def create_intrusion_set(
name: str,
intrusion_set_id: Optional[str] = None,
created_by: Optional[Identity] = None,
created: Optional[datetime] = None,
modified: Optional[datetime] = None,
description: Optional[str] = None,
aliases: Optional[List[str]] = None,
first_seen: Optional[datetime] = None,
last_seen: Optional[datetime] = None,
goals: Optional[List[str]] = None,
resource_level: Optional[str] = None,
primary_motivation: Optional[str] = None,
secondary_motivations: Optional[List[str]] = None,
labels: Optional[List[str]] = None,
confidence: Optional[int] = None,
external_references: Optional[List[ExternalReference]] = None,
object_markings: Optional[List[MarkingDefinition]] = None,
) -> IntrusionSet:
"""Create a intrusion set."""
if intrusion_set_id is None:
intrusion_set_id = _create_random_identifier("intrusion-set")
return IntrusionSet(
id=intrusion_set_id,
created_by_ref=created_by,
created=created,
modified=modified,
name=name,
description=description,
aliases=aliases,
first_seen=first_seen,
last_seen=last_seen,
goals=goals,
resource_level=resource_level,
primary_motivation=primary_motivation,
secondary_motivations=secondary_motivations,
labels=labels,
confidence=confidence,
external_references=external_references,
object_marking_refs=object_markings,
)
def amitt_intrusion_set(self):
"""
"""
intrusion_sets = self.intrusionsets.itertuples()
for i in intrusion_sets:
if i.id == "I00000":
continue
external_references = []
if i.type == "intrusion-set":
refs = self.parse_xlsx_reference_tuples(i.references)
for ref in refs:
try:
reference = ExternalReference(
source_name=ref[1],
url=ref[2],
external_id=ref[0]
)
external_references.append(reference)
except IndexError:
pass
try:
created_date = datetime.strptime(i.whenAdded, "%Y-%m-%d")
except:
created_date = datetime.now()
intrusion_set = IntrusionSet(
name=i.name,
description=i.summary,
first_seen=datetime.strptime(str(int(i.firstSeen)), "%Y"),
created=created_date,
custom_properties={
# "x_published": i.whenAdded,
# "x_source": i.sourceCountry,
# "x_target": i.targetCountry,
"x_identified_via": i.foundVia
},
external_references=external_references
)
self.stix_objects.append(intrusion_set)
self.stix_intrusion_set_uuid[i.id] = intrusion_set.id
def create_intrusion_set(
name: str,
aliases: List[str],
author: Identity,
primary_motivation: Optional[str],
secondary_motivations: List[str],
external_references: List[ExternalReference],
object_marking_refs: List[MarkingDefinition],
) -> IntrusionSet:
"""Create an intrusion set."""
return IntrusionSet(
created_by_ref=author,
name=name,
aliases=aliases,
primary_motivation=primary_motivation,
secondary_motivations=secondary_motivations,
labels=["intrusion-set"],
external_references=external_references,
object_marking_refs=object_marking_refs,
)
def _create_intrusion_set(self) -> IntrusionSet:
external_references = self._create_external_references()
name = self.actor.name
if name is None:
name = f"NO_ACTOR_NAME{self.actor.id}"
alias = name.replace(" ", "")
aliases = [alias]
known_as = self.actor.known_as
for known_alias in known_as.split(","):
aliases.append(known_alias.strip())
description = "NO DESCRIPTION"
if self.actor.description is not None and self.actor.description:
description = self.actor.description
elif self.actor.rich_text_description is not None:
description = remove_html_tags(self.actor.rich_text_description)
elif self.actor.short_description is not None:
description = self.actor.short_description
intrusion_set = IntrusionSet(
created_by_ref=self.author,
name=name,
description=description,
aliases=aliases,
first_seen=self.first_seen,
last_seen=self.last_seen,
labels=["intrusion-set"],
external_references=external_references,
object_marking_refs=self.object_marking_refs,
custom_properties={
CustomProperties.ALIASES: aliases,
CustomProperties.FIRST_SEEN: self.first_seen,
CustomProperties.LAST_SEEN: self.last_seen,
},
)
return intrusion_set
def prepare_elements(self, galaxies, author):
elements = {
"intrusion_sets": [],
"malwares": [],
"tools": [],
"attack_patterns": [],
}
added_names = []
for galaxy in galaxies:
# Get the linked intrusion sets
if (
(
galaxy["namespace"] == "mitre-attack"
and galaxy["name"] == "Intrusion Set"
)
or (galaxy["namespace"] == "misp" and galaxy["name"] == "Threat Actor")
or (
galaxy["namespace"] == "misp"
and galaxy["name"] == "Microsoft Activity Group actor"
