def set_identifier_confidence(id_, identifier=None, confidence="low", user=None, **kwargs): """ Set the Identifier attribution confidence. :param id_: The ObjectId of the Actor. :param identifier: The Actor Identifier ObjectId. :type identifier: str :param confidence: The confidence level. :type confidence: str :param user: The user editing this identifier. :type user: str :returns: dict with keys: "success" (boolean), "message" (str), """ sources = user_sources(user) actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': "Could not find actor"} actor.set_identifier_confidence(identifier, confidence) actor.save(username=user) return {'success': True}
def remove_attribution(id_, identifier=None, user=None, **kwargs): """ Remove an attributed identifier. :param id_: The ObjectId of the Actor. :param identifier: The Actor Identifier ObjectId. :type identifier: str :param user: The user removing this attribution. :type user: str :returns: dict with keys: "success" (boolean), "message" (str), """ sources = user_sources(user) admin = is_admin(user) actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': "Could not find actor"} actor.remove_attribution(identifier) actor.save(username=user) actor.reload() actor_identifiers = actor.generate_identifiers_list(user) html = render_to_string( 'actor_identifiers_widget.html', { 'actor_identifiers': actor_identifiers, 'admin': admin, 'actor_id': str(actor.id) }) return {'success': True, 'message': html}
def set_actor_description(id_, description, analyst): """ Set an Actor description. :param id_: Actor ObjectId. :type id_: str :param description: The new description. :type description: str :param analyst: The user updating the description. :type analyst: str :returns: dict with keys: "success" (boolean), "message" (str), """ sources = user_sources(analyst) actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': "Could not find actor"} actor.description = description.strip() actor.save(username=analyst) return {'success': True}
def remove_attribution(id_, identifier=None, user=None, **kwargs): """ Remove an attributed identifier. :param id_: The ObjectId of the Actor. :param identifier: The Actor Identifier ObjectId. :type identifier: str :param user: The user removing this attribution. :type user: str :returns: dict with keys: "success" (boolean), "message" (str), """ sources = user_sources(user) admin = is_admin(user) actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': "Could not find actor"} actor.remove_attribution(identifier) actor.save(username=user) actor.reload() actor_identifiers = actor.generate_identifiers_list(user) html = render_to_string('actor_identifiers_widget.html', {'actor_identifiers': actor_identifiers, 'admin': admin, 'actor_id': str(actor.id)}) return {'success': True, 'message': html}
def set_actor_name(id_, name, user, **kwargs): """ Set an Actor name. :param id_: Actor ObjectId. :type id_: str :param name: The new name. :type name: str :param user: The user updating the name. :type user: :class:`crits.core.user.CRITsUser` :returns: dict with keys: "success" (boolean), "message" (str), """ sources = user.get_sources_list() actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': "Could not find actor"} actor.name = name.strip() actor.save(username=user.username) return {'success': True}
def set_actor_name(id_, name, user, **kwargs): """ Set an Actor name. :param id_: Actor ObjectId. :type id_: str :param name: The new name. :type name: str :param user: The user updating the name. :type user: str :returns: dict with keys: "success" (boolean), "message" (str), """ sources = user_sources(user) actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': "Could not find actor"} actor.name = name.strip() actor.save(username=user) return {'success': True}
def parse_threat_actors(self, threat_actors): """ Parse list of Threat Actors. :param threat_actors: List of STIX ThreatActors. :type threat_actors: List of STIX ThreatActors. """ from stix.threat_actor import ThreatActor analyst = self.source_instance.analyst for threat_actor in threat_actors: # for each STIX ThreatActor try: # create CRITs Actor from ThreatActor if isinstance(threat_actor, ThreatActor): name = str(threat_actor.title) description = str(threat_actor.description) res = add_new_actor(name=name, description=description, source=[self.source], analyst=analyst) if res['success']: sl = ml = tl = il = [] for s in threat_actor.sophistications: v = get_crits_actor_tags(str(s.value)) if v: sl.append(v) update_actor_tags(res['id'], 'ActorSophistication', sl, analyst) for m in threat_actor.motivations: v = get_crits_actor_tags(str(m.value)) if v: ml.append(v) update_actor_tags(res['id'], 'ActorMotivation', ml, analyst) for t in threat_actor.types: v = get_crits_actor_tags(str(t.value)) if v: tl.append(v) update_actor_tags(res['id'], 'ActorThreatType', tl, analyst) for i in threat_actor.intended_effects: v = get_crits_actor_tags(str(i.value)) if v: il.append(v) update_actor_tags(res['id'], 'ActorIntendedEffect', il, analyst) obj = Actor.objects(id=res['id']).first() self.imported[threat_actor.id_] = ( Actor._meta['crits_type'], obj) else: self.failed.append( (res['message'], type(threat_actor).__name__, "")) # note for display in UI except Exception, e: self.failed.append((e.message, type(threat_actor).__name__, "")) # note for display in UI
