class IndirectImpactSummary(stix.Entity): _namespace = "http://stix.mitre.org/Incident-1" _binding = incident_binding _binding_class = incident_binding.IndirectImpactSummaryType loss_of_competitive_advantage = vocabs.VocabField("Loss_Of_Competitive_Advantage", vocabs.SecurityCompromise) brand_and_market_damage = vocabs.VocabField("Brand_And_Market_Damage", vocabs.SecurityCompromise) increased_operating_costs = vocabs.VocabField("Increased_Operating_Costs", vocabs.SecurityCompromise) legal_and_regulatory_costs = vocabs.VocabField("Legal_And_Regulatory_Costs", vocabs.SecurityCompromise) def __init__(self): super(IndirectImpactSummary, self).__init__()
class PropertyAffected(stix.Entity): _namespace = "http://stix.mitre.org/Incident-1" _binding = incident_binding _binding_class = incident_binding.PropertyAffectedType property_ = vocabs.VocabField("Property", vocabs.LossProperty, key_name="property") descriptions_of_effect = fields.TypedField("Description_Of_Effect", StructuredTextList) type_of_availability_loss = vocabs.VocabField("Type_Of_Availability_Loss", vocabs.AvailabilityLossType) duration_of_availability_loss = vocabs.VocabField( "Duration_Of_Availability_Loss", vocabs.LossDuration) non_public_data_compromised = fields.TypedField( "Non_Public_Data_Compromised", NonPublicDataCompromised) def __init__(self): super(PropertyAffected, self).__init__() self.descriptions_of_effect = StructuredTextList() @property def description_of_effect(self): """A :class:`.StructuredTextList` object, containing descriptions about the purpose or intent of this object. Iterating over this object will yield its contents sorted by their ``ordinality`` value. Default Value: Empty :class:`.StructuredTextList` object. Note: IF this is set to a value that is not an instance of :class:`.StructuredText`, an effort will ne made to convert it. If this is set to an iterable, any values contained that are not an instance of :class:`.StructuredText` will be be converted. Returns: An instance of :class:`.StructuredTextList` """ return next(iter(self.descriptions_of_effect), None) @description_of_effect.setter def description_of_effect(self, value): self.descriptions_of_effect = value
class VictimTargeting(stix.Entity): _binding = ttp_binding _binding_class = _binding.VictimTargetingType _namespace = "http://stix.mitre.org/TTP-1" identity = fields.TypedField("Identity", Identity, factory=IdentityFactory) targeted_systems = vocabs.VocabField("Targeted_Systems", vocabs.SystemType, multiple=True) targeted_information = vocabs.VocabField("Targeted_Information", vocabs.InformationType, multiple=True) targeted_technical_details = fields.TypedField("Targeted_Technical_Details", Observables) def __init__(self): super(VictimTargeting, self).__init__() def add_targeted_system(self, system): self.targeted_systems.append(system) def add_targeted_information(self, targeted_information): self.targeted_information.append(targeted_information)
class ImpactAssessment(stix.Entity): _namespace = "http://stix.mitre.org/Incident-1" _binding = incident_binding _binding_class = incident_binding.ImpactAssessmentType direct_impact_summary = fields.TypedField("Direct_Impact_Summary", DirectImpactSummary) indirect_impact_summary = fields.TypedField("Indirect_Impact_Summary", IndirectImpactSummary) total_loss_estimation = fields.TypedField("Total_Loss_Estimation", TotalLossEstimation) impact_qualification = vocabs.VocabField("Impact_Qualification", vocabs.ImpactQualification) effects = fields.TypedField( "Effects", type_="stix.incident.impact_assessment.Effects") def __init__(self): super(ImpactAssessment, self).__init__() self.direct_impact_summary = None self.indirect_impact_summary = None self.total_loss_estimation = None self.impact_qualification = None self.effects = None
class AffectedAsset(stix.Entity): _namespace = "http://stix.mitre.org/Incident-1" _binding = incident_binding _binding_class = incident_binding.AffectedAssetType descriptions = fields.TypedField("Description", StructuredTextList) business_function_or_roles = fields.TypedField("Business_Function_Or_Role", StructuredTextList) ownership_class = vocabs.VocabField("Ownership_Class", vocabs.OwnershipClass) management_class = vocabs.VocabField("Management_Class", vocabs.ManagementClass) location_class = vocabs.VocabField("Location_Class", vocabs.LocationClass) # location = fields.TypedField("Location") nature_of_security_effect = fields.TypedField( "Nature_Of_Security_Effect", type_="stix.incident.affected_asset.NatureOfSecurityEffect") structured_description = fields.TypedField("Structured_Description", Observables) type_ = fields.TypedField("Type", type_="stix.incident.affected_asset.AssetType", key_name="type") def __init__(self): super(AffectedAsset, self).__init__() self.description = StructuredTextList() self.business_function_or_role = StructuredTextList() @property def description(self): """A single description about the contents or purpose of this object. Default Value: ``None`` Note: If this object has more than one description set, this will return the description with the lowest ordinality value. Returns: An instance of :class:`.StructuredText` """ return next(iter(self.descriptions), None) @description.setter def description(self, value): self.descriptions = value def add_description(self, description): """Adds a description to the ``descriptions`` collection. This is the same as calling "foo.descriptions.add(bar)". """ self.descriptions.add(description) @property def business_function_or_role(self): return next(iter(self.business_functions_or_roles), None) @business_function_or_role.setter def business_function_or_role(self, value): self.business_functions_or_roles = value def add_property_affected(self, v): self.nature_of_security_effect.append(v)
