def create_intrusion_set( name: str, intrusion_set_id: Optional[str] = None, created_by: Optional[Identity] = None, created: Optional[datetime] = None, modified: Optional[datetime] = None, description: Optional[str] = None, aliases: Optional[List[str]] = None, first_seen: Optional[datetime] = None, last_seen: Optional[datetime] = None, goals: Optional[List[str]] = None, resource_level: Optional[str] = None, primary_motivation: Optional[str] = None, secondary_motivations: Optional[List[str]] = None, labels: Optional[List[str]] = None, confidence: Optional[int] = None, external_references: Optional[List[ExternalReference]] = None, object_markings: Optional[List[MarkingDefinition]] = None, ) -> IntrusionSet: """Create a intrusion set.""" if intrusion_set_id is None: intrusion_set_id = _create_random_identifier("intrusion-set") return IntrusionSet( id=intrusion_set_id, created_by_ref=created_by, created=created, modified=modified, name=name, description=description, aliases=aliases, first_seen=first_seen, last_seen=last_seen, goals=goals, resource_level=resource_level, primary_motivation=primary_motivation, secondary_motivations=secondary_motivations, labels=labels, confidence=confidence, external_references=external_references, object_marking_refs=object_markings, )
def amitt_intrusion_set(self): """ """ intrusion_sets = self.intrusionsets.itertuples() for i in intrusion_sets: if i.id == "I00000": continue external_references = [] if i.type == "intrusion-set": refs = self.parse_xlsx_reference_tuples(i.references) for ref in refs: try: reference = ExternalReference( source_name=ref[1], url=ref[2], external_id=ref[0] ) external_references.append(reference) except IndexError: pass try: created_date = datetime.strptime(i.whenAdded, "%Y-%m-%d") except: created_date = datetime.now() intrusion_set = IntrusionSet( name=i.name, description=i.summary, first_seen=datetime.strptime(str(int(i.firstSeen)), "%Y"), created=created_date, custom_properties={ # "x_published": i.whenAdded, # "x_source": i.sourceCountry, # "x_target": i.targetCountry, "x_identified_via": i.foundVia }, external_references=external_references ) self.stix_objects.append(intrusion_set) self.stix_intrusion_set_uuid[i.id] = intrusion_set.id
def create_intrusion_set( name: str, aliases: List[str], author: Identity, primary_motivation: Optional[str], secondary_motivations: List[str], external_references: List[ExternalReference], object_marking_refs: List[MarkingDefinition], ) -> IntrusionSet: """Create an intrusion set.""" return IntrusionSet( created_by_ref=author, name=name, aliases=aliases, primary_motivation=primary_motivation, secondary_motivations=secondary_motivations, labels=["intrusion-set"], external_references=external_references, object_marking_refs=object_marking_refs, )
def _create_intrusion_set(self) -> IntrusionSet: external_references = self._create_external_references() name = self.actor.name if name is None: name = f"NO_ACTOR_NAME{self.actor.id}" alias = name.replace(" ", "") aliases = [alias] known_as = self.actor.known_as for known_alias in known_as.split(","): aliases.append(known_alias.strip()) description = "NO DESCRIPTION" if self.actor.description is not None and self.actor.description: description = self.actor.description elif self.actor.rich_text_description is not None: description = remove_html_tags(self.actor.rich_text_description) elif self.actor.short_description is not None: description = self.actor.short_description intrusion_set = IntrusionSet( created_by_ref=self.author, name=name, description=description, aliases=aliases, first_seen=self.first_seen, last_seen=self.last_seen, labels=["intrusion-set"], external_references=external_references, object_marking_refs=self.object_marking_refs, custom_properties={ CustomProperties.ALIASES: aliases, CustomProperties.FIRST_SEEN: self.first_seen, CustomProperties.LAST_SEEN: self.last_seen, }, ) return intrusion_set