def parse_threat_actors(self, threat_actors): """ Parse list of Threat Actors. :param threat_actors: List of STIX ThreatActors. :type threat_actors: List of STIX ThreatActors. """ from stix.threat_actor import ThreatActor analyst = self.source_instance.analyst for threat_actor in threat_actors: # for each STIX ThreatActor try: # create CRITs Actor from ThreatActor if isinstance(threat_actor, ThreatActor): name = str(threat_actor.title) description = str(threat_actor.description) res = add_new_actor(name=name, description=description, source=[self.source], analyst=analyst) if res['success']: sl = ml = tl = il = [] for s in threat_actor.sophistications: sl.append(str(s.value)) update_actor_tags(res['id'], 'ActorSophistication', sl, analyst) for m in threat_actor.motivations: ml.append(str(m.value)) update_actor_tags(res['id'], 'ActorMotivation', ml, analyst) for t in threat_actor.types: tl.append(str(t.value)) update_actor_tags(res['id'], 'ActorThreatType', tl, analyst) for i in threat_actor.intended_effects: il.append(str(i.value)) update_actor_tags(res['id'], 'ActorIntendedEffect', il, analyst) obj = Actor.objects(id=res['id']).first() self.imported.append((Actor._meta['crits_type'], obj)) else: self.failed.append((res['message'], type(threat_actor).__name__, "")) # note for display in UI except Exception, e: self.failed.append((e.message, type(threat_actor).__name__, "")) # note for display in UI
def get_actor_by_name(allowed_sources, actor): """ Get an Actor from the database by name. :param allowed_sources: The sources this Actor is allowed to have. :type allowed_sources: list :param actor: The Actor address to find. :type actor: str :returns: :class:`crits.actors.actor.Actor` """ actor = Actor.objects(name=actor, source__name__in=allowed_sources).first() return actor
def attribute_actor_identifier(id_, identifier_type, identifier=None, confidence="low", user=None, **kwargs): """ Attribute an Actor Identifier to an Actor in CRITs. :param id_: The Actor ObjectId. :type id_: str :param identifier_type: The Actor Identifier Type. :type identifier_type: str :param identifier: The Actor Identifier. :type identifier: str :param user: The user attributing this identifier. :type user: str :returns: dict with keys: "success" (boolean), "message" (str), """ sources = user_sources(user) admin = is_admin(user) actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': "Could not find actor"} c = len(actor.identifiers) actor.attribute_identifier(identifier_type, identifier, confidence, user) actor.save(username=user) actor.reload() actor_identifiers = actor.generate_identifiers_list(user) if len(actor.identifiers) <= c: return { 'success': False, 'message': "Invalid data submitted or identifier is already attributed." } html = render_to_string( 'actor_identifiers_widget.html', { 'actor_identifiers': actor_identifiers, 'admin': admin, 'actor_id': str(actor.id) }) return {'success': True, 'message': html}
def parse_threat_actors(self, threat_actors): """ Parse list of Threat Actors. :param threat_actors: List of STIX ThreatActors. :type threat_actors: List of STIX ThreatActors. """ for threat_actor in threat_actors: # for each STIX ThreatActor try: # create CRITs Actor from ThreatActor obj = Actor.from_stix(threat_actor) obj.add_source(self.source) obj.save(username=self.source_instance.analyst) self.imported.append((Actor._meta['crits_type'], obj)) except Exception, e: self.failed.append((e.message, type(threat_actor).__name__, "")) # note for display in UI
def attribute_actor_identifier(id_, identifier_type, identifier=None, confidence="low", user=None, **kwargs): """ Attribute an Actor Identifier to an Actor in CRITs. :param id_: The Actor ObjectId. :type id_: str :param identifier_type: The Actor Identifier Type. :type identifier_type: str :param identifier: The Actor Identifier. :type identifier: str :param user: The user attributing this identifier. :type user: str :returns: dict with keys: "success" (boolean), "message" (str), """ if not user: return {'success': False, 'message': "Could not find actor"} sources = user.get_sources_list() actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': "Could not find actor"} c = len(actor.identifiers) actor.attribute_identifier(identifier_type, identifier, confidence, user.username) actor.save(username=user.username) actor.reload() actor_identifiers = actor.generate_identifiers_list(user.username) if len(actor.identifiers) <= c: return {'success': False, 'message': "Invalid data submitted or identifier is already attributed."} html = render_to_string('actor_identifiers_widget.html', {'actor_identifiers': actor_identifiers, 'actor_id': str(actor.id)}) return {'success': True, 'message': html}
def actor_remove(id_, user): """ Remove an Actor from CRITs. :param id_: The ObjectId of the Actor to remove. :type id_: str :param user: The user removing this Actor. :type user: :class:`crits.core.user.CRITsUser` :returns: dict with keys "success" (boolean) and "message" (str) if failed. """ actor = Actor.objects(id=id_).first() if actor: actor.delete(username=user.username) return {'success': True} else: return {'success':False, 'message':'Could not find Actor.'}
def actor_remove(id_, username): """ Remove an Actor from CRITs. :param id_: The ObjectId of the Actor to remove. :type id_: str :param username: The user removing this Actor. :type username: str :returns: dict with keys "success" (boolean) and "message" (str) if failed. """ if is_admin(username): actor = Actor.objects(id=id_).first() if actor: actor.delete(username=username) return {'success': True} else: return {'success': False, 'message': 'Could not find Actor.'} else: return {'success': False, 'message': 'Must be an admin to remove'}