class Incident(stix.BaseCoreComponent): """Implementation of the STIX Incident. Args: id_ (optional): An identifier. If ``None``, a value will be generated via ``mixbox.idgen.create_id()``. If set, this will unset the ``idref`` property. idref (optional): An identifier reference. If set this will unset the ``id_`` property. timestamp (optional): A timestamp value. Can be an instance of ``datetime.datetime`` or ``str``. description: A description of the purpose or intent of this object. short_description: A short description of the intent or purpose of this object. title: The title of this object. """ _binding = incident_binding _binding_class = _binding.IncidentType _namespace = "http://stix.mitre.org/Incident-1" _version = "1.2" _ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2") _ID_PREFIX = 'incident' status = vocabs.VocabField("Status", vocabs.IncidentStatus) time = fields.TypedField("Time", Time) victims = fields.TypedField("Victim", Identity, factory=IdentityFactory, multiple=True, key_name="victims") attributed_threat_actors = fields.TypedField("Attributed_Threat_Actors", type_="stix.incident.AttributedThreatActors") related_indicators = fields.TypedField("Related_Indicators", type_="stix.incident.RelatedIndicators") related_observables = fields.TypedField("Related_Observables", type_="stix.incident.RelatedObservables") related_incidents = fields.TypedField("Related_Incidents", type_="stix.incident.RelatedIncidents") related_packages = fields.TypedField("Related_Packages", RelatedPackageRefs) affected_assets = fields.TypedField("Affected_Assets", type_="stix.incident.AffectedAssets") categories = fields.TypedField("Categories", type_="stix.incident.IncidentCategories") intended_effects = StatementField("Intended_Effect", Statement, vocab_type=vocabs.IntendedEffect, multiple=True, key_name="intended_effects") leveraged_ttps = fields.TypedField("Leveraged_TTPs", type_="stix.incident.LeveragedTTPs") discovery_methods = vocabs.VocabField("Discovery_Method", vocabs.DiscoveryMethod, multiple=True, key_name="discovery_methods") reporter = fields.TypedField("Reporter", InformationSource) responders = fields.TypedField("Responder", InformationSource, multiple=True, key_name="responders") coordinators = fields.TypedField("Coordinator", InformationSource, multiple=True, key_name="coordinators") external_ids = fields.TypedField("External_ID", ExternalID, multiple=True, key_name="external_ids") impact_assessment = fields.TypedField("Impact_Assessment", ImpactAssessment) security_compromise = vocabs.VocabField("Security_Compromise", vocabs.SecurityCompromise) confidence = fields.TypedField("Confidence", Confidence) coa_taken = fields.TypedField("COA_Taken", COATaken, multiple=True) coa_requested = fields.TypedField("COA_Requested", COARequested, multiple=True) history = fields.TypedField("History", History) information_source = fields.TypedField("Information_Source", InformationSource) url = fields.TypedField("URL") contacts = fields.TypedField("Contact", InformationSource, multiple=True, key_name="contacts") def __init__(self, id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None): super(Incident, self).__init__( id_=id_, idref=idref, timestamp=timestamp, title=title, description=description, short_description=short_description ) self.related_indicators = RelatedIndicators() self.related_observables = RelatedObservables() self.related_incidents = RelatedIncidents() self.related_packages = RelatedPackageRefs() self.categories = IncidentCategories() self.affected_assets = AffectedAssets() self.leveraged_ttps = LeveragedTTPs() def add_intended_effect(self, value): """Adds a :class:`.Statement` object to the :attr:`intended_effects` collection. If `value` is a string, an attempt will be made to convert it into an instance of :class:`.Statement`. """ self.intended_effects.append(value) def add_leveraged_ttps(self, ttp): """Adds a :class:`.RelatedTTP` value to the :attr:`leveraged_ttps` collection. """ self.leveraged_ttps.append(ttp) def add_victim(self, victim): """Adds a :class:`.IdentityType` value to the :attr:`victims` collection. """ self.victims.append(victim) def add_category(self, category): """Adds a :class:`.VocabString` object to the :attr:`categories` collection. If `category` is a string, an attempt will be made to convert it into an instance of :class:`.IncidentCategory`. """ self.categories.append(category) def add_affected_asset(self, v): """Adds a :class:`.AffectedAsset` object to the :attr:`affected_assets` collection. """ self.affected_assets.append(v) def add_discovery_method(self, value): """Adds a :class:`.VocabString` object to the :attr:`discovery_methods` collection. If `value` is a string, an attempt will be made to convert it to an instance of :class:`.DiscoveryMethod`. """ self.discovery_methods.append(value) def