ファイル: addsec_to_stix.py プロジェクト: heindl/stix_toolkit
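# Addition Security enumeration values used for routing below. The numeric
# values and their meanings are taken from the original inline comments;
# confirm against addsec_cti_pb2 if the protobuf schema changes.
_OBSERVATION_TYPE_CUSTOMER_DATA = 8   # observationType 8: CustomerData (proprietary message)
_DEVICE_INFO_TEST_IDS = (1, 2)        # testId values carrying device information
_SDK_VERSION_INFO_TEST_ID = 8         # testId 8: SDKVersionInfo (product information)


def _hex_encode(raw):
    """Return the lowercase hex string for a bytes-like value.

    Replaces the Python-2-only ``str.encode('hex')`` codec (which raises
    LookupError / AttributeError on Python 3); iterating a ``bytearray``
    yields ints on both interpreters, so this works unchanged on either.
    """
    return "".join("%02x" % byte for byte in bytearray(raw))


def _add_custom_property(custom_obj, name, value):
    """Append one name/value ``Property`` to a CybOX ``Custom`` object."""
    prop = Property()
    prop.name = name
    prop.value = value
    custom_obj.custom_properties.append(prop)


def _build_source_objects(as_report):
    """Describe the reporting entity as CybOX Product, Device and Custom objects.

    Returns a ``(product, device, custom)`` tuple. ``product`` and ``device``
    start with static values; the caller enriches them from device/product
    sightings while walking the report.
    """
    cybox_product = Product()
    cybox_product.product = "MobileAwareness"
    cybox_product.vendor = "Addition Security"

    cybox_device = Device()
    cybox_device.device_type = "Mobile Device"

    cybox_custom_sourceapp = Custom()
    cybox_custom_sourceapp.custom_name = "addsec:sourceApplication"
    cybox_custom_sourceapp.custom_properties = CustomProperties()

    # organizationId / systemId are raw binary bytes from the report; hex-encode
    # them so arbitrary bytes never land directly in an XML text node.
    # applicationId is the bundleId/packageId of the hosting app and is copied
    # through as-is — it is device-supplied text, so XML escaping of it is left
    # to the CybOX serializer.
    _add_custom_property(cybox_custom_sourceapp, "organizationId",
                         _hex_encode(as_report.organizationId))
    _add_custom_property(cybox_custom_sourceapp, "application",
                         as_report.applicationId)
    _add_custom_property(cybox_custom_sourceapp, "instanceId",
                         _hex_encode(as_report.systemId))

    return cybox_product, cybox_device, cybox_custom_sourceapp


def _sighting_to_indicator(as_sighting):
    """Build a STIX Indicator (with one Sighting) from an Addition Security sighting.

    The indicator id is derived from the test ID / sub-ID as
    ``addsec:asma-<testId>-<testSubId>``. Every observable attached to the
    sighting that ``addsec_to_cybox`` converts to a CybOX object becomes a
    ``RelatedObservable`` on the sighting.
    """
    indicator_id = "addsec:asma-%d-%d" % (as_sighting.testId,
                                          as_sighting.testSubId)
    stix_indicator = Indicator(id_=indicator_id)
    stix_indicator.title = addsec_title_lookup(as_sighting.testId,
                                               as_sighting.testSubId)

    stix_sighting = Sighting()
    stix_indicator.sightings = stix_sighting
    # NOTE(review): fromtimestamp() without a tz yields a naive local-time
    # datetime, so the serialized sighting time depends on the host timezone;
    # a tz-aware UTC value would be unambiguous for downstream consumers.
    # An out-of-range timestamp in the report makes fromtimestamp() raise,
    # which aborts the whole transform.
    stix_sighting.timestamp = datetime.datetime.fromtimestamp(
        as_sighting.timestamp)
    # A confidence of 0 is left unset rather than mapped.
    if as_sighting.confidence > 0:
        stix_sighting.confidence = addsec_to_stix_confidence(
            as_sighting.confidence)

    for as_observable in as_sighting.datas:
        cybox_obj = addsec_to_cybox(as_observable.dataType,
                                    as_observable.data)
        # addsec_to_cybox may return None (presumably an unmapped dataType);
        # those observables are dropped.
        if cybox_obj is not None:
            stix_sighting.related_observables.append(
                RelatedObservable(Observable(cybox_obj)))

    return stix_indicator


def transform(addsec_data):
    """Convert a serialized Addition Security report into a STIX package (XML).

    Args:
        addsec_data: raw protobuf-encoded ``addsec_cti_pb2.Report`` bytes as
            received over the reporting channel. Treated as untrusted input:
            it is only parsed and copied into STIX/CybOX fields.

    Returns:
        The resulting STIX package serialized with ``STIXPackage.to_xml()``.

    Raises:
        Whatever ``Report.ParseFromString`` raises on malformed input
        (protobuf ``DecodeError``) is propagated unchanged.
    """
    # Parse the Addition Security protobuf object, which carries a STIX-like report
    as_report = addsec_cti_pb2.Report()
    as_report.ParseFromString(addsec_data)

    # New STIX package & report container
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.description = "Addition Security Report"
    stix_report = Report()

    # The reporting entity is described by three CybOX objects. They are added
    # to the report before the sighting loop on purpose: device/product
    # sightings below enrich these same objects in place.
    cybox_product, cybox_device, cybox_custom_sourceapp = _build_source_objects(as_report)
    stix_report.add_observable(cybox_product)
    stix_report.add_observable(cybox_device)
    stix_report.add_observable(cybox_custom_sourceapp)

    for as_sighting in as_report.observations:
        # Customers may transit proprietary messages over the reporting channel;
        # they appear as a "Customer Message" indicator with a string payload
        # and are unrelated to STIX, so they are filtered out here.
        if as_sighting.observationType == _OBSERVATION_TYPE_CUSTOMER_DATA:
            continue

        # Device-related sightings are re-routed into the CybOX Device object
        # instead of becoming an indicator with a sighting.
        if as_sighting.testId in _DEVICE_INFO_TEST_IDS:
            addsec_to_cybox_device(cybox_device, as_sighting)
            continue

        # Ditto for reported product (SDK version) information.
        if as_sighting.testId == _SDK_VERSION_INFO_TEST_ID:
            addsec_to_cybox_product(cybox_product, as_sighting)
            continue

        # Everything else becomes an indicator with its sighting & related observables
        stix_report.add_indicator(_sighting_to_indicator(as_sighting))

    # Finalize the STIX report and output the XML
    stix_package.reports = stix_report
    return stix_package.to_xml()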