def update_actor_tags(id_, tag_type, tags, user, **kwargs): """ Update a subset of tags for an Actor. :param id_: The ObjectId of the Actor to update. :type id_: str :param tag_type: The type of tag we are updating. :type tag_type: str :param tags: The tags we are setting. :type tags: list :returns: dict """ actor = Actor.objects(id=id_).first() if not actor: return {'success': False, 'message': 'No actor could be found.'} else: actor.update_tags(tag_type, tags) actor.save(username=user) return {'success': True}
def update_actor_aliases(id_, aliases, user, **kwargs): """ Update aliases for an Actor. :param id_: The ObjectId of the Actor to update. :type id_: str :param aliases: The aliases we are setting. :type aliases: list :param user: The user updating the aliases. :type user: str :returns: dict """ sources = user_sources(user) actor = Actor.objects(id=id_, source__name__in=sources).first() if not actor: return {'success': False, 'message': 'No actor could be found.'} else: actor.update_aliases(aliases) actor.save(username=user) return {'success': True}
def update_actor_aliases(actor_id, aliases, analyst): """ Update aliases for an Actor. :param actor_id: The ObjectId of the Actor to update. :type actor_id: str :param aliases: The aliases we are setting. :type aliases: list :param analyst: The user updating the aliases. :type analyst: str :returns: dict """ sources = user_sources(analyst) actor = Actor.objects(id=actor_id, source__name__in=sources).first() if not actor: return {'success': False, 'message': 'No actor could be found.'} else: actor.update_aliases(aliases) actor.save(username=analyst) return {'success': True}
def class_from_value(type_, value): """ Return an instantiated class object. :param type_: The CRITs top-level object type. :type type_: str :param value: The value to search for. :type value: str :returns: class which inherits from :class:`crits.core.crits_mongoengine.CritsBaseAttributes` """ # doing this to avoid circular imports from crits.actors.actor import ActorThreatIdentifier, Actor from crits.backdoors.backdoor import Backdoor from crits.campaigns.campaign import Campaign from crits.certificates.certificate import Certificate from crits.comments.comment import Comment from crits.domains.domain import Domain from crits.emails.email import Email from crits.events.event import Event from crits.exploits.exploit import Exploit from crits.indicators.indicator import Indicator from crits.ips.ip import IP from crits.pcaps.pcap import PCAP from crits.raw_data.raw_data import RawData from crits.samples.sample import Sample from crits.screenshots.screenshot import Screenshot from crits.targets.target import Target # Make sure value is a string... value = str(value) # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise # the queries below will raise a ValidationError exception. if (type_ in ['Backdoor', 'Comment', 'Email', 'Event', 'Exploit', 'Indicator', 'Screenshot'] and not ObjectId.is_valid(value.decode('utf8'))): return None if type_ == 'Actor': return Actor.objects(name=value).first() if type_ == 'Backdoor': return Backdoor.objects(id=value).first() elif type_ == 'ActorThreatIdentifier': return ActorThreatIdentifier.objects(name=value).first() elif type_ == 'Campaign': return Campaign.objects(name=value).first() elif type_ == 'Certificate': return Certificate.objects(md5=value).first() elif type_ == 'Comment': return Comment.objects(id=value).first() elif type_ == 'Domain': return Domain.objects(domain=value).first() elif type_ == 'Email': return Email.objects(id=value).first() elif type_ == 'Event': return Event.objects(id=value).first() elif type_ == 'Exploit': return Exploit.objects(id=value).first() elif type_ == 'Indicator': return Indicator.objects(id=value).first() elif type_ == 'IP': return IP.objects(ip=value).first() elif type_ == 'PCAP': return PCAP.objects(md5=value).first() elif type_ == 'RawData': return RawData.objects(md5=value).first() elif type_ == 'Sample': return Sample.objects(md5=value).first() elif type_ == 'Screenshot': return Screenshot.objects(id=value).first() elif type_ == 'Target': target = Target.objects(email_address=value).first() if target: return target else: return Target.objects(email_address__iexact=value).first() else: return None
def generate_actor_identifier_jtable(request, option): """ Generate the jtable data for rendering in the list template. :param request: The request for this jtable. :type request: :class:`django.http.HttpRequest` :param option: Action to take. :type option: str of either 'jtlist', 'jtdelete', or 'inline'. :returns: :class:`django.http.HttpResponse` """ obj_type = ActorIdentifier type_ = "actor_identifier" mapper = obj_type._meta['jtable_opts'] if option == "jtlist": # Sets display url details_url = mapper['details_url'] details_url_key = mapper['details_url_key'] fields = mapper['fields'] response = jtable_ajax_list(obj_type, details_url, details_url_key, request, includes=fields) return HttpResponse(json.dumps(response, default=json_handler), content_type="application/json") if option == "jtdelete": response = {"Result": "ERROR"} if jtable_ajax_delete(obj_type, request): obj_id = request.POST.get('id', None) if obj_id: # Remove this identifier from any Actors who reference it. Actor.objects(identifiers__identifier_id=obj_id)\ .update(pull__identifiers__identifier_id=obj_id) response = {"Result": "OK"} return HttpResponse(json.dumps(response, default=json_handler), content_type="application/json") jtopts = { 'title': "Actor Identifiers", 'default_sort': mapper['default_sort'], 'listurl': reverse('crits.actors.views.