def prepare_elements(self, galaxies, author): elements = { "intrusion_sets": [], "malwares": [], "tools": [], "attack_patterns": [], } added_names = [] for galaxy in galaxies: # Get the linked intrusion sets if ( ( galaxy["namespace"] == "mitre-attack" and galaxy["name"] == "Intrusion Set" ) or (galaxy["namespace"] == "misp" and galaxy["name"] == "Threat Actor") or ( galaxy["namespace"] == "misp" and galaxy["name"] == "Microsoft Activity Group actor" ) ): for galaxy_entity in galaxy["GalaxyCluster"]: if " - G" in galaxy_entity["value"]: name = galaxy_entity["value"].split(" - G")[0] elif "APT " in galaxy_entity["value"]: name = galaxy_entity["value"].replace("APT ", "APT") else: name = galaxy_entity["value"] if "meta" in galaxy_entity and "synonyms" in galaxy_entity["meta"]: aliases = galaxy_entity["meta"]["synonyms"] else: aliases = [name] if name not in added_names: elements["intrusion_sets"].append( IntrusionSet( name=name, labels=["intrusion-set"], description=galaxy_entity["description"], created_by_ref=author, custom_properties={"x_opencti_aliases": aliases}, ) ) added_names.append(name) # Get the linked malwares if ( (galaxy["namespace"] == "mitre-attack" and galaxy["name"] == "Malware") or (galaxy["namespace"] == "misp" and galaxy["name"] == "Tool") or (galaxy["namespace"] == "misp" and galaxy["name"] == "Ransomware") or (galaxy["namespace"] == "misp" and galaxy["name"] == "Android") or (galaxy["namespace"] == "misp" and galaxy["name"] == "Malpedia") ): for galaxy_entity in galaxy["GalaxyCluster"]: if " - S" in galaxy_entity["value"]: name = galaxy_entity["value"].split(" - S")[0] else: name = galaxy_entity["value"] if "meta" in galaxy_entity and "synonyms" in galaxy_entity["meta"]: aliases = galaxy_entity["meta"]["synonyms"] else: aliases = [name] if name not in added_names: elements["malwares"].append( Malware( name=name, labels=["malware"], description=galaxy_entity["description"], created_by_ref=author, custom_properties={"x_opencti_aliases": aliases}, ) ) added_names.append(name) # Get the linked tools if galaxy["namespace"] == "mitre-attack" and galaxy["name"] == "Tool": for galaxy_entity in galaxy["GalaxyCluster"]: if " - S" in galaxy_entity["value"]: name = galaxy_entity["value"].split(" - S")[0] else: name = galaxy_entity["value"] if "meta" in galaxy_entity and "synonyms" in galaxy_entity["meta"]: aliases = galaxy_entity["meta"]["synonyms"] else: aliases = [name] if name not in added_names: elements["tools"].append( Tool( name=name, labels=["tool"], description=galaxy_entity["description"], created_by_ref=author, custom_properties={"x_opencti_aliases": aliases}, ) ) added_names.append(name) # Get the linked attack_patterns if ( galaxy["namespace"] == "mitre-attack" and galaxy["name"] == "Attack Pattern" ): for galaxy_entity in galaxy["GalaxyCluster"]: if " - T" in galaxy_entity["value"]: name = galaxy_entity["value"].split(" - T")[0] else: name = galaxy_entity["value"] if "meta" in galaxy_entity and "synonyms" in galaxy_entity["meta"]: aliases = galaxy_entity["meta"]["synonyms"] else: aliases = [name] if name not in added_names: elements["attack_patterns"].append( AttackPattern( name=name, labels=["attack-pattern"], description=galaxy_entity["description"], created_by_ref=author, custom_properties={ "x_opencti_external_id": galaxy_entity["meta"][ "external_id" ][0], "x_opencti_aliases": aliases, }, ) ) added_names.append(name) return elements
def prepare_elements(self, galaxies): elements = {'intrusion_sets': [], 'malwares': [], 'tools': [], 'attack_patterns': []} added_names = [] for galaxy in galaxies: # Get the linked intrusion sets if ( (galaxy['namespace'] == 'mitre-attack' and galaxy['name'] == 'Intrusion Set') or (galaxy['namespace'] == 'misp' and galaxy['name'] == 'Threat Actor') or (galaxy['namespace'] == 'misp' and galaxy['name'] == 'Microsoft Activity Group actor') ): for galaxy_entity in galaxy['GalaxyCluster']: if ' - G' in galaxy_entity['value']: name = galaxy_entity['value'].split(' - G')[0] elif 'APT ' in galaxy_entity['value']: name = galaxy_entity['value'].replace('APT ', 'APT') else: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity['meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] if name not in added_names: elements['intrusion_sets'].append(IntrusionSet( name=name, labels=['intrusion-set'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases } )) added_names.append(name) # Get the linked malwares if ( (galaxy['namespace'] == 'mitre-attack' and galaxy['name'] == 'Malware') or (galaxy['namespace'] == 'misp' and galaxy['name'] == 'Tool') or (galaxy['namespace'] == 'misp' and galaxy['name'] == 'Ransomware') or (galaxy['namespace'] == 'misp' and galaxy['name'] == 'Android') or (galaxy['namespace'] == 'misp' and galaxy['name'] == 'Malpedia') ): for galaxy_entity in galaxy['GalaxyCluster']: if ' - S' in galaxy_entity['value']: name = galaxy_entity['value'].split(' - S')[0] else: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity['meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] if name not in added_names: elements['malwares'].append(Malware( name=name, labels=['malware'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases } )) added_names.append(name) # Get the linked tools if ( (galaxy['namespace'] == 'mitre-attack' and galaxy['name'] == 'Tool') ): for galaxy_entity in galaxy['GalaxyCluster']: if ' - S' in galaxy_entity['value']: name = galaxy_entity['value'].split(' - S')[0] else: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity['meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] if name not in added_names: elements['tools'].append(Tool( name=name, labels=['tool'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases } )) added_names.append(name) # Get the linked attack_patterns if ( (galaxy['namespace'] == 'mitre-attack' and galaxy['name'] == 'Attack Pattern') ): for galaxy_entity in galaxy['GalaxyCluster']: if ' - T' in galaxy_entity['value']: name = galaxy_entity['value'].split(' - T')[0] else: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity['meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] if name not in added_names: elements['attack_patterns'].append(AttackPattern( name=name, labels=['attack-pattern'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_external_id': galaxy_entity['meta']['external_id'][0], 'x_opencti_aliases': aliases, } )) added_names.append(name) return elements
def prepare_threats(self, galaxies): threats = [] for galaxy in galaxies: # MITRE galaxies if galaxy['namespace'] == 'mitre-attack': if galaxy['name'] == 'Intrusion Set': for galaxy_entity in galaxy['GalaxyCluster']: if ' - G' in galaxy_entity['value']: name = galaxy_entity['value'].split(' - G')[0] else: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[ 'meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] threats.append( IntrusionSet( name=name, labels=['intrusion-set'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases })) if galaxy['name'] == 'Malware': for galaxy_entity in galaxy['GalaxyCluster']: if ' - S' in galaxy_entity['value']: name = galaxy_entity['value'].split(' - S')[0] else: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[ 'meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] threats.append( Malware(name=name, labels=['malware'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases })) if galaxy['name'] == 'Tool': for galaxy_entity in galaxy['GalaxyCluster']: if ' - S' in galaxy_entity['value']: name = galaxy_entity['value'].split(' - S')[0] else: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[ 'meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] threats.append( Tool(name=name, labels=['tool'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases })) if galaxy['namespace'] == 'misp': if galaxy['name'] == 'Threat Actor': for galaxy_entity in galaxy['GalaxyCluster']: if 'APT ' in galaxy_entity['value']: name = galaxy_entity['value'].replace( 'APT ', 'APT') else: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[ 'meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] threats.append( IntrusionSet( name=name, labels=['intrusion-set'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases })) if galaxy['name'] == 'Tool': for galaxy_entity in galaxy['GalaxyCluster']: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[ 'meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] threats.append( Malware(name=name, labels=['malware'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases })) if galaxy['name'] == 'Ransomware': for galaxy_entity in galaxy['GalaxyCluster']: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[ 'meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] threats.append( Malware(name=name, labels=['malware'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases })) if galaxy['name'] == 'Malpedia': for galaxy_entity in galaxy['GalaxyCluster']: name = galaxy_entity['value'] if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[ 'meta']: aliases = galaxy_entity['meta']['synonyms'] else: aliases = [name] threats.append( Malware(name=name, labels=['malware'], description=galaxy_entity['description'], custom_properties={ 'x_opencti_aliases': aliases })) return threats