def create_observable_email_address(properties: ObservableProperties) -> EmailAddress:
    """Build an ``EmailAddress`` observable from *properties*.

    ``properties.value`` becomes the address, ``properties.object_markings``
    is passed through as ``object_marking_refs`` and the custom properties
    are resolved by ``_get_custom_properties``.
    """
    kwargs = {
        "value": properties.value,
        "object_marking_refs": properties.object_markings,
        "custom_properties": _get_custom_properties(properties),
    }
    return EmailAddress(**kwargs)
    def produce(self, tc_data: Union[list, dict], **kwargs) -> Iterable[EmailAddress]:
        """Yield one STIX ``EmailAddress`` (``spec_version`` 2.1) per mapped TC record.

        When *tc_data* is a non-empty list whose first element contains
        ``'summary'``, the address is read from that field; in every other
        case it is read from ``'address'``. Extra keyword arguments are
        accepted for interface compatibility and ignored.
        """
        first_has_summary = (
            isinstance(tc_data, list)
            and len(tc_data) > 0
            and 'summary' in tc_data[0]
        )
        indicator_field = 'summary' if first_has_summary else 'address'

        parse_map = {
            'type': 'email-addr',
            'spec_version': '2.1',
            'id': '@.id',
            'value': f'@."{indicator_field}"',
        }

        for stix_data in self._map(tc_data, parse_map):
            yield EmailAddress(**stix_data)
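    def _process_indicator(self, indicator: Indicator) -> list[_Observable]:
        """
        Process the indicator depending on its type.

        The raw entries of ``indicator["values"]`` are handed to the stix2
        constructors unchanged, so whatever format validation stix2 applies
        (hash syntax, address syntax, ...) is the only validation performed;
        a value stix2 rejects surfaces as an exception from this method.

        Parameters
        ----------
        indicator : Indicator
            One indicator from an article. The keys ``type``, ``values`` and
            ``source`` are required; a missing key raises ``KeyError``.

        Returns
        -------
        List of Observable
            One observable per entry of ``indicator["values"]``, each carrying
            the TLP marking derived from ``indicator["source"]``. Unsupported
            (or non-string) types are logged as a warning and give ``[]``.
        """
        indicator_type = indicator["type"]
        values = indicator["values"]
        # Fail closed: only a source explicitly equal to "public" is marked
        # TLP:WHITE; any other or unexpected source value becomes TLP:AMBER.
        tlp_marking = TLP_WHITE if indicator["source"] == "public" else TLP_AMBER

        def hashed(cls, stix_type, algorithm):
            """Builder for observables whose value is a single hash digest."""
            return lambda v: cls(
                type=stix_type,
                hashes={algorithm: v},
                object_marking_refs=tlp_marking,
            )

        def field(cls, stix_type, name, **extra):
            """Builder for observables whose value fills the property *name*."""
            return lambda v: cls(
                type=stix_type,
                object_marking_refs=tlp_marking,
                **{name: v},
                **extra,
            )

        # One entry per accepted RiskIQ indicator type, aliases included, so
        # this table is the single place where a new type or alias is added.
        # The "proces_mutex" spelling is kept because it was accepted before.
        builders = {
            "hash_md5": hashed(File, "file", "MD5"),
            "hash_sha1": hashed(File, "file", "SHA-1"),
            "sha1": hashed(File, "file", "SHA-1"),
            "sha256": hashed(File, "file", "SHA-256"),
            "hash_sha256": hashed(File, "file", "SHA-256"),
            "domain": field(DomainName, "domain-name", "value"),
            "email": field(EmailAddress, "email-addr", "value"),
            "emails": field(EmailAddress, "email-addr", "value"),
            "filename": field(File, "file", "name"),
            "filepath": field(File, "file", "name"),
            # NOTE(review): every "ip" value is built as an ipv4-addr; an IPv6
            # value would presumably be rejected by stix2 — confirm against
            # what the feed actually delivers.
            "ip": field(IPv4Address, "ipv4-addr", "value"),
            "proces_mutex": field(Mutex, "mutex", "name"),
            "process_mutex": field(Mutex, "mutex", "name"),
            "mutex": field(Mutex, "mutex", "name"),
            "url": field(URL, "url", "value", defanged=False),
            "certificate_sha1": hashed(X509Certificate, "x509-certificate", "SHA-1"),
            "certificate_issuerorganizationname": field(X509Certificate, "x509-certificate", "issuer"),
            "certificate_issuercommonname": field(X509Certificate, "x509-certificate", "issuer"),
            "certificate_subjectorganizationname": field(X509Certificate, "x509-certificate", "subject"),
            "certificate_subjectcountry": field(X509Certificate, "x509-certificate", "subject"),
            "certificate_subjectcommonname": field(X509Certificate, "x509-certificate", "subject"),
            "certificate_serialnumber": field(X509Certificate, "x509-certificate", "serial_number"),
            "code_certificate_serial": field(X509Certificate, "x509-certificate", "serial_number"),
        }

        # A non-string type cannot be a dict key; treat it as unsupported
        # instead of raising, matching the warn-and-skip path below.
        build = builders.get(indicator_type) if isinstance(indicator_type, str) else None
        if build is None:
            self.helper.log_warning(
                f"[RiskIQ] indicator with key {indicator_type} not supported. (Values: {values})"
            )
            return []

        return [build(v) for v in values]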