%ss_listing' % (type_), args=('jtlist',)), 'deleteurl': reverse('crits.actors.views.%ss_listing' % (type_), args=('jtdelete',)), 'searchurl': reverse(mapper['searchurl']), 'fields': mapper['jtopts_fields'], 'hidden_fields': mapper['hidden_fields'], 'linked_fields': mapper['linked_fields'], 'details_link': mapper['details_link'], 'no_sort': mapper['no_sort'] } jtable = build_jtable(jtopts, request) for field in jtable['fields']: if field['fieldname'] == "'name'": url = reverse('crits.actors.views.actors_listing') field['display'] = """ function (data) { return '<a href="%s?q='+data.record.id+'&search_type=actor_identifier&force_full=1">'+data.record.name+'</a>'; } """ % url break jtable['toolbar'] = [ { 'tooltip': "'Add Actor Identifier'", 'text': "'Add Actor Identifier'", 'click': "function () {$('#new-actor-identifier').click()}", }, ] if option == "inline": return render_to_response("jtable.html", {'jtable': jtable, 'jtid': '%s_listing' % type_, 'button': '%ss_tab' % type_}, RequestContext(request)) else: return render_to_response("%s_listing.html" % type_, {'jtable': jtable, 'jtid': '%s_listing' % type_}, RequestContext(request))
def add_new_actor(name, aliases=None, description=None, source=None, source_method='', source_reference='', source_tlp=None, campaign=None, confidence=None, user=None, bucket_list=None, ticket=None, related_id=None, related_type=None, relationship_type=None): """ Add an Actor to CRITs. :param name: The name of the Actor. :type name: str :param aliases: Aliases for the actor. :type aliases: list or str :param description: Description of the actor. :type description: str :param source: Name of the source which provided this information. :type source: str :param source_method: Method of acquiring this data. :type source_method: str :param source_reference: A reference to this data. :type source_reference: str :param source_tlp: The TLP for this Actor. :type source_tlp: str :param campaign: A campaign to attribute to this actor. :type campaign: str :param confidence: Confidence level in the campaign attribution. :type confidence: str ("low", "medium", "high") :param user: The user adding this actor. :type user: :class:`crits.core.user.CRITsUser` :param bucket_list: Buckets to assign to this actor. :type bucket_list: str :param ticket: Ticket to assign to this actor. :type ticket: str :param related_id: ID of object to create relationship with :type related_id: str :param related_type: Type of object to create relationship with :type related_id: str :param relationship_type: Type of relationship to create. :type relationship_type: str :returns: dict with keys: "success" (boolean), "message" (str), "object" (if successful) :class:`crits.actors.actor.Actor` """ username = user.username is_item_new = False retVal = {} actor = Actor.objects(name=name).first() if not actor: actor = Actor() actor.name = name if description: actor.description = description.strip() is_item_new = True if isinstance(source, basestring): if user.check_source_write(source): source = [create_embedded_source(source, reference=source_reference, method=source_method, tlp=source_tlp, analyst=username)] else: return {"success": False, "message": "User does not have permission to add objects \ using source %s." % str(source)} if isinstance(campaign, basestring): c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=username) campaign = [c] if campaign: for camp in campaign: actor.add_campaign(camp) if source: for s in source: actor.add_source(s) else: return {"success" : False, "message" : "Missing source information."} if not isinstance(aliases, list): aliases = aliases.split(',') for alias in aliases: alias = alias.strip() if alias not in actor.aliases: actor.aliases.append(alias) if bucket_list: actor.add_bucket_list(bucket_list, username) if ticket: actor.add_ticket(ticket, username) related_obj = None if related_id and related_type: related_obj = class_from_id(related_type, related_id) if not related_obj: retVal['success'] = False retVal['message'] = 'Related Object not found.' return retVal actor.save(username=username) if related_obj and actor: relationship_type=RelationshipTypes.inverse(relationship=relationship_type) actor.add_relationship(related_obj, relationship_type, analyst=username, get_rels=False) actor.save(username=username) actor.reload() # run actor triage if is_item_new: actor.reload() run_triage(actor, user) resp_url = reverse('crits.actors.views.actor_detail', args=[actor.id]) retVal['message'] = ('Success! Click here to view the new Actor: ' '<a href="%s">%s</a>' % (resp_url, actor.name)) retVal['success'] = True retVal['object'] = actor retVal['id'] = str(actor.id) return retVal
def get_actor_details(id_, analyst): """ Generate the data to render the Actor details template. :param id_: The Actor ObjectId to get details for. :type actorip: str :param analyst: The user requesting this information. :type analyst: str :returns: template (str), arguments (dict) """ allowed_sources = user_sources(analyst) actor = Actor.objects(id=id_, source__name__in=allowed_sources).first() template = None args = {} if not actor: template = "error.html" error = ('Either no data exists for this Actor or you do not have' ' permission to view it.') args = {'error': error} else: actor.sanitize("%s" % analyst) # remove pending notifications for user remove_user_from_notification("%s" % analyst, actor.id, 'Actor') download_form = DownloadFileForm(initial={"obj_type": 'Actor', "obj_id": actor.id}) # generate identifiers actor_identifiers = actor.generate_identifiers_list(analyst) # subscription subscription = { 'type': 'Actor', 'id': actor.id, 'subscribed': is_user_subscribed("%s" % analyst, 'Actor', actor.id), } #objects objects = actor.sort_objects() #relationships relationships = actor.sort_relationships("%s" % analyst, meta=True) # relationship relationship = { 'type': 'Actor', 'value': actor.id } #comments comments = {'comments': actor.get_comments(), 'url_key': actor.id} #screenshots screenshots = actor.get_screenshots(analyst) # favorites favorite = is_user_favorite("%s" % analyst, 'Actor', actor.id) # services service_list = get_supported_services('Actor') # analysis results service_results = actor.get_analysis_results() args = {'actor_identifiers': actor_identifiers, 'objects': objects, 'download_form': download_form, 'relationships': relationships, 'relationship': relationship, 'subscription': subscription, 'favorite': favorite, 'service_list': service_list, 'service_results': service_results, 'screenshots': screenshots, 'actor': actor, 'actor_id': id_, 'comments': comments} return template, args
def class_from_value(type_, value): """ Return an instantiated class object. :param type_: The CRITs top-level object type. :type type_: str :param value: The value to search for. :type value: str :returns: class which inherits from :class:`crits.core.crits_mongoengine.CritsBaseAttributes` """ # doing this to avoid circular imports from crits.actors.actor import ActorThreatIdentifier, Actor from crits.backdoors.backdoor import Backdoor from crits.campaigns.campaign import Campaign from crits.certificates.certificate import Certificate from crits.comments.comment import Comment from crits.domains.domain import Domain from crits.emails.email import Email from crits.events.event import Event from crits.exploits.exploit import Exploit from crits.indicators.indicator import Indicator from crits.ips.ip import IP from crits.pcaps.pcap import PCAP from crits.raw_data.raw_data import RawData from crits.samples.sample import Sample from crits.screenshots.screenshot import Screenshot from crits.signatures.signature import Signature from crits.targets.target import Target # Make sure value is a string... value = str(value) # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise # the queries below will raise a ValidationError exception. if (type_ in [ 'Backdoor', 'Comment', 'Event', 'Exploit', 'Indicator', 'Screenshot' ] and not ObjectId.is_valid(value.decode('utf8'))): return None if type_ == 'Actor': return Actor.objects(name=value).first() if type_ == 'Backdoor': return Backdoor.objects(id=value).first() elif type_ == 'ActorThreatIdentifier': return ActorThreatIdentifier.objects(name=value).first() elif type_ == 'Campaign': return Campaign.objects(name=value).first() elif type_ == 'Certificate': return Certificate.objects(md5=value).first() elif type_ == 'Comment': return Comment.objects(id=value).first() elif type_ == 'Domain': return Domain.objects(domain=value).first() elif type_ == 'Email': return Email.objects(message_id=value).first() elif type_ == 'Event': return Event.objects(id=value).first() elif type_ == 'Exploit': return Exploit.objects(id=value).first() elif type_ == 'Indicator': return Indicator.objects(id=value).first() elif type_ == 'IP': return IP.objects(ip=value).first() elif type_ == 'PCAP': return PCAP.objects(md5=value).first() elif type_ == 'RawData': return RawData.objects(md5=value).first() elif type_ == 'Sample': return Sample.objects(md5=value).first() elif type_ == 'Screenshot': return Screenshot.objects(id=value).first() elif type_ == 'Signature': return Signature.objects(md5=value).first() elif type_ == 'Target': target = Target.objects(email_address=value).first() if target: return target else: return Target.objects(email_address__iexact=value).first() else: return None
def class_from_id(type_, _id): """ Return an instantiated class object. :param type_: The CRITs top-level object type. :type type_: str :param _id: The ObjectId to search for. :type _id: str :returns: class which inherits from :class:`crits.core.crits_mongoengine.CritsBaseAttributes` """ # doing this to avoid circular imports from crits.actors.actor import ActorThreatIdentifier, Actor from crits.backdoors.backdoor import Backdoor from crits.campaigns.campaign import Campaign from crits.certificates.certificate import Certificate from crits.comments.comment import Comment from crits.core.crits_mongoengine import Action from crits.core.source_access import SourceAccess from crits.core.user_role import UserRole from crits.domains.domain import Domain from crits.emails.email import Email from crits.events.event import Event from crits.exploits.exploit import Exploit from crits.indicators.indicator import Indicator from crits.ips.ip import IP from crits.pcaps.pcap import PCAP from crits.raw_data.raw_data import RawData, RawDataType from crits.samples.sample import Sample from crits.screenshots.screenshot import Screenshot from crits.signatures.signature import Signature, SignatureType, SignatureDependency from crits.targets.target import Target if not _id: return None # make sure it's a string _id = str(_id) # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise # the queries below will raise a ValidationError exception. if not ObjectId.is_valid(_id.decode('utf8')): return None if type_ == 'Actor': return Actor.objects(id=_id).first() elif type_ == 'Backdoor': return Backdoor.objects(id=_id).first() elif type_ == 'ActorThreatIdentifier': return ActorThreatIdentifier.objects(id=_id).first() elif type_ == 