIXPackage()
package.add(Incident(idref='test-idref-dep'))
def json2incident(config, src, dest, endpoint, json_, crits_id):
'''transform crits events into stix incidents with related indicators'''
try:
set_id_method(IDGenerator.METHOD_UUID)
xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
if endpoint == 'events':
endpoint_trans = {
'Email': 'emails',
'IP': 'ips',
'Sample': 'samples',
'Domain': 'domains',
'Indicator': 'indicators'
}
status_trans = {
'New': 'New',
'In Progress': 'Open',
'Analyzed': 'Closed',
'Deprecated': 'Rejected'
}
incident_ = Incident()
incident_.id = xmlns_name + ':incident-' + crits_id
incident_.id_ = incident_.id
incident_.title = json_['title']
incident_.description = json_['description']
incident_.status = status_trans[json_['status']]
# incident_.confidence = json_['confidence']['rating'].capitalize()
for r in json_['relationships']:
if r.get('relationship',
None) not in ['Contains', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits',
obj_type='event relationship type ' +
r.get('relationship', 'None'),
id_=crits_id))
continue
if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
related_observable = RelatedObservable(
Observable(idref=xmlns_name + ':observable-' +
r['value']))
incident_.related_observables.append(related_observable)
elif r['type'] == 'Indicator':
related_indicator = RelatedIndicator(
Indicator(idref=xmlns_name + ':indicator-' +
r['value']))
incident_.related_indicators.append(related_indicator)
elif r['type'] == 'Event':
related_incident = RelatedIncident(
Incident(idref=xmlns_name + ':incident-' + r['value']))
incident_.related_incidents.append(related_incident)
return (incident_)
else:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type=endpoint, id_=crits_id))
return (None)
except:
e = sys.exc_info()[0]
config['logger'].error(log.log_messages['obj_convert_error'].format(
src_type='crits',
src_obj='event',
id_=crits_id,
dest_type='stix',
dest_obj='incident'))
config['logger'].exception(e)
return (None)
names.name = ['Operation Sparky', 'Operation Dingo']
campaign.names = names
activity = Activity()
activity.description = 'Foo'
campaign.add_activity(activity)
campaign.add_intended_effect(IntendedEffect('Extortion'))
campaign.status = CampaignStatus('Ongoing')
campaign.confidence = HighMediumLow('Medium')
# Related TTP (basic; by id)
ttp = TTP(title="Malware Variant XYZ")
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
campaign.related_ttps.append(related_ttp)
# Related Incident (basic; by id)
incident = Incident(title='We got hacked')
t = Time()
t.incident_opened = '2018-09-11'
incident.time = t
related_incident = RelatedIncident(Incident(idref=incident.id_))
campaign.related_incidents.append(related_incident)
# Related Indicator (by id)
fake = Faker()
indicator = Indicator()
addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4)
indicator.add_observable(addr2)
related_indicator = RelatedIndicator(Indicator(idref=indicator.id_))
campaign.related_indicators.append(related_indicator)
# Related Threat Actor (by id)
def build_stix( input_dict ):
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Incident report for " + input_dict['organization']
stix_header.add_package_intent ("Incident")
# Add handling requirements if needed
if input_dict['sensitive'] == "True":
mark = SimpleMarkingStructure()
mark.statement = "Sensitive"
mark_spec = MarkingSpecification()
mark_spec.marking_structures.append(mark)
stix_header.handling = Marking(mark_spec)
stix_package.stix_header = stix_header
# add incident and confidence
incident = Incident()
incident.description = input_dict['description']
incident.confidence = input_dict['confidence']
# add incident reporter
incident.reporter = InformationSource()
incident.reporter.description = "Person who reported the incident"
incident.reporter.time = Time()
incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
incident.reporter.identity = Identity()
incident.reporter.identity.name = input_dict['submitter']
# incident time is a complex object with support for a bunch of different "when stuff happened" items
incident.time = incidentTime()
incident.title = "Breach of " + input_dict['organization']
incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
# add the impact
impact = ImpactAssessment()
impact.add_effect(input_dict['damage'])
incident.impact_assessment = impact
#Add the thing that was stolen
jewels = AffectedAsset()
jewels.type_ = input_dict['asset']
incident.add_affected_asset (jewels)
# add the victim
incident.add_victim (input_dict['organization'])
stix_package.add_incident(incident)
return stix_package
from stix.core import STIXPackage
from stix.incident import Incident
from stix.common import InformationSource
from cybox.common import Time
from datetime import datetime
from stix.common import Identity
from stix.incident import Time as incidentTime # different type than common:Time
from stix.incident import Incident, ImpactAssessment
from stix.incident.impact_assessment import Effects
from stix.common import References
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Parity Wallet Hacked"
breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "https://paritytech.io/blog/security-alert.html"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "parity technologies ltd"
# set incident-specific timestamps
breach.time = incidentTime()
def parse(self, argument_log):
"""
Parses Suricata IDS log lines into STIX/CybOX format.