add_responder(self, value): """Adds a :class:`.InformationSource` object to the :attr:`responders` collection. """ self.responders.append(value) def add_coordinator(self, value): """Adds a :class:`.InformationSource` object to the :attr:`coordinators` collection. """ self.coordinators.append(value) def add_external_id(self, value): """Adds a :class:`.ExternalID` object to the :attr:`external_ids` collection. """ self.external_ids.append(value) def add_coa_taken(self, value): """Adds a :class:`.COATaken` object to the :attr:`coas_taken` collection. """ self.coa_taken.append(value) def add_coa_requested(self, value): """Adds a :class:`.COARequested` object to the :attr:`coas_requested` collection. """ self.coa_requested.append(value) def add_related_indicator(self, value): """Adds an Related Indicator to the :attr:`related_indicators` list property of this :class:`Incident`. The `indicator` parameter must be an instance of :class:`.RelatedIndicator` or :class:`Indicator`. If the `indicator` parameter is ``None``, no item will be added to the ``related_indicators`` list property. Calling this method is the same as calling ``append()`` on the ``related_indicators`` property. See Also: The :class:`RelatedIndicators` documentation. Note: If the `indicator` parameter is not an instance of :class:`.RelatedIndicator` an attempt will be made to convert it to one. Args: indicator: An instance of :class:`Indicator` or :class:`.RelatedIndicator`. Raises: ValueError: If the `indicator` parameter cannot be converted into an instance of :class:`.RelatedIndicator` """ self.related_indicators.append(value) def add_related_observable(self, value): """Adds a Related Observable to the ``related_observables`` list property of this :class:`Incident`. The `observable` parameter must be an instance of :class:`.RelatedObservable` or :class:`Observable`. If the `observable` parameter is ``None``, no item will be added to the ``related_observables`` list property. Calling this method is the same as calling ``append()`` on the ``related_observables`` property. See Also: The :class:`RelatedObservables` documentation. Note: If the `observable` parameter is not an instance of :class:`.RelatedObservable` an attempt will be made to convert it to one. Args: observable: An instance of :class:`Observable` or :class:`.RelatedObservable`. Raises: ValueError: If the `value` parameter cannot be converted into an instance of :class:`.RelatedObservable` """ self.related_observables.append(value) def add_related_package(self, value): self.related_packages.append(value) def add_related_incidents(self, value): self.related_incidents.append(value)
class MalwareInstance(stix.Entity): _binding = ttp_binding _binding_class = _binding.MalwareInstanceType _namespace = "http://stix.mitre.org/TTP-1" _XSI_TYPE = None # defined by subclasses id_ = fields.IdField("id") idref = fields.IdrefField("idref") title = fields.TypedField("Title") descriptions = fields.TypedField("Description", type_="stix.common.StructuredTextList") short_descriptions = fields.TypedField( "Short_Description", type_="stix.common.StructuredTextList") names = vocabs.VocabField("Name", type_=VocabString, multiple=True, key_name="names") types = vocabs.VocabField("Type", type_=vocabs.MalwareType, multiple=True, key_name="types") def __init__(self, id_=None, idref=None, title=None, description=None, short_description=None): super(MalwareInstance, self).__init__() self.id_ = id_ self.idref = idref self.title = title self.description = StructuredTextList(description) self.short_description = StructuredTextList(short_description) @property def description(self): """A single description about the contents or purpose of this object. Default Value: ``None`` Note: If this object has more than one description set, this will return the description with the lowest ordinality value. Returns: An instance of :class:`.StructuredText` """ if self.descriptions is None: self.descriptions = StructuredTextList() return next(iter(self.descriptions), None) @description.setter def description(self, value): self.descriptions = value def add_description(self, description): """Adds a description to the ``descriptions`` collection. This is the same as calling "foo.descriptions.add(bar)". """ self.descriptions.add(description) @property def short_description(self): """A single short description about the contents or purpose of this object. Default Value: ``None`` Note: If this object has more than one short description set, this will return the description with the lowest ordinality value. Returns: An instance of :class:`.StructuredText` """ if self.short_descriptions is None: self.short_descriptions = [] return next(iter(self.short_descriptions), None) @short_description.setter def short_description(self, value): self.short_descriptions = value def add_short_description(self, description): """Adds a description to the ``short_descriptions`` collection. This is the same as calling "foo.short_descriptions.add(bar)". """ self.short_descriptions.add(description) def add_name(self, name): self.names.append(name) def add_type(self, type_): self.types.append(type_) @staticmethod def lookup_class(xsi_type): if not xsi_type: raise ValueError("xsi:type is required") return stix.lookup_extension(xsi_type)