)
):
for galaxy_entity in galaxy["GalaxyCluster"]:
if " - G" in galaxy_entity["value"]:
name = galaxy_entity["value"].split(" - G")[0]
elif "APT " in galaxy_entity["value"]:
name = galaxy_entity["value"].replace("APT ", "APT")
else:
name = galaxy_entity["value"]
if "meta" in galaxy_entity and "synonyms" in galaxy_entity["meta"]:
aliases = galaxy_entity["meta"]["synonyms"]
else:
aliases = [name]
if name not in added_names:
elements["intrusion_sets"].append(
IntrusionSet(
name=name,
labels=["intrusion-set"],
description=galaxy_entity["description"],
created_by_ref=author,
custom_properties={"x_opencti_aliases": aliases},
)
)
added_names.append(name)
# Get the linked malwares
if (
(galaxy["namespace"] == "mitre-attack" and galaxy["name"] == "Malware")
or (galaxy["namespace"] == "misp" and galaxy["name"] == "Tool")
or (galaxy["namespace"] == "misp" and galaxy["name"] == "Ransomware")
or (galaxy["namespace"] == "misp" and galaxy["name"] == "Android")
or (galaxy["namespace"] == "misp" and galaxy["name"] == "Malpedia")
):
for galaxy_entity in galaxy["GalaxyCluster"]:
if " - S" in galaxy_entity["value"]:
name = galaxy_entity["value"].split(" - S")[0]
else:
name = galaxy_entity["value"]
if "meta" in galaxy_entity and "synonyms" in galaxy_entity["meta"]:
aliases = galaxy_entity["meta"]["synonyms"]
else:
aliases = [name]
if name not in added_names:
elements["malwares"].append(
Malware(
name=name,
labels=["malware"],
description=galaxy_entity["description"],
created_by_ref=author,
custom_properties={"x_opencti_aliases": aliases},
)
)
added_names.append(name)
# Get the linked tools
if galaxy["namespace"] == "mitre-attack" and galaxy["name"] == "Tool":
for galaxy_entity in galaxy["GalaxyCluster"]:
if " - S" in galaxy_entity["value"]:
name = galaxy_entity["value"].split(" - S")[0]
else:
name = galaxy_entity["value"]
if "meta" in galaxy_entity and "synonyms" in galaxy_entity["meta"]:
aliases = galaxy_entity["meta"]["synonyms"]
else:
aliases = [name]
if name not in added_names:
elements["tools"].append(
Tool(
name=name,
labels=["tool"],
description=galaxy_entity["description"],
created_by_ref=author,
custom_properties={"x_opencti_aliases": aliases},
)
)
added_names.append(name)
# Get the linked attack_patterns
if (
galaxy["namespace"] == "mitre-attack"
and galaxy["name"] == "Attack Pattern"
):
for galaxy_entity in galaxy["GalaxyCluster"]:
if " - T" in galaxy_entity["value"]:
name = galaxy_entity["value"].split(" - T")[0]
else:
name = galaxy_entity["value"]
if "meta" in galaxy_entity and "synonyms" in galaxy_entity["meta"]:
aliases = galaxy_entity["meta"]["synonyms"]
else:
aliases = [name]
if name not in added_names:
elements["attack_patterns"].append(
AttackPattern(
name=name,
labels=["attack-pattern"],
description=galaxy_entity["description"],
created_by_ref=author,
custom_properties={
"x_opencti_external_id": galaxy_entity["meta"][
"external_id"
][0],
"x_opencti_aliases": aliases,
},
)
)
added_names.append(name)
return elements
def prepare_elements(self, galaxies):
elements = {'intrusion_sets': [], 'malwares': [], 'tools': [], 'attack_patterns': []}
added_names = []
for galaxy in galaxies:
# Get the linked intrusion sets
if (
(galaxy['namespace'] == 'mitre-attack' and galaxy['name'] == 'Intrusion Set') or
(galaxy['namespace'] == 'misp' and galaxy['name'] == 'Threat Actor') or
(galaxy['namespace'] == 'misp' and galaxy['name'] == 'Microsoft Activity Group actor')
):
for galaxy_entity in galaxy['GalaxyCluster']:
if ' - G' in galaxy_entity['value']:
name = galaxy_entity['value'].split(' - G')[0]
elif 'APT ' in galaxy_entity['value']:
name = galaxy_entity['value'].replace('APT ', 'APT')
else:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity['meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
if name not in added_names:
elements['intrusion_sets'].append(IntrusionSet(
name=name,
labels=['intrusion-set'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}
))
added_names.append(name)
# Get the linked malwares
if (
(galaxy['namespace'] == 'mitre-attack' and galaxy['name'] == 'Malware') or
(galaxy['namespace'] == 'misp' and galaxy['name'] == 'Tool') or
(galaxy['namespace'] == 'misp' and galaxy['name'] == 'Ransomware') or
(galaxy['namespace'] == 'misp' and galaxy['name'] == 'Android') or
(galaxy['namespace'] == 'misp' and galaxy['name'] == 'Malpedia')
):