'Campaign': return Campaign.objects(id=_id).first() elif type_ == 'Certificate': return Certificate.objects(id=_id).first() elif type_ == 'Comment': return Comment.objects(id=_id).first() elif type_ == 'Domain': return Domain.objects(id=_id).first() elif type_ == 'Email': return Email.objects(id=_id).first() elif type_ == 'Event': return Event.objects(id=_id).first() elif type_ == 'Exploit': return Exploit.objects(id=_id).first() elif type_ == 'Indicator': return Indicator.objects(id=_id).first() elif type_ == 'Action': return Action.objects(id=_id).first() elif type_ == 'IP': return IP.objects(id=_id).first() elif type_ == 'PCAP': return PCAP.objects(id=_id).first() elif type_ == 'RawData': return RawData.objects(id=_id).first() elif type_ == 'RawDataType': return RawDataType.objects(id=_id).first() elif type_ == 'Sample': return Sample.objects(id=_id).first() elif type_ == 'Signature': return Signature.objects(id=_id).first() elif type_ == 'SignatureType': return SignatureType.objects(id=_id).first() elif type_ == 'SignatureDependency': return SignatureDependency.objects(id=_id).first() elif type_ == 'SourceAccess': return SourceAccess.objects(id=_id).first() elif type_ == 'Screenshot': return Screenshot.objects(id=_id).first() elif type_ == 'Target': return Target.objects(id=_id).first() elif type_ == 'UserRole': return UserRole.objects(id=_id).first() else: return None
def get_actor_details(id_, analyst): """ Generate the data to render the Actor details template. :param id_: The Actor ObjectId to get details for. :type actorip: str :param analyst: The user requesting this information. :type analyst: str :returns: template (str), arguments (dict) """ allowed_sources = user_sources(analyst) actor = Actor.objects(id=id_, source__name__in=allowed_sources).first() template = None args = {} if not actor: template = "error.html" error = ('Either no data exists for this Actor or you do not have' ' permission to view it.') args = {'error': error} else: actor.sanitize("%s" % analyst) # remove pending notifications for user remove_user_from_notification("%s" % analyst, actor.id, 'Actor') download_form = DownloadFileForm(initial={ "obj_type": 'Actor', "obj_id": actor.id }) # generate identifiers actor_identifiers = actor.generate_identifiers_list(analyst) # subscription subscription = { 'type': 'Actor', 'id': actor.id, 'subscribed': is_user_subscribed("%s" % analyst, 'Actor', actor.id), } #objects objects = actor.sort_objects() #relationships relationships = actor.sort_relationships("%s" % analyst, meta=True) # relationship relationship = {'type': 'Actor', 'value': actor.id} #comments comments = {'comments': actor.get_comments(), 'url_key': actor.id} #screenshots screenshots = actor.get_screenshots(analyst) # favorites favorite = is_user_favorite("%s" % analyst, 'Actor', actor.id) # services service_list = get_supported_services('Actor') # analysis results service_results = actor.get_analysis_results() args = { 'actor_identifiers': actor_identifiers, 'objects': objects, 'download_form': download_form, 'relationships': relationships, 'relationship': relationship, 'subscription': subscription, 'favorite': favorite, 'service_list': service_list, 'service_results': service_results, 'screenshots': screenshots, 'actor': actor, 'actor_id': id_, 'comments': comments } return template, args
def add_new_actor(name, aliases=None, description=None, source=None, source_method='', source_reference='', campaign=None, confidence=None, analyst=None, bucket_list=None, ticket=None): """ Add an Actor to CRITs. :param name: The name of the Actor. :type name: str :param aliases: Aliases for the actor. :type aliases: list or str :param description: Description of the actor. :type description: str :param source: Name of the source which provided this information. :type source: str :param source_method: Method of acquiring this data. :type source_method: str :param source_reference: A reference to this data. :type source_reference: str :param campaign: A campaign to attribute to this actor. :type campaign: str :param confidence: Confidence level in the campaign attribution. :type confidence: str ("low", "medium", "high") :param analyst: The user adding this actor. :type analyst: str :param bucket_list: Buckets to assign to this actor. :type bucket_list: str :param ticket: Ticket to assign to this actor. :type ticket: str :returns: dict with keys: "success" (boolean), "message" (str), "object" (if successful) :class:`crits.actors.actor.Actor` """ is_item_new = False retVal = {} actor = Actor.objects(name=name).first() if not actor: actor = Actor() actor.name = name if description: actor.description = description.strip() is_item_new = True if isinstance(source, basestring): source = [ create_embedded_source(source, reference=source_reference, method=source_method, analyst=analyst) ] if isinstance(campaign, basestring): c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=analyst) campaign = [c] if campaign: for camp in campaign: actor.add_campaign(camp) if source: for s in source: actor.add_source(s) else: return {"success": False, "message": "Missing source information."} if not isinstance(aliases, list): aliases = aliases.split(',') for alias in aliases: alias = alias.strip() if alias not in actor.aliases: actor.aliases.append(alias) if bucket_list: actor.add_bucket_list(bucket_list, analyst) if ticket: actor.add_ticket(ticket, analyst) actor.save(username=analyst) # run actor triage if is_item_new: actor.reload() run_triage(actor, analyst) resp_url = reverse('crits.actors.views.actor_detail', args=[actor.id]) retVal['message'] = ('Success! Click here to view the new Actor: ' '<a href="%s">%s</a>' % (resp_url, actor.name)) retVal['success'] = True retVal['object'] = actor retVal['id'] = str(actor.id) return retVal