:param argument_log: The log line to try and identify
:return: STIX Incident
"""
argument_log = " ".join(argument_log.split(" ")[5:])
parsed_suricata_log = {}
for regex in self._regex:
try:
parsed_suricata_log[regex] = re.match(self._regex[regex], argument_log).group(1)
except:
print "Failed to parse %s" % (regex)
return False
#TODO: Time Zones
parsed_suricata_log["unix_timestamp"] = time.mktime(datetime.datetime.strptime(parsed_suricata_log["time"], "%m/%d/%Y-%H:%M:%S").timetuple())
# Find IP's of interest
if IPAddress(parsed_suricata_log["source_ip"]).is_private() == False or IPAddress(parsed_suricata_log["destination_ip"]).is_private() == False:
# Name Space
stix.utils.idgen.set_id_namespace(Namespace(self._config["NAMESPACE"]["url"], self._config["NAMESPACE"]["name"],""))
stix_package = STIXPackage()
# If the source is public
if not IPAddress(parsed_suricata_log["source_ip"]).is_private() and IPAddress(parsed_suricata_log["destination_ip"]).is_private():
incident = Incident(title="[IDS Alert] "+parsed_suricata_log["text"]+" From "+ parsed_suricata_log["source_ip"])
addr = Address(address_value=parsed_suricata_log["source_ip"], category=Address.CAT_IPV4)
elif IPAddress(parsed_suricata_log["source_ip"]).is_private() and not IPAddress(parsed_suricata_log["destination_ip"]).is_private():
incident = Incident(title="[IDS Alert] "+parsed_suricata_log["text"]+" To "+ parsed_suricata_log["destination_ip"])
addr = Address(address_value=parsed_suricata_log["destination_ip"], category=Address.CAT_IPV4)
else:
#public to public - i can't tell who the bad guy is
return False
observable = Observable(item=addr,
title="[IP Associated To IDS Alert] "+parsed_suricata_log["text"],
description="""This ip address was seen to be involved in triggering the IDS alert %s if
seen from multiple sources, this is a good indicator of a potential threat actor or compromised host""" % (parsed_suricata_log["text"]))
stix_package.add_observable(observable)
incident.time = Time()
incident.time.first_malicious_action = parsed_suricata_log["time"]
related_observable = RelatedObservable(Observable(idref=observable.id_))
incident.related_observables.append(related_observable)
stix_package.add_incident(incident)
return stix_package.to_xml()
def buildSTIX(ident, confid, restconfid, effect, resteffect, typeIncident,
resttype, asset, restasset, hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value = confid
breach._binding_class.xml_type = typeIncident
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime(
"2014-03-11", "%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset # "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30",
"%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10",
"%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime(
"2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
#impact = ImpactAssessment()
#impact.add_effect("Unintended Access")
#breach.impact_assessment = impact
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
#print("asset type: %s"%(breach.affected_assets[0].type_))
# add the victim
breach.add_victim(hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
#print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents)))
# Print the XML!
#print(stix_package.to_xml())
return stix_package
def transform(self, event):
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot",
"Describes one or more honeypot incidents")
incident = Incident(
id_="%s:%s-%s" %
(CONPOT_NAMESPACE, 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(
VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(
ToolInformation.from_dict({
'name':
"Conpot",
'vendor':
"Conpot Team",
'version':
conpot.__version__,
'description':
textwrap.dedent(
'Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.'
)
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(
title=
"Victim Targeting: Electricity Sector and Industrial Control System Sector"
)
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({
'port_value': event['remote'][1],
'layer4_protocol': 'tcp'
})
dest_port = Port.from_dict({
'port_value':
self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol':
'tcp'
})
source_ip = Address.from_dict({
'address_value': event['remote'][0],
'category': Address.CAT_IPV4
})
dest_ip = Address.from_dict({
'address_value': event['public_ip'],
'category': Address.CAT_IPV4
})
source_address = SocketAddress.from_dict({
'ip_address':
source_ip.to_dict(),
'port':
source_port.to_dict()
})
dest_address = SocketAddress.from_dict({
'ip_address': dest_ip.to_dict(),
'port': dest_port.to_dict()
})
network_connection = NetworkConnection.from_dict({
'source_socket_address':
source_address.to_dict(),
'destination_socket_address':
dest_address.to_dict(),
'layer3_protocol':
"IPv4",
'layer4_protocol':
"TCP",
'layer7_protocol':
event['data_type'],
'source_tcp_state':
"ESTABLISHED",
'destination_tcp_state':
"ESTABLISHED",
})
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
from stix.common import Identity, InformationSource
from stix.common.related import (RelatedIndicator, RelatedObservable,
RelatedThreatActor, RelatedIncident,
RelatedTTP)
from stix.core import STIXPackage
from stix.incident import AttributedThreatActors, Incident, LeveragedTTPs, Time
from stix.indicator import Indicator
from stix.threat_actor import ThreatActor
from stix.ttp import TTP, Behavior
from stix.ttp.behavior import AttackPattern
from stix.coa import CourseOfAction
fake = Faker()
# Basics
incident = Incident(title='We got hacked')
incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.'
# Dates/Times
t1 = '2018-08-23T14:00:05.470947+00:00'
t2 = '2018-08-22T14:00:05.470947+00:00'
t3 = '2018-08-24T14:00:05.470947+00:00'
t = Time()
t.incident_opened = t1
t.incident_discovery = t1
t.incident_reported = t1
t.first_malicious_action = t2
t.initial_compromise = t2
t.first_data_exfiltration = t2
t.containment_achieved = t3
t.restoration_achieved = t3