for galaxy_entity in galaxy['GalaxyCluster']:
if ' - S' in galaxy_entity['value']:
name = galaxy_entity['value'].split(' - S')[0]
else:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity['meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
if name not in added_names:
elements['malwares'].append(Malware(
name=name,
labels=['malware'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}
))
added_names.append(name)
# Get the linked tools
if (
(galaxy['namespace'] == 'mitre-attack' and galaxy['name'] == 'Tool')
):
for galaxy_entity in galaxy['GalaxyCluster']:
if ' - S' in galaxy_entity['value']:
name = galaxy_entity['value'].split(' - S')[0]
else:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity['meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
if name not in added_names:
elements['tools'].append(Tool(
name=name,
labels=['tool'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}
))
added_names.append(name)
# Get the linked attack_patterns
if (
(galaxy['namespace'] == 'mitre-attack' and galaxy['name'] == 'Attack Pattern')
):
for galaxy_entity in galaxy['GalaxyCluster']:
if ' - T' in galaxy_entity['value']:
name = galaxy_entity['value'].split(' - T')[0]
else:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity['meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
if name not in added_names:
elements['attack_patterns'].append(AttackPattern(
name=name,
labels=['attack-pattern'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_external_id': galaxy_entity['meta']['external_id'][0],
'x_opencti_aliases': aliases,
}
))
added_names.append(name)
return elements
def prepare_threats(self, galaxies):
threats = []
for galaxy in galaxies:
# MITRE galaxies
if galaxy['namespace'] == 'mitre-attack':
if galaxy['name'] == 'Intrusion Set':
for galaxy_entity in galaxy['GalaxyCluster']:
if ' - G' in galaxy_entity['value']:
name = galaxy_entity['value'].split(' - G')[0]
else:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[
'meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
threats.append(
IntrusionSet(
name=name,
labels=['intrusion-set'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}))
if galaxy['name'] == 'Malware':
for galaxy_entity in galaxy['GalaxyCluster']:
if ' - S' in galaxy_entity['value']:
name = galaxy_entity['value'].split(' - S')[0]
else:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[
'meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
threats.append(
Malware(name=name,
labels=['malware'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}))
if galaxy['name'] == 'Tool':
for galaxy_entity in galaxy['GalaxyCluster']:
if ' - S' in galaxy_entity['value']:
name = galaxy_entity['value'].split(' - S')[0]
else:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[
'meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
threats.append(
Tool(name=name,
labels=['tool'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}))
if galaxy['namespace'] == 'misp':
if galaxy['name'] == 'Threat Actor':
for galaxy_entity in galaxy['GalaxyCluster']:
if 'APT ' in galaxy_entity['value']:
name = galaxy_entity['value'].replace(
'APT ', 'APT')
else:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[
'meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
threats.append(
IntrusionSet(
name=name,
labels=['intrusion-set'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}))
if galaxy['name'] == 'Tool':
for galaxy_entity in galaxy['GalaxyCluster']:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[
'meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
threats.append(
Malware(name=name,
labels=['malware'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}))
if galaxy['name'] == 'Ransomware':
for galaxy_entity in galaxy['GalaxyCluster']:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[
'meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
threats.append(
Malware(name=name,
labels=['malware'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}))
if galaxy['name'] == 'Malpedia':
for galaxy_entity in galaxy['GalaxyCluster']:
name = galaxy_entity['value']
if 'meta' in galaxy_entity and 'synonyms' in galaxy_entity[
'meta']:
aliases = galaxy_entity['meta']['synonyms']
else:
aliases = [name]
threats.append(
Malware(name=name,
labels=['malware'],
description=galaxy_entity['description'],
custom_properties={
'x_opencti_aliases': aliases
}))
return threats