def class_from_id(type_, _id): """ Return an instantiated class object. :param type_: The CRITs top-level object type. :type type_: str :param _id: The ObjectId to search for. :type _id: str :returns: class which inherits from :class:`crits.core.crits_mongoengine.CritsBaseAttributes` """ # doing this to avoid circular imports from crits.actors.actor import ActorThreatIdentifier, Actor from crits.backdoors.backdoor import Backdoor from crits.campaigns.campaign import Campaign from crits.certificates.certificate import Certificate from crits.comments.comment import Comment from crits.core.source_access import SourceAccess from crits.core.user_role import UserRole from crits.domains.domain import Domain from crits.emails.email import Email from crits.events.event import Event from crits.exploits.exploit import Exploit from crits.indicators.indicator import Indicator, IndicatorAction from crits.ips.ip import IP from crits.pcaps.pcap import PCAP from crits.raw_data.raw_data import RawData, RawDataType from crits.samples.sample import Sample from crits.screenshots.screenshot import Screenshot from crits.targets.target import Target if not _id: return None # make sure it's a string _id = str(_id) # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise # the queries below will raise a ValidationError exception. if not ObjectId.is_valid(_id.decode('utf8')): return None if type_ == 'Actor': return Actor.objects(id=_id).first() elif type_ == 'Backdoor': return Backdoor.objects(id=_id).first() elif type_ == 'ActorThreatIdentifier': return ActorThreatIdentifier.objects(id=_id).first() elif type_ == 'Campaign': return Campaign.objects(id=_id).first() elif type_ == 'Certificate': return Certificate.objects(id=_id).first() elif type_ == 'Comment': return Comment.objects(id=_id).first() elif type_ == 'Domain': return Domain.objects(id=_id).first() elif type_ == 'Email': return Email.objects(id=_id).first() elif type_ == 'Event': return Event.objects(id=_id).first() elif type_ == 'Exploit': return Exploit.objects(id=_id).first() elif type_ == 'Indicator': return Indicator.objects(id=_id).first() elif type_ == 'IndicatorAction': return IndicatorAction.objects(id=_id).first() elif type_ == 'IP': return IP.objects(id=_id).first() elif type_ == 'PCAP': return PCAP.objects(id=_id).first() elif type_ == 'RawData': return RawData.objects(id=_id).first() elif type_ == 'RawDataType': return RawDataType.objects(id=_id).first() elif type_ == 'Sample': return Sample.objects(id=_id).first() elif type_ == 'SourceAccess': return SourceAccess.objects(id=_id).first() elif type_ == 'Screenshot': return Screenshot.objects(id=_id).first() elif type_ == 'Target': return Target.objects(id=_id).first() elif type_ == 'UserRole': return UserRole.objects(id=_id).first() else: return None
def add_new_actor(name, aliases=None, description=None, source=None, source_method='', source_reference='', campaign=None, confidence=None, analyst=None, bucket_list=None, ticket=None): """ Add an Actor to CRITs. :param name: The name of the Actor. :type name: str :param aliases: Aliases for the actor. :type aliases: list or str :param description: Description of the actor. :type description: str :param source: Name of the source which provided this information. :type source: str :param source_method: Method of acquiring this data. :type source_method: str :param source_reference: A reference to this data. :type source_reference: str :param campaign: A campaign to attribute to this actor. :type campaign: str :param confidence: Confidence level in the campaign attribution. :type confidence: str ("low", "medium", "high") :param analyst: The user adding this actor. :type analyst: str :param bucket_list: Buckets to assign to this actor. :type bucket_list: str :param ticket: Ticket to assign to this actor. :type ticket: str :returns: dict with keys: "success" (boolean), "message" (str), "object" (if successful) :class:`crits.actors.actor.Actor` """ is_item_new = False retVal = {} actor = Actor.objects(name=name).first() if not actor: actor = Actor() actor.name = name if description: actor.description = description.strip() is_item_new = True if isinstance(source, basestring): source = [create_embedded_source(source, reference=source_reference, method=source_method, analyst=analyst)] if isinstance(campaign, basestring): c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=analyst) campaign = [c] if campaign: for camp in campaign: actor.add_campaign(camp) if source: for s in source: actor.add_source(s) else: return {"success" : False, "message" : "Missing source information."} if not isinstance(aliases, list): aliases = aliases.split(',') for alias in aliases: alias = alias.strip() if alias not in actor.aliases: actor.aliases.append(alias) if bucket_list: actor.add_bucket_list(bucket_list, analyst) if ticket: actor.add_ticket(ticket, analyst) actor.save(username=analyst) # run actor triage if is_item_new: actor.reload() run_triage(actor, analyst) resp_url = reverse('crits.actors.views.actor_detail', args=[actor.id]) retVal['message'] = ('Success! Click here to view the new Actor: ' '<a href="%s">%s</a>' % (resp_url, actor.name)) retVal['success'] = True retVal['object'] = actor retVal['id'] = str(actor.id) return retVal
def class_from_id(type_, _id): """ Return an instantiated class object. :param type_: The CRITs top-level object type. :type type_: str :param _id: The ObjectId to search for. :type _id: str :returns: class which inherits from :class:`crits.core.crits_mongoengine.CritsBaseAttributes` """ # Quick fail if not _id or not type_: return None # doing this to avoid circular imports from crits.actors.actor import ActorThreatIdentifier, Actor from crits.backdoors.backdoor import Backdoor from crits.campaigns.campaign import Campaign from crits.certificates.certificate import Certificate from crits.comments.comment import Comment from crits.core.crits_mongoengine import Action from crits.core.source_access import SourceAccess from crits.core.user_role import UserRole from crits.domains.domain import Domain from crits.emails.email import Email from crits.events.event import Event from crits.exploits.exploit import Exploit from crits.indicators.indicator import Indicator from crits.ips.ip import IP from crits.pcaps.pcap import PCAP from crits.raw_data.raw_data import RawData, RawDataType from crits.samples.sample import Sample from crits.screenshots.screenshot import Screenshot from crits.signatures.signature import Signature, SignatureType, SignatureDependency from crits.targets.target import Target # make sure it's a string _id = str(_id) # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise # the queries below will raise a ValidationError exception. if not ObjectId.is_valid(_id.decode("utf8")): return None if type_ == "Actor": return Actor.objects(id=_id).first() elif type_ == "Backdoor": return Backdoor.objects(id=_id).first() elif type_ == "ActorThreatIdentifier": return ActorThreatIdentifier.objects(id=_id).first() elif type_ == "Campaign": return Campaign.objects(id=_id).first() elif type_ == "Certificate": return Certificate.objects(id=_id).first() elif type_ == "Comment": return Comment.objects(id=_id).first() elif type_ == "Domain": return Domain.objects(id=_id).first() elif type_ == "Email": return Email.objects(id=_id).first() elif type_ == "Event": return Event.objects(id=_id).first() elif type_ == "Exploit": return Exploit.objects(id=_id).first() elif type_ == "Indicator": return Indicator.objects(id=_id).first() elif type_ == "Action": return Action.objects(id=_id).first() elif type_ == "IP": return IP.objects(id=_id).first() elif type_ == "PCAP": return PCAP.objects(id=_id).first() elif type_ == "RawData": return RawData.objects(id=_id).first() elif type_ == "RawDataType": return RawDataType.objects(id=_id).first() elif type_ == "Sample": return Sample.objects(id=_id).first() elif type_ == "Signature": return Signature.objects(id=_id).first() elif type_ == "SignatureType": return SignatureType.objects(id=_id).first() elif type_ == "SignatureDependency": return SignatureDependency.objects(id=_id).first() elif type_ == "SourceAccess": return SourceAccess.objects(id=_id).first() elif type_ == "Screenshot": return Screenshot.objects(id=_id).first() elif type_ == "Target": return Target.objects(id=_id).first() elif type_ == "UserRole": return UserRole.objects(id=_id).first() else: return None
def generate_actor_identifier_jtable(request, option): """ Generate the jtable data for rendering in the list template. :param request: The request for this jtable. :type request: :class:`django.http.HttpRequest` :param option: Action to take. :type option: str of either 'jtlist', 'jtdelete', or 'inline'. :returns: :class:`django.http.HttpResponse` """ obj_type = ActorIdentifier type_ = "actor_identifier" mapper = obj_type._meta['jtable_opts'] if option == "jtlist": # Sets display url details_url = mapper['details_url'] details_url_key = mapper['details_url_key'] fields = mapper['fields'] response = jtable_ajax_list(obj_type, details_url, details_url_key, request, includes=fields) return HttpResponse(json.dumps(response, default=json_handler), content_type="application/json") if option == "jtdelete": response = {"Result": "ERROR"} if jtable_ajax_delete(obj_type, request): obj_id = request.POST.get('id', None) if obj_id: # Remove this identifier from any Actors who reference it. Actor.objects(identifiers__identifier_id=obj_id)\ .update(pull__identifiers__identifier_id=obj_id) response = {"Result": "OK"} return HttpResponse(json.dumps(response, default=json_handler), content_type="application/json") jtopts = { 'title': "Actor Identifiers", 'default_sort': mapper['default_sort'], 'listurl': reverse('crits.actors.views.%ss_listing' % (type_), args=('jtlist', )), 'deleteurl': reverse('crits.actors.views.%ss_listing' % (type_), args=('jtdelete', )), 'searchurl': reverse(mapper['searchurl']), 'fields': mapper['jtopts_fields'], 'hidden_fields': mapper['hidden_fields'], 'linked_fields': mapper['linked_fields'], 'details_link': mapper['details_link'], 'no_sort': mapper['no_sort'] } jtable = build_jtable(jtopts, request) for field in jtable['fields']: if field['fieldname'] == "'name'": url = reverse('crits.actors.views.actors_listing') field['display'] = """ function (data) { return '<a href="%s?q='+data.record.id+'&search_type=actor_identifier&force_full=1">'+data.record.name+'</a>'; } """ % url break jtable['toolbar'] = [ { 'tooltip': "'Add Actor Identifier'", 'text': "'Add Actor Identifier'", 'click': "function () {$('#new-actor-identifier').click()}", }, ] if option == "inline": return render_to_response( "jtable.html", { 'jtable': jtable, 'jtid': '%s_listing' % type_, 'button': '%ss_tab' % type_ }, RequestContext(request)) else: return render_to_response("%s_listing.html" % type_, { 'jtable': jtable, 'jtid': '%s_listing' % type_ }, RequestContext(request))