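def _add_stix_indicators(self, final_indicator_objects, ttp_id):
    """Create and add STIX Indicators for a list of Object History entries.

    Link each Indicator to their Indicated TTP.

    Note:
        Each STIX Indicator is added to the STIX Package stored in the
        ``stix_package`` class member.

    Args:
        final_indicator_objects: a list of
            ``maec.bundle.object_history.ObjectHistoryEntry`` objects
            representing the final, pruned list of Objects to be used in
            the STIX Indicators.
        ttp_id: the id of the STIX TTP that each STIX Indicator should
            reference as its Indicated TTP.
    """
    # Deduplicate the Objects on the value key computed by
    # BundleDeduplicator and merge the Action names of duplicates into the
    # first occurrence. Three parallel lists are kept (rather than a dict)
    # because the value key is not known to be hashable.
    object_values_list = []
    final_object_list = []
    actions_list = []
    for entry in final_indicator_objects:
        obj = entry.object
        obj_values = BundleDeduplicator.get_object_values(obj)
        if obj_values in object_values_list:
            # Already seen: extend our own copy of the Action names.
            # The original ``existing_actions += ...`` only worked when
            # get_action_names() returned a list; for any other sequence the
            # rebinding was lost and the merged names silently dropped.
            existing_index = object_values_list.index(obj_values)
            actions_list[existing_index].extend(entry.get_action_names())
        else:
            object_values_list.append(obj_values)
            final_object_list.append(obj)
            # Copy so we never mutate a list owned by the entry.
            actions_list.append(list(entry.get_action_names()))

    # Create one STIX Indicator per deduplicated Object. zip() keeps the
    # Object/Action pairing positional instead of list.index(), which
    # compared by equality and was quadratic.
    for obj, action_names in zip(final_object_list, actions_list):
        indicator = Indicator()
        indicator.title = "Malware Artifact Extracted from MAEC Document"
        indicator.add_indicator_type("Malware Artifacts")
        indicator.add_observable(obj.properties)

        # Action-derived description. With no Action names the previous
        # slicing produced the bare prefix (no trailing ": "); kept as-is.
        prefix = "Corresponding Action(s)"
        if action_names:
            indicator.description = prefix + ": " + ", ".join(action_names)
        else:
            indicator.description = prefix

        # Tool-generated content is deliberately marked Low confidence so a
        # consumer does not act on it without analyst review.
        confidence = Confidence()
        confidence.value = "Low"
        confidence.description = "Tool-generated Indicator. It is HIGHLY recommended that it be vetted by a human analyst before usage."
        indicator.confidence = confidence

        # Link the Indicator to its Indicated TTP by reference only
        indicator.add_indicated_ttp(TTP(idref=ttp_id))

        # Add the Indicator to the STIX Package
        self.stix_package.add_indicator(indicator)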
def from_dict(cls, dict_repr, return_obj=None):
    """Build a ThreatActor from its dictionary representation.

    Args:
        dict_repr: the ``dict`` form of a ThreatActor; a falsy value yields
            ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(ThreatActor, cls).from_dict(dict_repr, return_obj=return_obj)

    # (attribute name == dict key, parser), in assignment order.
    field_parsers = (
        ("identity", Identity.from_dict),
        ("types", _Types.from_dict),
        ("motivations", _Motivations.from_dict),
        ("sophistications", _Sophistications.from_dict),
        ("intended_effects", _IntendedEffects.from_dict),
        ("planning_and_operational_supports", _PlanningAndOperationalSupports.from_dict),
        ("observed_ttps", ObservedTTPs.from_dict),
        ("associated_campaigns", AssociatedCampaigns.from_dict),
        ("associated_actors", AssociatedActors.from_dict),
        ("confidence", Confidence.from_dict),
        ("related_packages", RelatedPackageRefs.from_dict),
    )
    for name, parse in field_parsers:
        setattr(return_obj, name, parse(dict_repr.get(name)))
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Build a ThreatActor from its generated binding object.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy. The
        ThreatActor-specific fields are only read when ``obj`` is an
        instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(ThreatActor, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        # (attribute, binding attribute, parser) for ThreatActorType
        field_parsers = (
            ("identity", "Identity", Identity.from_obj),
            ("types", "Type", _Types.from_obj),
            ("motivations", "Motivation", _Motivations.from_obj),
            ("sophistications", "Sophistication", _Sophistications.from_obj),
            ("intended_effects", "Intended_Effect", _IntendedEffects.from_obj),
            ("planning_and_operational_supports", "Planning_And_Operational_Support", _PlanningAndOperationalSupports.from_obj),
            ("observed_ttps", "Observed_TTPs", ObservedTTPs.from_obj),
            ("associated_campaigns", "Associated_Campaigns", AssociatedCampaigns.from_obj),
            ("associated_actors", "Associated_Actors", AssociatedActors.from_obj),
            ("confidence", "Confidence", Confidence.from_obj),
            ("related_packages", "Related_Packages", RelatedPackageRefs.from_obj),
        )
        for attr, binding_attr, parse in field_parsers:
            setattr(return_obj, attr, parse(getattr(obj, binding_attr)))
    return return_obj
def from_dict(cls, dict_repr, return_obj=None):
    """Build an Indicator from its dictionary representation.

    Args:
        dict_repr: the ``dict`` form of an Indicator; a falsy value yields
            ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(Indicator, cls).from_dict(dict_repr, return_obj=return_obj)

    # (attribute name == dict key, parser); None stores the raw value.
    field_parsers = (
        ("negate", None),
        ("alternative_id", None),
        ("indicated_ttps", _IndicatedTTPs.from_dict),
        ("test_mechanisms", TestMechanisms.from_list),
        ("suggested_coas", SuggestedCOAs.from_dict),
        ("sightings", Sightings.from_dict),
        ("composite_indicator_expression", CompositeIndicatorExpression.from_dict),
        ("kill_chain_phases", KillChainPhasesReference.from_dict),
        ("related_indicators", RelatedIndicators.from_dict),
        ("likely_impact", Statement.from_dict),
        ("indicator_types", IndicatorTypes.from_list),
        ("confidence", Confidence.from_dict),
        ("valid_time_positions", _ValidTimePositions.from_dict),
        ("observable", Observable.from_dict),
        ("producer", InformationSource.from_dict),
        ("related_campaigns", RelatedCampaignRefs.from_dict),
        ("related_packages", RelatedPackageRefs.from_dict),
    )
    for name, parse in field_parsers:
        raw = dict_repr.get(name)
        setattr(return_obj, name, raw if parse is None else parse(raw))
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Populate an instance from a generated binding object.

    The field set (identity, types, motivations, ...) is that of a
    ThreatActor; id/idref/timestamp are always copied, the remaining
    ThreatActorType properties only when ``obj`` is a ``cls._binding_class``.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    def _each(parse):
        # Parse every element of a binding list with *parse*.
        return lambda items: [parse(x) for x in items]

    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp
    if not isinstance(obj, cls._binding_class):
        return return_obj

    # ThreatActorType properties: (attribute, binding attribute, converter);
    # a converter of None stores the raw binding value.
    field_parsers = (
        ("version", "version", None),
        ("title", "Title", None),
        ("description", "Description", StructuredText.from_obj),
        ("short_description", "Short_Description", StructuredText.from_obj),
        ("identity", "Identity", Identity.from_obj),
        ("types", "Type", _each(Statement.from_obj)),
        ("motivations", "Motivation", _each(Statement.from_obj)),
        ("sophistications", "Sophistication", _each(Statement.from_obj)),
        ("intended_effects", "Intended_Effect", _each(Statement.from_obj)),
        ("planning_and_operational_supports", "Planning_And_Operational_Support", _each(Statement.from_obj)),
        ("observed_ttps", "Observed_TTPs", ObservedTTPs.from_obj),
        ("associated_campaigns", "Associated_Campaigns", AssociatedCampaigns.from_obj),
        ("associated_actors", "Associated_Actors", AssociatedActors.from_obj),
        ("handling", "Handling", Marking.from_obj),
        ("confidence", "Confidence", Confidence.from_obj),
        ("information_source", "Information_Source", InformationSource.from_obj),
        ("related_packages", "Related_Packages", RelatedPackageRefs.from_obj),
    )
    for attr, binding_attr, convert in field_parsers:
        raw = getattr(obj, binding_attr)
        setattr(return_obj, attr, raw if convert is None else convert(raw))
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Build an Incident from its generated binding object.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``. Incident-specific fields are
        read only when ``obj`` is an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(Incident, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        # (attribute, binding attribute, parser), in assignment order.
        field_parsers = (
            ("time", "Time", Time.from_obj),
            ("victims", "Victim", _Victims.from_obj),
            ("categories", "Categories", IncidentCategories.from_obj),
            ("intended_effects", "Intended_Effect", _IntendedEffects.from_obj),
            ("affected_assets", "Affected_Assets", AffectedAssets.from_obj),
            ("discovery_methods", "Discovery_Method", DiscoveryMethods.from_obj),
            ("coa_taken", "COA_Taken", _COAsTaken.from_obj),
            ("confidence", "Confidence", Confidence.from_obj),
            ("attributed_threat_actors", "Attributed_Threat_Actors", AttributedThreatActors.from_obj),
            ("related_indicators", "Related_Indicators", RelatedIndicators.from_obj),
            ("related_observables", "Related_Observables", RelatedObservables.from_obj),
            ("leveraged_ttps", "Leveraged_TTPs", LeveragedTTPs.from_obj),
            ("related_incidents", "Related_Incidents", RelatedIncidents.from_obj),
            ("status", "Status", VocabString.from_obj),
            ("handling", "Handling", Marking.from_obj),
            ("history", "History", History.from_obj),
            ("responders", "Responder", _InformationSources.from_obj),
            ("coordinators", "Coordinator", _InformationSources.from_obj),
            ("external_ids", "External_ID", _ExternalIDs.from_obj),
            ("reporter", "Reporter", InformationSource.from_obj),
            ("impact_assessment", "Impact_Assessment", ImpactAssessment.from_obj),
            ("security_compromise", "Security_Compromise", VocabString.from_obj),
        )
        for attr, binding_attr, parse in field_parsers:
            setattr(return_obj, attr, parse(getattr(obj, binding_attr)))
    return return_obj
def from_dict(cls, dict_repr, return_obj=None):
    """Build a Campaign from its dictionary representation.

    Args:
        dict_repr: the ``dict`` form of a Campaign; a falsy value yields
            ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(Campaign, cls).from_dict(dict_repr, return_obj=return_obj)

    # (attribute name == dict key, parser), in assignment order.
    field_parsers = (
        ("names", Names.from_dict),
        ("intended_effects", _IntendedEffects.from_dict),
        ("status", VocabString.from_dict),
        ("related_ttps", RelatedTTPs.from_dict),
        ("related_incidents", RelatedIncidents.from_dict),
        ("related_indicators", RelatedIndicators.from_dict),
        ("attribution", _AttributionList.from_list),
        ("associated_campaigns", AssociatedCampaigns.from_dict),
        ("confidence", Confidence.from_dict),
        ("activity", _Activities.from_dict),
        ("related_packages", RelatedPackageRefs.from_dict),
    )
    for name, parse in field_parsers:
        setattr(return_obj, name, parse(dict_repr.get(name)))
    return return_obj
def confidence(self, value):
    """Set ``_confidence``, coercing plain values into a ``Confidence``.

    Args:
        value: ``None``/falsy clears the field; a ``Confidence`` instance is
            stored unchanged; any other value is wrapped as
            ``Confidence(value=value)``.
    """
    if not value:
        wrapped = None
    elif isinstance(value, Confidence):
        wrapped = value
    else:
        wrapped = Confidence(value=value)
    self._confidence = wrapped
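def main():
    """Build a STIX Package with one blocking Course of Action and print it.

    The COA's parameter observable is the IPv4 address named in the title,
    so the package expresses "block traffic to this address". The original
    used the Python 2 ``print`` statement; the call form below behaves the
    same on Python 2 for a single argument and also runs on Python 3.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()

    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")
    coa.objective = obj

    # Assigning a plain string relies on the property setters wrapping it
    # in the proper STIX type; the impact description is then set on the
    # wrapped object.
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)

    pkg.add_course_of_action(coa)
    print(pkg.to_xml())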
def from_dict(cls, dict_repr, return_obj=None):
    """Populate an instance from its dictionary representation.

    The field set (identity, types, motivations, ...) is that of a
    ThreatActor. Missing list-valued keys default to an empty list.

    Args:
        dict_repr: the ``dict`` form; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()

    def _each(parse):
        # Parse every element of a list-valued key with *parse*.
        return lambda items: [parse(x) for x in items]

    # (attribute, dict key, default, converter), in assignment order;
    # a converter of None stores the raw value.
    field_parsers = (
        ("id_", "id", None, None),
        ("idref", "idref", None, None),
        ("timestamp", "timestamp", None, None),
        ("version", "version", None, None),
        ("title", "title", None, None),
        ("description", "description", None, StructuredText.from_dict),
        ("short_description", "short_description", None, StructuredText.from_dict),
        ("identity", "identity", None, Identity.from_dict),
        ("types", "types", (), _each(Statement.from_dict)),
        ("motivations", "motivations", (), _each(Statement.from_dict)),
        ("sophistications", "sophistications", (), _each(Statement.from_dict)),
        ("intended_effects", "intended_effects", (), _each(Statement.from_dict)),
        ("planning_and_operational_supports", "planning_and_operational_supports", (), _each(Statement.from_dict)),
        ("observed_ttps", "observed_ttps", None, ObservedTTPs.from_dict),
        ("associated_campaigns", "associated_campaigns", None, AssociatedCampaigns.from_dict),
        ("associated_actors", "associated_actors", None, AssociatedActors.from_dict),
        ("handling", "handling", None, Marking.from_dict),
        ("confidence", "confidence", None, Confidence.from_dict),
        ("information_source", "information_source", None, InformationSource.from_dict),
        ("related_packages", "related_packages", None, RelatedPackageRefs.from_dict),
    )
    for attr, key, default, convert in field_parsers:
        raw = dict_repr.get(key, default)
        setattr(return_obj, attr, raw if convert is None else convert(raw))
    return return_obj
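def from_dict(cls, dict_repr, return_obj=None):
    """Populate an instance from its dictionary representation.

    The field set (time, victims, categories, coa_taken, ...) is that of an
    Incident. Missing list-valued keys default to an empty list; a missing
    ``version`` falls back to ``cls._version``.

    Fix: the discovery methods were being stored on a misspelled attribute
    (``discovery_methdos``), so the real ``discovery_methods`` field was
    never populated from a dict.

    Args:
        dict_repr: the ``dict`` form; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    get = dict_repr.get

    return_obj.id_ = get('id')
    return_obj.idref = get('idref')
    return_obj.timestamp = get('timestamp')
    return_obj.version = get('version', cls._version)
    return_obj.title = get('title')
    return_obj.description = StructuredText.from_dict(get('description'))
    return_obj.short_description = StructuredText.from_dict(get('short_description'))
    return_obj.time = Time.from_dict(get('time'))
    return_obj.victims = [Identity.from_dict(x) for x in get('victims', [])]
    return_obj.categories = [IncidentCategory.from_dict(x) for x in get('categories', [])]
    return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(get('attributed_threat_actors'))
    return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
    return_obj.related_observables = RelatedObservables.from_dict(get('related_observables'))
    return_obj.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
    return_obj.intended_effects = [Statement.from_dict(x) for x in get('intended_effects', [])]
    return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps'))
    return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in get('affected_assets', [])]
    # Correct attribute name (was 'discovery_methdos').
    return_obj.discovery_methods = [DiscoveryMethod.from_dict(x) for x in get('discovery_methods', [])]
    return_obj.reporter = InformationSource.from_dict(get('reporter'))
    return_obj.responders = [InformationSource.from_dict(x) for x in get('responders', [])]
    return_obj.coordinators = [InformationSource.from_dict(x) for x in get('coordinators', [])]
    return_obj.external_ids = [ExternalID.from_dict(x) for x in get('external_ids', [])]
    return_obj.impact_assessment = ImpactAssessment.from_dict(get('impact_assessment'))
    return_obj.information_source = InformationSource.from_dict(get('information_source'))
    return_obj.security_compromise = SecurityCompromise.from_dict(get('security_compromise'))
    return_obj.confidence = Confidence.from_dict(get('confidence'))
    return_obj.coa_taken = [COATaken.from_dict(x) for x in get('coa_taken', [])]
    return return_obj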
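def generate_indicators(self, count):
    """Generate a list of ``count`` randomly populated STIX Indicators.

    Every Indicator carries a fixed title and producer identity, the current
    local time as its produced time, one randomly chosen indicator type and
    confidence value, one kill chain phase drawn from
    ``LMCO_KILL_CHAIN_PHASES``, and between 0 and 5 IP observables produced
    by ``self.gen_ips``.

    Args:
        count: number of Indicators to build; a value of zero or less yields
            an empty list.

    Returns:
        A list of ``Indicator`` objects.
    """
    indicator_types = ['Malware Artifacts', 'C2', 'Exfiltration']
    confidence_values = ['High', 'Medium', 'Low', 'None', 'Unknown']

    indicators = []
    for _ in range(count):
        indicator = Indicator(title='Multiple indicator types')
        indicator.set_producer_identity(Identity(name='Secret Source'))
        indicator.set_produced_time(datetime.today())
        indicator.add_indicator_type(choice(indicator_types))
        indicator.add_short_description('Short description...')
        indicator.add_description('Long description...')
        indicator.confidence = Confidence(choice(confidence_values))

        kill_chain_phase = choice(LMCO_KILL_CHAIN_PHASES)
        indicator.kill_chain_phases = KillChainPhasesReference(
            [KillChainPhaseReference(name=kill_chain_phase.name)])

        # Only IP observables are attached; the user-agent, FQDN and URL
        # generators that used to be here were disabled and are left out.
        for ip in self.gen_ips(randint(0, 5)):
            indicator.add_observable(ip)

        indicators.append(indicator)
    return indicators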
def from_dict(cls, dict_repr, return_obj=None):
    """Build an Incident from its dictionary representation.

    Args:
        dict_repr: the ``dict`` form of an Incident; a falsy value yields
            ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(Incident, cls).from_dict(dict_repr, return_obj=return_obj)

    # (attribute name == dict key, parser), in assignment order.
    field_parsers = (
        ("time", Time.from_dict),
        ("victims", _Victims.from_dict),
        ("categories", IncidentCategories.from_dict),
        ("attributed_threat_actors", AttributedThreatActors.from_dict),
        ("related_indicators", RelatedIndicators.from_dict),
        ("related_observables", RelatedObservables.from_dict),
        ("related_incidents", RelatedIncidents.from_dict),
        ("intended_effects", _IntendedEffects.from_list),
        ("leveraged_ttps", LeveragedTTPs.from_dict),
        ("affected_assets", AffectedAssets.from_dict),
        ("discovery_methods", DiscoveryMethods.from_dict),
        ("reporter", InformationSource.from_dict),
        ("responders", _InformationSources.from_dict),
        ("coordinators", _InformationSources.from_dict),
        ("external_ids", _ExternalIDs.from_dict),
        ("impact_assessment", ImpactAssessment.from_dict),
        ("security_compromise", VocabString.from_dict),
        ("confidence", Confidence.from_dict),
        ("coa_taken", _COAsTaken.from_dict),
        ("coa_requested", _COAsRequested.from_dict),
        ("status", VocabString.from_dict),
        ("history", History.from_dict),
        ("related_packages", RelatedPackageRefs.from_dict),
    )
    for name, parse in field_parsers:
        setattr(return_obj, name, parse(dict_repr.get(name)))
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Populate an instance from a generated binding object (getter style).

    The field set (identity, types, motivations, ...) is that of a
    ThreatActor; id/idref/timestamp are always copied, the remaining
    ThreatActorType properties only when ``obj`` is a ``cls._binding_class``.
    A missing version falls back to ``cls._version``.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    def _each(parse):
        # Parse every element of a binding list with *parse*.
        return lambda items: [parse(x) for x in items]

    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()
    if not isinstance(obj, cls._binding_class):
        return return_obj

    # ThreatActorType properties
    return_obj.version = obj.get_version() or cls._version

    # (attribute, binding getter name, converter); a converter of None
    # stores the getter's value unchanged.
    field_parsers = (
        ("title", "get_Title", None),
        ("description", "get_Description", StructuredText.from_obj),
        ("short_description", "get_Short_Description", StructuredText.from_obj),
        ("identity", "get_Identity", Identity.from_obj),
        ("types", "get_Type", _each(Statement.from_obj)),
        ("motivations", "get_Motivation", _each(Statement.from_obj)),
        ("sophistications", "get_Sophistication", _each(Statement.from_obj)),
        ("intended_effects", "get_Intended_Effect", _each(Statement.from_obj)),
        ("planning_and_operational_supports", "get_Planning_And_Operational_Support", _each(Statement.from_obj)),
        ("observed_ttps", "get_Observed_TTPs", ObservedTTPs.from_obj),
        ("associated_campaigns", "get_Associated_Campaigns", AssociatedCampaigns.from_obj),
        ("associated_actors", "get_Associated_Actors", AssociatedActors.from_obj),
        ("handling", "get_Handling", Marking.from_obj),
        ("confidence", "get_Confidence", Confidence.from_obj),
        ("information_source", "get_Information_Source", InformationSource.from_obj),
        ("related_packages", "get_Related_Packages", RelatedPackageRefs.from_obj),
    )
    for attr, getter, convert in field_parsers:
        raw = getattr(obj, getter)()
        setattr(return_obj, attr, raw if convert is None else convert(raw))
    return return_obj
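def main():
    """Build and print a STIX Package holding one file-hash watchlist Indicator.

    The Indicator wraps a single SHA-256 ``File`` observable with an
    ``Equals`` condition on both the hash value and hash type, points at a
    "Malicious file" TTP, and carries a percentage-vocabulary confidence of
    75. The title is now derived from ``file_hash`` instead of repeating the
    digest literally, so the two cannot drift apart.
    """
    file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

    stix_header = STIXHeader(
        title="File Hash Reputation Service Results",
        package_intents=["Indicators - Malware Artifacts"])
    stix_package = STIXPackage(stix_header=stix_header)

    indicator = Indicator(title="File Reputation for SHA256=" + file_hash)
    indicator.add_indicator_type("File Hash Watchlist")

    # Both the value and the type must match exactly for the pattern to fire.
    file_object = File()
    file_object.add_hash(Hash(file_hash))
    file_object.hashes[0].simple_hash_value.condition = "Equals"
    file_object.hashes[0].type_.condition = "Equals"
    indicator.add_observable(file_object)

    indicator.add_indicated_ttp(TTP(title="Malicious file"))

    # Confidence is expressed as a percentage via a custom vocabulary.
    indicator.confidence = Confidence(value=VocabString('75'))
    indicator.confidence.value.vocab_name = "Percentage"
    indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage"

    stix_package.add_indicator(indicator)
    print(stix_package.to_xml(encoding=None))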
def from_obj(cls, obj, return_obj=None):
    """Build an Incident from its generated binding object.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``. Incident-specific fields are
        read only when ``obj`` is an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(Incident, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        # (attribute, binding attribute, parser), in assignment order.
        field_parsers = (
            ("time", "Time", Time.from_obj),
            ("victims", "Victim", _Victims.from_obj),
            ("categories", "Categories", IncidentCategories.from_obj),
            ("intended_effects", "Intended_Effect", _IntendedEffects.from_obj),
            ("affected_assets", "Affected_Assets", AffectedAssets.from_obj),
            ("discovery_methods", "Discovery_Method", DiscoveryMethods.from_obj),
            ("coa_taken", "COA_Taken", _COAsTaken.from_obj),
            ("coa_requested", "COA_Requested", _COAsRequested.from_obj),
            ("confidence", "Confidence", Confidence.from_obj),
            ("attributed_threat_actors", "Attributed_Threat_Actors", AttributedThreatActors.from_obj),
            ("related_indicators", "Related_Indicators", RelatedIndicators.from_obj),
            ("related_observables", "Related_Observables", RelatedObservables.from_obj),
            ("leveraged_ttps", "Leveraged_TTPs", LeveragedTTPs.from_obj),
            ("related_incidents", "Related_Incidents", RelatedIncidents.from_obj),
            ("status", "Status", VocabString.from_obj),
            ("history", "History", History.from_obj),
            ("responders", "Responder", _InformationSources.from_obj),
            ("coordinators", "Coordinator", _InformationSources.from_obj),
            ("external_ids", "External_ID", _ExternalIDs.from_obj),
            ("reporter", "Reporter", InformationSource.from_obj),
            ("impact_assessment", "Impact_Assessment", ImpactAssessment.from_obj),
            ("security_compromise", "Security_Compromise", VocabString.from_obj),
            ("related_packages", "Related_Packages", RelatedPackageRefs.from_obj),
        )
        for attr, binding_attr, parse in field_parsers:
            setattr(return_obj, attr, parse(getattr(obj, binding_attr)))
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Build an Indicator from its generated binding object.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``. Indicator-specific fields are
        read only when ``obj`` is an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(Indicator, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        # (attribute, binding attribute, converter), in assignment order;
        # a converter of None stores the raw binding value.
        field_parsers = (
            ("negate", "negate", None),
            ("producer", "Producer", InformationSource.from_obj),
            ("confidence", "Confidence", Confidence.from_obj),
            ("sightings", "Sightings", Sightings.from_obj),
            ("composite_indicator_expression", "Composite_Indicator_Expression", CompositeIndicatorExpression.from_obj),
            ("kill_chain_phases", "Kill_Chain_Phases", KillChainPhasesReference.from_obj),
            ("related_indicators", "Related_Indicators", RelatedIndicators.from_obj),
            ("likely_impact", "Likely_Impact", Statement.from_obj),
            ("indicator_types", "Type", IndicatorTypes.from_obj),
            ("test_mechanisms", "Test_Mechanisms", TestMechanisms.from_obj),
            ("suggested_coas", "Suggested_COAs", SuggestedCOAs.from_obj),
            ("alternative_id", "Alternative_ID", None),
            ("indicated_ttps", "Indicated_TTP", _IndicatedTTPs.from_obj),
            ("valid_time_positions", "Valid_Time_Position", _ValidTimePositions.from_obj),
            ("observable", "Observable", Observable.from_obj),
            ("related_campaigns", "Related_Campaigns", RelatedCampaignRefs.from_obj),
            ("related_packages", "Related_Packages", RelatedPackageRefs.from_obj),
        )
        for attr, binding_attr, convert in field_parsers:
            raw = getattr(obj, binding_attr)
            setattr(return_obj, attr, raw if convert is None else convert(raw))
    return return_obj
def from_dict(cls, dict_repr, return_obj=None):
    """Build a ThreatActor (including its handling) from a dictionary.

    Args:
        dict_repr: the ``dict`` form of a ThreatActor; a falsy value yields
            ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(ThreatActor, cls).from_dict(dict_repr, return_obj=return_obj)

    # (attribute name == dict key, parser), in assignment order.
    field_parsers = (
        ("identity", Identity.from_dict),
        ("types", _Types.from_dict),
        ("motivations", _Motivations.from_dict),
        ("sophistications", _Sophistications.from_dict),
        ("intended_effects", _IntendedEffects.from_dict),
        ("planning_and_operational_supports", _PlanningAndOperationalSupports.from_dict),
        ("observed_ttps", ObservedTTPs.from_dict),
        ("associated_campaigns", AssociatedCampaigns.from_dict),
        ("associated_actors", AssociatedActors.from_dict),
        ("handling", Marking.from_dict),
        ("confidence", Confidence.from_dict),
        ("related_packages", RelatedPackageRefs.from_dict),
    )
    for name, parse in field_parsers:
        setattr(return_obj, name, parse(dict_repr.get(name)))
    return return_obj
def from_dict(cls, dict_repr, return_obj=None):
    """Build an Incident (including handling and history) from a dictionary.

    Args:
        dict_repr: the ``dict`` form of an Incident; a falsy value yields
            ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(Incident, cls).from_dict(dict_repr, return_obj=return_obj)

    # (attribute name == dict key, parser), in assignment order.
    field_parsers = (
        ("time", Time.from_dict),
        ("victims", _Victims.from_dict),
        ("categories", IncidentCategories.from_dict),
        ("attributed_threat_actors", AttributedThreatActors.from_dict),
        ("related_indicators", RelatedIndicators.from_dict),
        ("related_observables", RelatedObservables.from_dict),
        ("related_incidents", RelatedIncidents.from_dict),
        ("intended_effects", _IntendedEffects.from_list),
        ("leveraged_ttps", LeveragedTTPs.from_dict),
        ("affected_assets", AffectedAssets.from_dict),
        ("discovery_methods", DiscoveryMethods.from_dict),
        ("reporter", InformationSource.from_dict),
        ("responders", _InformationSources.from_dict),
        ("coordinators", _InformationSources.from_dict),
        ("external_ids", _ExternalIDs.from_dict),
        ("impact_assessment", ImpactAssessment.from_dict),
        ("security_compromise", VocabString.from_dict),
        ("confidence", Confidence.from_dict),
        ("coa_taken", _COAsTaken.from_dict),
        ("status", VocabString.from_dict),
        ("handling", Marking.from_dict),
        ("history", History.from_dict),
    )
    for name, parse in field_parsers:
        setattr(return_obj, name, parse(dict_repr.get(name)))
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Build a Campaign from its generated binding object.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``. Campaign-specific fields are
        read only when ``obj`` is an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()
    # Fields shared with the parent class are filled in by the parent.
    super(Campaign, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        # (attribute, binding attribute, parser), in assignment order.
        field_parsers = (
            ("names", "Names", Names.from_obj),
            ("intended_effects", "Intended_Effect", _IntendedEffects.from_obj),
            ("status", "Status", VocabString.from_obj),
            ("related_ttps", "Related_TTPs", RelatedTTPs.from_obj),
            ("related_incidents", "Related_Incidents", RelatedIncidents.from_obj),
            ("related_indicators", "Related_Indicators", RelatedIndicators.from_obj),
            ("attribution", "Attribution", _AttributionList.from_obj),
            ("associated_campaigns", "Associated_Campaigns", AssociatedCampaigns.from_obj),
            ("confidence", "Confidence", Confidence.from_obj),
            ("activity", "Activity", _Activities.from_obj),
            ("related_packages", "Related_Packages", RelatedPackageRefs.from_obj),
        )
        for attr, binding_attr, parse in field_parsers:
            setattr(return_obj, attr, parse(getattr(obj, binding_attr)))
    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Populate an instance from a binding object using its getters.

    Fields read: Description, Short_Description and Applicability_Confidence
    (the shape of a COA Objective, though the class name is not visible
    here).

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``.
    """
    if not obj:
        return None
    target = return_obj if return_obj else cls()

    description = StructuredText.from_obj(obj.get_Description())
    short_description = StructuredText.from_obj(obj.get_Short_Description())
    applicability = Confidence.from_obj(obj.get_Applicability_Confidence())

    target.description = description
    target.short_description = short_description
    target.applicability_confidence = applicability
    return target
def from_obj(cls, obj, return_obj=None):
    """Populate an instance from a binding object's attributes.

    Fields read: Description, Short_Description and Applicability_Confidence
    (the shape of a COA Objective, though the class name is not visible
    here).

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``.
    """
    if not obj:
        return None
    target = return_obj if return_obj else cls()

    field_parsers = (
        ("description", "Description", StructuredText.from_obj),
        ("short_description", "Short_Description", StructuredText.from_obj),
        ("applicability_confidence", "Applicability_Confidence", Confidence.from_obj),
    )
    for attr, binding_attr, parse in field_parsers:
        setattr(target, attr, parse(getattr(obj, binding_attr)))
    return target
def from_obj(cls, obj, return_obj=None):
    """Populate an instance from a binding object, with multi-valued text.

    Unlike the single-``StructuredText`` variant, Description and
    Short_Description are parsed as ``StructuredTextList`` into the plural
    ``descriptions`` / ``short_descriptions`` attributes.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``.
    """
    if not obj:
        return None
    target = return_obj if return_obj else cls()

    field_parsers = (
        ("descriptions", "Description", StructuredTextList.from_obj),
        ("short_descriptions", "Short_Description", StructuredTextList.from_obj),
        ("applicability_confidence", "Applicability_Confidence", Confidence.from_obj),
    )
    for attr, binding_attr, parse in field_parsers:
        setattr(target, attr, parse(getattr(obj, binding_attr)))
    return target
def from_dict(cls, dict_repr, return_obj=None):
    """Populate an instance from its dictionary representation.

    Keys read: ``description``, ``short_description`` and
    ``applicability_confidence`` (the shape of a COA Objective, though the
    class name is not visible here).

    Args:
        dict_repr: the ``dict`` form; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    target = return_obj if return_obj else cls()

    field_parsers = (
        ("description", StructuredText.from_dict),
        ("short_description", StructuredText.from_dict),
        ("applicability_confidence", Confidence.from_dict),
    )
    for name, parse in field_parsers:
        setattr(target, name, parse(dict_repr.get(name)))
    return target
def from_obj(cls, obj, return_obj=None):
    """Populate an instance from a generated binding object.

    The field set (time, victims, categories, coa_taken, ...) is that of an
    Incident. id/idref/timestamp are always copied; the rest only when
    ``obj`` is a ``cls._binding_class``. A group of optional fields is
    assigned only when the binding value is truthy, the remaining fields
    unconditionally.

    Args:
        obj: the binding object; a falsy value yields ``None``.
        return_obj: an existing instance to populate; a fresh ``cls()`` is
            created when omitted.

    Returns:
        The populated instance, or ``None``.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    def _each(parse):
        # Parse every element of a binding list with *parse*.
        return lambda items: [parse(x) for x in items]

    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp
    if not isinstance(obj, cls._binding_class):
        return return_obj

    return_obj.version = obj.version
    return_obj.title = obj.Title
    return_obj.description = StructuredText.from_obj(obj.Description)
    return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
    return_obj.time = Time.from_obj(obj.Time)

    # Optional fields: (attribute, binding attribute, converter); skipped
    # when the binding value is falsy. Categories and Affected_Assets are
    # wrappers whose inner list is what gets parsed.
    optional_fields = (
        ("victims", "Victim", _each(Identity.from_obj)),
        ("categories", "Categories", lambda c: [IncidentCategory.from_obj(x) for x in c.Category]),
        ("intended_effects", "Intended_Effect", _each(Statement.from_obj)),
        ("affected_assets", "Affected_Assets", lambda a: [AffectedAsset.from_obj(x) for x in a.Affected_Asset]),
        ("discovery_methods", "Discovery_Method", _each(DiscoveryMethod.from_obj)),
        ("reporter", "Reporter", InformationSource.from_obj),
        ("responders", "Responder", _each(InformationSource.from_obj)),
        ("coordinators", "Coordinator", _each(InformationSource.from_obj)),
        ("external_ids", "External_ID", _each(ExternalID.from_obj)),
        ("impact_assessment", "Impact_Assessment", ImpactAssessment.from_obj),
        ("information_source", "Information_Source", InformationSource.from_obj),
        ("security_compromise", "Security_Compromise", SecurityCompromise.from_obj),
    )
    for attr, binding_attr, convert in optional_fields:
        raw = getattr(obj, binding_attr)
        if raw:
            setattr(return_obj, attr, convert(raw))

    # Unconditional fields, in assignment order.
    required_fields = (
        ("coa_taken", "COA_Taken", _each(COATaken.from_obj)),
        ("confidence", "Confidence", Confidence.from_obj),
        ("attributed_threat_actors", "Attributed_Threat_Actors", AttributedThreatActors.from_obj),
        ("related_indicators", "Related_Indicators", RelatedIndicators.from_obj),
        ("related_observables", "Related_Observables", RelatedObservables.from_obj),
        ("leveraged_ttps", "Leveraged_TTPs", LeveragedTTPs.from_obj),
        ("related_incidents", "Related_Incidents", RelatedIncidents.from_obj),
        ("status", "Status", VocabString.from_obj),
        ("handling", "Handling", Marking.from_obj),
        ("history", "History", History.from_obj),
    )
    for attr, binding_attr, convert in required_fields:
        setattr(return_obj, attr, convert(getattr(obj, binding_attr)))
    return return_obj
def buildSTIX(ident, confid, restconfid, effect, resteffect, typeIncident, resttype, asset, restasset, hashPkg):
    """Build a STIXPackage holding one Incident from flat field values.

    The ``rest*`` arguments are parked in unrelated description/name fields
    (see the workaround map below); whoever consumes the package must read
    them back from those places.

    Args:
        ident: value for the Incident ``id_``.
        confid: Confidence value set on the Incident.
        restconfid: stored in the package header description.
        effect: effect added to the ImpactAssessment.
        resteffect: stored in the Incident description.
        typeIncident: written to ``Incident._binding_class.xml_type``.
        resttype: stored in the reporter description.
        asset: AffectedAsset ``type_``.
        restasset: stored as the reporter identity name.
        hashPkg: passed unchanged to ``breach.add_victim``.

    Returns:
        The populated STIXPackage. Two progress lines are printed to stdout.
    """
    # IMPLEMENTATION WORKAROUND -
    # restConfid --> header.description
    # resteffect --> breach.description
    # resttype --> reporter.description
    # restasset --> reporter.identity.name

    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = restconfid  # "Example description"
    stix_package.stix_header = stix_header

    # add incident and confidence
    breach = Incident(id_=ident)
    breach.description = resteffect  # "Intrusion into enterprise network"
    breach.confidence = Confidence()
    breach.confidence.value = confid
    print("confidence set to %s"%(str(breach.confidence.value)))
    # NOTE(review): this assigns to the *binding class* (a class attribute shared
    # by every Incident), not to this instance, so it changes the XML type of all
    # Incidents built in this process from now on. Process-global side effect;
    # confirm that is intended before relying on it.
    breach._binding_class.xml_type = typeIncident
    print("incident set to %s"%(str(breach._binding_class.xml_type)))

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = resttype  # "The person who reported it"
    breach.reporter.time = Time()
    # Hard-coded submission date — presumably a placeholder; verify against callers.
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d")  # when they submitted it
    breach.reporter.identity = Identity()
    breach.reporter.identity.name = restasset

    # set incident-specific timestamps (fixed demo values, not taken from the arguments)
    breach.time = incidentTime()
    breach.title = "Breach of Company Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")

    affected_asset = AffectedAsset()
    affected_asset.description = "Database server at hr-data1.example.com"
    affected_asset.type_ = asset
    # A single AffectedAsset is assigned to the plural property; presumably the
    # setter wraps it in a list — confirm.
    breach.affected_assets = affected_asset

    # add the victim
    breach.add_victim(hashPkg)

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(effect)
    breach.impact_assessment = impact

    stix_package.add_incident(breach)
    return stix_package
def from_obj(cls, obj, return_obj=None):
    """Populate an Incident from its generateDS binding ``obj`` (getter API).

    Returns None for a falsy ``obj``. ``return_obj`` is the instance to fill,
    else a fresh ``cls()``. Incident-specific children are copied only when
    ``obj`` is an instance of ``cls._binding_class``; a missing version falls
    back to ``cls._version``.
    """
    if not obj:
        return None
    incident = return_obj or cls()

    incident.id_ = obj.get_id()
    incident.idref = obj.get_idref()
    incident.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        incident.version = obj.get_version() or cls._version
        incident.title = obj.get_Title()
        incident.description = StructuredText.from_obj(obj.get_Description())
        incident.short_description = StructuredText.from_obj(obj.get_Short_Description())
        incident.time = Time.from_obj(obj.get_Time())

        # Each optional child is fetched once and assigned only when present.
        victims = obj.get_Victim()
        if victims:
            incident.victims = list(map(Identity.from_obj, victims))
        categories = obj.get_Categories()
        if categories:
            incident.categories = list(map(IncidentCategory.from_obj, categories.get_Category()))
        effects = obj.get_Intended_Effect()
        if effects:
            incident.intended_effects = list(map(Statement.from_obj, effects))
        assets = obj.get_Affected_Assets()
        if assets:
            incident.affected_assets = list(map(AffectedAsset.from_obj, assets.get_Affected_Asset()))
        methods = obj.get_Discovery_Method()
        if methods:
            incident.discovery_methods = list(map(DiscoveryMethod.from_obj, methods))
        reporter = obj.get_Reporter()
        if reporter:
            incident.reporter = InformationSource.from_obj(reporter)
        responders = obj.get_Responder()
        if responders:
            incident.responders = list(map(InformationSource.from_obj, responders))
        coordinators = obj.get_Coordinator()
        if coordinators:
            incident.coordinators = list(map(InformationSource.from_obj, coordinators))
        external_ids = obj.get_External_ID()
        if external_ids:
            incident.external_ids = list(map(ExternalID.from_obj, external_ids))
        impact = obj.get_Impact_Assessment()
        if impact:
            incident.impact_assessment = ImpactAssessment.from_obj(impact)
        source = obj.get_Information_Source()
        if source:
            incident.information_source = InformationSource.from_obj(source)
        compromise = obj.get_Security_Compromise()
        if compromise:
            incident.security_compromise = SecurityCompromise.from_obj(compromise)

        # Unconditional children; the child from_obj helpers handle None.
        incident.coa_taken = list(map(COATaken.from_obj, obj.get_COA_Taken()))
        incident.confidence = Confidence.from_obj(obj.get_Confidence())
        incident.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors())
        incident.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
        incident.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
        incident.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs())
        incident.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents())
        incident.status = VocabString.from_obj(obj.get_Status())
        incident.handling = Marking.from_obj(obj.get_Handling())
        incident.history = History.from_obj(obj.get_History())

    return incident
def generateIndicator(attribute):
    """Turn one MISP attribute dict into a STIX Indicator.

    The attribute's ``uuid`` forms the id, ``distribution`` drives the TLP
    marking and ``id``/``uuid`` form the title. Confidence is derived from
    the ``to_ids`` flag via ``confidence_mapping``; an unmapped flag leaves
    the confidence unset. All concatenated fields must already be strings.
    """
    indicator = Indicator()
    indicator.id_ = "".join(("example:indicator-", attribute["uuid"]))
    setTLP(indicator, attribute["distribution"])
    indicator.title = "".join(("MISP Attribute #", attribute["id"], " uuid: ", attribute["uuid"]))

    confidence_value = confidence_mapping.get(attribute["to_ids"], None)
    if confidence_value is not None:
        indicator.confidence = Confidence(
            value=confidence_value,
            description="Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none",
        )
    return indicator
def generateIndicator(attribute):
    """Turn one MISP attribute dict into a timestamped STIX Indicator.

    The attribute timestamp (an integer epoch string) is converted once and
    used for both the Indicator and its Confidence. A non-empty ``comment``
    becomes the description; ``distribution`` drives the TLP marking; the
    title combines category, value and MISP id. Confidence comes from the
    ``to_ids`` flag via ``confidence_mapping`` and is left unset when the
    flag is unmapped. All concatenated fields must already be strings.
    """
    stamp = getDateFromTimestamp(int(attribute["timestamp"]))
    indicator = Indicator(timestamp=stamp)
    indicator.id_ = "".join((namespace[1], ":indicator-", attribute["uuid"]))
    if attribute["comment"] != "":
        indicator.description = attribute["comment"]
    setTLP(indicator, attribute["distribution"])
    indicator.title = "".join((
        attribute["category"], ": ", attribute["value"],
        " (MISP Attribute #", attribute["id"], ")",
    ))

    confidence_value = confidence_mapping.get(attribute["to_ids"], None)
    if confidence_value is not None:
        indicator.confidence = Confidence(
            value=confidence_value,
            description="Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none",
            timestamp=stamp,
        )
    return indicator
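def from_obj(cls, obj, return_obj=None):
    """Populate the entity from its generateDS binding ``obj`` (getter API).

    Returns None for a falsy ``obj``; otherwise fills ``return_obj`` (or a
    fresh ``cls()``) and returns it.
    """
    if not obj:
        return None
    if return_obj is None:
        return_obj = cls()
    return_obj.timestamp = obj.get_timestamp()
    return_obj.timestamp_precision = obj.get_timestamp_precision()
    return_obj.source = InformationSource.from_obj(obj.get_Source())
    # Bug fix: the value used to be stored under the misspelled attribute
    # ``refernce``, so the Reference element was silently lost on parse while
    # the from_dict counterpart populates ``reference``.
    return_obj.reference = obj.get_Reference()
    return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
    return_obj.description = StructuredText.from_obj(obj.get_Description())
    return_obj.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
    return return_obj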
def from_dict(cls, d, return_obj=None):
    """Populate the entity from its dictionary form ``d``.

    Returns None for a falsy ``d``; otherwise fills ``return_obj`` (or a
    fresh ``cls()``) and returns it. Missing keys yield None.
    """
    if not d:
        return None
    target = cls() if return_obj is None else return_obj
    get = d.get
    target.timestamp = get('timestamp')
    target.timestamp_precision = get('timestamp_precision')
    target.source = InformationSource.from_dict(get('source'))
    target.reference = get('reference')
    target.confidence = Confidence.from_dict(get('confidence'))
    target.description = StructuredText.from_dict(get('description'))
    target.related_observables = RelatedObservables.from_dict(get('related_observables'))
    return target
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a ThreatActor from its dictionary form.

    Returns None for a falsy ``dict_repr``; fills ``return_obj`` or a fresh
    ``cls()``. The multi-valued Statement fields default to empty lists
    when their key is absent; every other missing key yields None.
    """
    if not dict_repr:
        return None
    actor = return_obj or cls()
    get = dict_repr.get

    def statements(key):
        # A missing key means "no statements", not None.
        return [Statement.from_dict(item) for item in get(key, [])]

    actor.id_ = get('id')
    actor.idref = get('idref')
    actor.timestamp = get('timestamp')
    # NOTE(review): no fallback to cls._version here, unlike the other
    # from_dict methods in this file that use get('version', cls._version);
    # an absent key leaves version as None. Preserved as-is.
    actor.version = get('version')
    actor.title = get('title')
    actor.description = StructuredText.from_dict(get('description'))
    actor.short_description = StructuredText.from_dict(get('short_description'))
    actor.identity = Identity.from_dict(get('identity'))
    actor.types = statements('types')
    actor.motivations = statements('motivations')
    actor.sophistications = statements('sophistications')
    actor.intended_effects = statements('intended_effects')
    actor.planning_and_operational_supports = statements('planning_and_operational_supports')
    actor.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
    actor.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
    actor.associated_actors = AssociatedActors.from_dict(get('associated_actors'))
    actor.handling = Marking.from_dict(get('handling'))
    actor.confidence = Confidence.from_dict(get('confidence'))
    actor.information_source = InformationSource.from_dict(get('information_source'))
    actor.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
    return actor
def from_obj(cls, obj, return_obj=None):
    """Populate the entity from its binding ``obj`` (attribute API).

    Returns None for a falsy ``obj``; fills ``return_obj`` or a fresh
    ``cls()``. ``obj.Description`` is mapped through StructuredTextList into
    the plural ``descriptions`` field.
    """
    if not obj:
        return None
    target = cls() if return_obj is None else return_obj
    target.timestamp = obj.timestamp
    target.timestamp_precision = obj.timestamp_precision
    target.source = InformationSource.from_obj(obj.Source)
    target.reference = obj.Reference
    target.confidence = Confidence.from_obj(obj.Confidence)
    target.descriptions = StructuredTextList.from_obj(obj.Description)
    target.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
    return target
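def generate_indicator(self, attribute, tags, org):
    """Turn one MISP attribute object into a STIX Indicator.

    Args:
        attribute: MISP attribute with ``timestamp``, ``uuid``, ``comment``,
            ``distribution``, ``category``, ``value``, ``id`` and ``to_ids``.
        tags: event-level tags, merged with the attribute's own via
            ``self.merge_tags`` before TLP marking.
        org: producer organisation handed to ``self.set_prod``.

    Returns:
        The Indicator. Confidence is derived from ``to_ids`` through
        ``confidence_mapping`` and left unset when the flag is unmapped.
    """
    indicator = Indicator(timestamp=attribute.timestamp)
    indicator.id_ = "{}:indicator-{}".format(namespace[1], attribute.uuid)
    self.set_prod(indicator, org)
    self.set_tlp(indicator, attribute.distribution, self.merge_tags(tags, attribute))
    indicator.title = "{}: {} (MISP Attribute #{})".format(attribute.category, attribute.value, attribute.id)
    # Bug fix: the analyst comment was assigned and then unconditionally
    # overwritten with the title (dead store). Prefer the comment and only
    # fall back to the title when there is none.
    indicator.description = attribute.comment if attribute.comment else indicator.title

    confidence_value = confidence_mapping.get(attribute.to_ids, None)
    if confidence_value is None:
        return indicator
    indicator.confidence = Confidence(
        value=confidence_value,
        description="Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none",
        timestamp=attribute.timestamp,
    )
    return indicator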
def from_obj(cls, obj, return_obj=None):
    """Populate the entity from its binding ``obj`` (attribute API).

    Returns None for a falsy ``obj``; fills ``return_obj`` or a fresh
    ``cls()``. ``obj.Description`` goes through StructuredTextList into the
    plural ``descriptions`` field.
    """
    if not obj:
        return None
    target = cls() if return_obj is None else return_obj
    target.timestamp = obj.timestamp
    target.timestamp_precision = obj.timestamp_precision
    target.source = InformationSource.from_obj(obj.Source)
    target.reference = obj.Reference
    target.confidence = Confidence.from_obj(obj.Confidence)
    target.descriptions = StructuredTextList.from_obj(obj.Description)
    target.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
    return target
def from_dict(cls, dict_repr, return_obj=None):
    """Populate an Indicator from its dictionary form.

    Returns None for a falsy ``dict_repr``; fills ``return_obj`` or a fresh
    ``cls()``. A missing ``version`` falls back to ``cls._version``. The
    observable, producer, description, indicator types, confidence,
    alternative id and valid-time positions are applied only when present;
    the other fields are assigned unconditionally.
    """
    if not dict_repr:
        return None
    indicator = return_obj or cls()
    get = dict_repr.get

    indicator.id_ = get('id')
    indicator.idref = get('idref')
    indicator.timestamp = get('timestamp')
    indicator.title = get('title')
    indicator.version = get('version', cls._version)

    indicator.short_description = StructuredText.from_dict(get('short_description'))
    indicator.indicated_ttps = list(map(RelatedTTP.from_dict, get('indicated_ttps', [])))
    indicator.test_mechanisms = list(map(_BaseTestMechanism.from_dict, get('test_mechanisms', [])))
    indicator.suggested_coas = SuggestedCOAs.from_dict(get('suggested_coas'))
    indicator.sightings = Sightings.from_dict(get('sightings'))
    indicator.composite_indicator_expression = CompositeIndicatorExpression.from_dict(get('composite_indicator_expression'))
    indicator.handling = Marking.from_dict(get('handling'))
    indicator.kill_chain_phases = KillChainPhasesReference.from_dict(get('kill_chain_phases'))
    indicator.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
    indicator.likely_impact = Statement.from_dict(get('likely_impact'))

    observable = get('observable')
    if observable:
        indicator.add_observable(Observable.from_dict(observable))
    producer = get('producer')
    if producer:
        indicator.producer = InformationSource.from_dict(producer)
    description = get('description')
    if description:
        indicator.description = StructuredText.from_dict(description)
    for type_dict in get('indicator_types', []):
        indicator.add_indicator_type(VocabString.from_dict(type_dict))
    confidence = get('confidence')
    if confidence:
        indicator.confidence = Confidence.from_dict(confidence)
    alternative_id = get('alternative_id')
    if alternative_id:
        indicator.alternative_id = alternative_id
    for valid_time in get('valid_time_positions') or ():
        indicator.add_valid_time_position(ValidTime.from_dict(valid_time))
    return indicator
def from_obj(cls, obj, return_obj=None):
    """Populate a ThreatActor from its generateDS binding (getter API).

    Returns None for a falsy ``obj``; fills ``return_obj`` or a fresh
    ``cls()``. The ThreatActorType children are copied only when ``obj`` is
    an instance of ``cls._binding_class``; a missing version falls back to
    ``cls._version``.
    """
    if not obj:
        return None
    actor = return_obj or cls()

    actor.id_ = obj.get_id()
    actor.idref = obj.get_idref()
    actor.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        actor.version = obj.get_version() or cls._version
        actor.title = obj.get_Title()
        actor.description = StructuredText.from_obj(obj.get_Description())
        actor.short_description = StructuredText.from_obj(obj.get_Short_Description())
        actor.identity = Identity.from_obj(obj.get_Identity())
        # Multi-valued Statement children.
        actor.types = list(map(Statement.from_obj, obj.get_Type()))
        actor.motivations = list(map(Statement.from_obj, obj.get_Motivation()))
        actor.sophistications = list(map(Statement.from_obj, obj.get_Sophistication()))
        actor.intended_effects = list(map(Statement.from_obj, obj.get_Intended_Effect()))
        actor.planning_and_operational_supports = list(map(Statement.from_obj, obj.get_Planning_And_Operational_Support()))
        actor.observed_ttps = ObservedTTPs.from_obj(obj.get_Observed_TTPs())
        actor.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
        actor.associated_actors = AssociatedActors.from_obj(obj.get_Associated_Actors())
        actor.handling = Marking.from_obj(obj.get_Handling())
        actor.confidence = Confidence.from_obj(obj.get_Confidence())
        actor.information_source = InformationSource.from_obj(obj.get_Information_Source())
        actor.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

    return actor
def from_obj(cls, obj, return_obj=None):
    """Populate an Indicator from its generateDS binding (getter API).

    Returns None for a falsy ``obj``; fills ``return_obj`` or a fresh
    ``cls()``. Indicator-specific children are copied only when ``obj`` is
    an instance of ``cls._binding_class``; the optional ones (version,
    types, observable, indicated TTPs, test mechanisms, suggested COAs,
    alternative id, valid-time positions) are applied only when present.
    """
    if not obj:
        return None
    indicator = return_obj or cls()

    indicator.id_ = obj.get_id()
    indicator.idref = obj.get_idref()
    indicator.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        indicator.title = obj.get_Title()
        indicator.description = StructuredText.from_obj(obj.get_Description())
        indicator.short_description = StructuredText.from_obj(obj.get_Short_Description())
        indicator.producer = InformationSource.from_obj(obj.get_Producer())
        indicator.confidence = Confidence.from_obj(obj.get_Confidence())
        indicator.sightings = Sightings.from_obj(obj.get_Sightings())
        indicator.composite_indicator_expression = CompositeIndicatorExpression.from_obj(obj.get_Composite_Indicator_Expression())
        indicator.handling = Marking.from_obj(obj.get_Handling())
        indicator.kill_chain_phases = KillChainPhasesReference.from_obj(obj.get_Kill_Chain_Phases())
        indicator.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
        indicator.likely_impact = Statement.from_obj(obj.get_Likely_Impact())

        version = obj.get_version()
        if version:
            indicator.version = version
        for type_obj in obj.get_Type() or ():
            indicator.add_indicator_type(VocabString.from_obj(type_obj))
        observable_obj = obj.get_Observable()
        if observable_obj:
            indicator.observables.append(Observable.from_obj(observable_obj))
        indicated = obj.get_Indicated_TTP()
        if indicated:
            indicator.indicated_ttps = list(map(RelatedTTP.from_obj, indicated))
        mechanisms = obj.get_Test_Mechanisms()
        if mechanisms:
            indicator.test_mechanisms = list(map(_BaseTestMechanism.from_obj, mechanisms.get_Test_Mechanism()))
        coas = obj.get_Suggested_COAs()
        if coas:
            indicator.suggested_coas = SuggestedCOAs.from_obj(coas)
        alt_id = obj.get_Alternative_ID()
        if alt_id:
            indicator.alternative_id = alt_id
        valid_times = obj.get_Valid_Time_Position()
        if valid_times:
            indicator.valid_time_positions = list(map(ValidTime.from_obj, valid_times))

    return indicator
def from_obj(cls, obj, return_obj=None):
    """Populate a ThreatActor from its binding ``obj`` (attribute API).

    Returns None for a falsy ``obj``; fills ``return_obj`` or a fresh
    ``cls()``. The ThreatActorType children are copied only when ``obj`` is
    an instance of ``cls._binding_class``.
    """
    if not obj:
        return None
    actor = return_obj or cls()

    actor.id_ = obj.id
    actor.idref = obj.idref
    actor.timestamp = obj.timestamp

    if isinstance(obj, cls._binding_class):
        actor.version = obj.version
        actor.title = obj.Title
        actor.description = StructuredText.from_obj(obj.Description)
        actor.short_description = StructuredText.from_obj(obj.Short_Description)
        actor.identity = Identity.from_obj(obj.Identity)
        # Multi-valued Statement children.
        actor.types = list(map(Statement.from_obj, obj.Type))
        actor.motivations = list(map(Statement.from_obj, obj.Motivation))
        actor.sophistications = list(map(Statement.from_obj, obj.Sophistication))
        actor.intended_effects = list(map(Statement.from_obj, obj.Intended_Effect))
        actor.planning_and_operational_supports = list(map(Statement.from_obj, obj.Planning_And_Operational_Support))
        actor.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
        actor.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
        actor.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
        actor.handling = Marking.from_obj(obj.Handling)
        actor.confidence = Confidence.from_obj(obj.Confidence)
        actor.information_source = InformationSource.from_obj(obj.Information_Source)
        actor.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

    return actor
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a Campaign from its dictionary form.

    Returns None for a falsy ``dict_repr``; fills ``return_obj`` or a fresh
    ``cls()``. A missing ``version`` falls back to ``cls._version``; the
    ``intended_effects``, ``attribution`` and ``activity`` lists default to
    empty when absent.
    """
    if not dict_repr:
        return None
    campaign = return_obj or cls()
    get = dict_repr.get

    campaign.id_ = get('id')
    campaign.idref = get('idref')
    campaign.timestamp = get('timestamp')
    campaign.version = get('version', cls._version)
    campaign.title = get('title')
    campaign.description = StructuredText.from_dict(get('description'))
    campaign.short_description = StructuredText.from_dict(get('short_description'))
    campaign.names = Names.from_dict(get('names'))
    campaign.intended_effects = list(map(Statement.from_dict, get('intended_effects', [])))
    campaign.status = VocabString.from_dict(get('status'))
    campaign.related_ttps = RelatedTTPs.from_dict(get('related_ttps'))
    campaign.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
    campaign.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
    campaign.attribution = list(map(Attribution.from_dict, get('attribution', [])))
    campaign.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
    campaign.confidence = Confidence.from_dict(get('confidence'))
    campaign.activity = list(map(Activity.from_dict, get('activity', [])))
    campaign.information_source = InformationSource.from_dict(get('information_source'))
    campaign.handling = Marking.from_dict(get('handling'))
    campaign.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
    return campaign
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a Campaign from its dictionary form.

    Returns None for a falsy ``dict_repr``; fills ``return_obj`` or a fresh
    ``cls()``. A missing ``version`` falls back to ``cls._version``; the
    ``intended_effect``, ``attribution`` and ``activity`` lists default to
    empty when absent. Note the singular ``intended_effect`` key/field used
    by this variant.
    """
    if not dict_repr:
        return None
    campaign = return_obj or cls()
    get = dict_repr.get

    campaign.id_ = get('id')
    campaign.idref = get('idref')
    campaign.timestamp = get('timestamp')
    campaign.version = get('version', cls._version)
    campaign.title = get('title')
    campaign.description = StructuredText.from_dict(get('description'))
    campaign.short_description = StructuredText.from_dict(get('short_description'))
    campaign.names = Names.from_dict(get('names'))
    campaign.intended_effect = list(map(Statement.from_dict, get('intended_effect', [])))
    campaign.status = VocabString.from_dict(get('status'))
    campaign.related_ttps = RelatedTTPs.from_dict(get('related_ttps'))
    campaign.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
    campaign.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
    campaign.attribution = list(map(Attribution.from_dict, get('attribution', [])))
    campaign.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
    campaign.confidence = Confidence.from_dict(get('confidence'))
    campaign.activity = list(map(Activity.from_dict, get('activity', [])))
    campaign.information_source = InformationSource.from_dict(get('information_source'))
    campaign.handling = Marking.from_dict(get('handling'))
    campaign.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
    return campaign
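# A dotted-quad IPv4 address (each octet 0-255) that is not embedded in a
# longer digit/dot run. Without the lookarounds, a line such as "1234.5.6.7"
# would yield "234.5.6.7" and a wrong address would end up on the block list.
_IPV4_RE = re.compile(
    r'(?<![\d.])'
    r'(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
    r'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])'
    r'(?![\d.])'
)


def _extract_ipv4(line):
    """Return the first IPv4 address found in ``line``, or None."""
    match = _IPV4_RE.search(line)
    return match.group(0) if match else None


def main():
    """Write a STIX Course of Action that blocks every listed Tor exit node.

    Reads ``tor_exit_node_list.txt`` (one address per line; lines with no
    address are skipped) and writes the package to ``coa_tor.xml``. Both
    files are closed on exit, including on error.
    """
    with open('tor_exit_node_list.txt', 'r') as file_in:
        ip_addr_list = [ip for ip in map(_extract_ipv4, file_in) if ip]

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to Tor exit nodes"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication to Tor exit nodes"
    obj.applicability_confidence = Confidence("High")
    # NOTE(review): ``obj`` is never attached to ``coa``, so the Objective is
    # currently dropped from the output. Kept as in the original.

    observables_list = [
        Address(address_value=ip_addr, category=Address.CAT_IPV4)
        for ip_addr in ip_addr_list
    ]
    coa.parameter_observables = Observables(observables_list)
    pkg.add_course_of_action(coa)

    with open('coa_tor.xml', 'w') as file_out:
        file_out.write(pkg.to_xml(encoding=None))
    print("%d Tor exit node address(es) written to coa_tor.xml" % len(observables_list))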
def from_obj(cls, obj, return_obj=None):
    """Populate a Campaign from its generateDS binding (getter API).

    Returns None for a falsy ``obj``; fills ``return_obj`` or a fresh
    ``cls()``. Campaign children are copied only when ``obj`` is an instance
    of ``cls._binding_class``; a missing version falls back to ``cls._version``.
    """
    if not obj:
        return None
    campaign = return_obj or cls()

    campaign.id_ = obj.get_id()
    campaign.idref = obj.get_idref()
    campaign.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        campaign.version = obj.get_version() or cls._version
        campaign.title = obj.get_Title()
        campaign.description = StructuredText.from_obj(obj.get_Description())
        campaign.short_description = StructuredText.from_obj(obj.get_Short_Description())
        campaign.names = Names.from_obj(obj.get_Names())
        campaign.intended_effects = list(map(Statement.from_obj, obj.get_Intended_Effect()))
        campaign.status = VocabString.from_obj(obj.get_Status())
        campaign.related_ttps = RelatedTTPs.from_obj(obj.get_Related_TTPs())
        campaign.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents())
        campaign.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
        campaign.attribution = list(map(Attribution.from_obj, obj.get_Attribution()))
        campaign.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
        campaign.confidence = Confidence.from_obj(obj.get_Confidence())
        campaign.activity = list(map(Activity.from_obj, obj.get_Activity()))
        campaign.information_source = InformationSource.from_obj(obj.get_Information_Source())
        campaign.handling = Marking.from_obj(obj.get_Handling())
        campaign.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

    return campaign
def from_dict(cls, dict_repr, return_obj=None):
    """Populate an Indicator from its dictionary form.

    Returns None for a falsy ``dict_repr``; fills ``return_obj`` or a fresh
    ``cls()``. A missing ``version`` falls back to ``cls._version``. The
    observable, producer, description, indicator types, confidence and
    alternative id are applied only when present; the rest unconditionally.
    """
    if not dict_repr:
        return None
    indicator = return_obj or cls()
    get = dict_repr.get

    indicator.id_ = get('id')
    indicator.idref = get('idref')
    indicator.timestamp = get('timestamp')
    indicator.title = get('title')
    indicator.version = get('version', cls._version)

    indicator.short_description = StructuredText.from_dict(get('short_description'))
    indicator.indicated_ttps = list(map(RelatedTTP.from_dict, get('indicated_ttps', [])))
    indicator.test_mechanisms = list(map(_BaseTestMechanism.from_dict, get('test_mechanisms', [])))
    indicator.suggested_coas = SuggestedCOAs.from_dict(get('suggested_coas'))
    indicator.sightings = Sightings.from_dict(get('sightings'))
    indicator.composite_indicator_expression = CompositeIndicatorExpression.from_dict(get('composite_indicator_expression'))
    indicator.handling = Marking.from_dict(get('handling'))

    observable = get('observable')
    if observable:
        indicator.add_observable(Observable.from_dict(observable))
    producer = get('producer')
    if producer:
        indicator.producer = InformationSource.from_dict(producer)
    description = get('description')
    if description:
        indicator.description = StructuredText.from_dict(description)
    for type_dict in get('indicator_types') or ():
        indicator.add_indicator_type(IndicatorType.from_dict(type_dict))
    confidence = get('confidence')
    if confidence:
        indicator.confidence = Confidence.from_dict(confidence)
    alternative_id = get('alternative_id')
    if alternative_id:
        indicator.alternative_id = alternative_id
    return indicator
def from_obj(cls, obj, return_obj=None):
    """Populate a Campaign from its binding ``obj`` (attribute API).

    Returns None for a falsy ``obj``; fills ``return_obj`` or a fresh
    ``cls()``. Campaign children are copied only when ``obj`` is an instance
    of ``cls._binding_class``.
    """
    if not obj:
        return None
    campaign = return_obj or cls()

    campaign.id_ = obj.id
    campaign.idref = obj.idref
    campaign.timestamp = obj.timestamp

    if isinstance(obj, cls._binding_class):
        campaign.version = obj.version
        campaign.title = obj.Title
        campaign.description = StructuredText.from_obj(obj.Description)
        campaign.short_description = StructuredText.from_obj(obj.Short_Description)
        campaign.names = Names.from_obj(obj.Names)
        campaign.intended_effects = list(map(Statement.from_obj, obj.Intended_Effect))
        campaign.status = VocabString.from_obj(obj.Status)
        campaign.related_ttps = RelatedTTPs.from_obj(obj.Related_TTPs)
        campaign.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
        campaign.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        campaign.attribution = list(map(Attribution.from_obj, obj.Attribution))
        campaign.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
        campaign.confidence = Confidence.from_obj(obj.Confidence)
        campaign.activity = list(map(Activity.from_obj, obj.Activity))
        campaign.information_source = InformationSource.from_obj(obj.Information_Source)
        campaign.handling = Marking.from_obj(obj.Handling)
        campaign.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

    return campaign
def from_obj(cls, obj, return_obj=None):
    """Populate a Campaign from its generateDS binding (getter API).

    Returns None for a falsy ``obj``; fills ``return_obj`` or a fresh
    ``cls()``. Campaign children are copied only when ``obj`` is an instance
    of ``cls._binding_class``; a missing version falls back to
    ``cls._version``. This variant stores the singular ``intended_effect``.
    """
    if not obj:
        return None
    campaign = return_obj or cls()

    campaign.id_ = obj.get_id()
    campaign.idref = obj.get_idref()
    campaign.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        campaign.version = obj.get_version() or cls._version
        campaign.title = obj.get_Title()
        campaign.description = StructuredText.from_obj(obj.get_Description())
        campaign.short_description = StructuredText.from_obj(obj.get_Short_Description())
        campaign.names = Names.from_obj(obj.get_Names())
        campaign.intended_effect = list(map(Statement.from_obj, obj.get_Intended_Effect()))
        campaign.status = VocabString.from_obj(obj.get_Status())
        campaign.related_ttps = RelatedTTPs.from_obj(obj.get_Related_TTPs())
        campaign.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents())
        campaign.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
        campaign.attribution = list(map(Attribution.from_obj, obj.get_Attribution()))
        campaign.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
        campaign.confidence = Confidence.from_obj(obj.get_Confidence())
        campaign.activity = list(map(Activity.from_obj, obj.get_Activity()))
        campaign.information_source = InformationSource.from_obj(obj.get_Information_Source())
        campaign.handling = Marking.from_obj(obj.get_Handling())
        campaign.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

    return campaign
def from_obj(cls, obj, return_obj=None):
    """Populate a ThreatActor from its binding ``obj``.

    Base-class fields are filled by ``super(ThreatActor, cls).from_obj``;
    the ThreatActorType-specific children below are copied only when ``obj``
    is an instance of ``cls._binding_class``. Returns None for a falsy
    ``obj``; fills ``return_obj`` or a fresh ``cls()``.
    """
    if not obj:
        return None
    actor = return_obj or cls()
    super(ThreatActor, cls).from_obj(obj, return_obj=actor)

    if isinstance(obj, cls._binding_class):
        actor.identity = Identity.from_obj(obj.Identity)
        actor.types = _Types.from_obj(obj.Type)
        actor.motivations = _Motivations.from_obj(obj.Motivation)
        actor.sophistications = _Sophistications.from_obj(obj.Sophistication)
        actor.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
        actor.planning_and_operational_supports = _PlanningAndOperationalSupports.from_obj(obj.Planning_And_Operational_Support)
        actor.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
        actor.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
        actor.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
        actor.confidence = Confidence.from_obj(obj.Confidence)
        actor.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

    return actor
def from_dict(cls, dict_repr, return_obj=None):
    """Populate a Campaign from its dictionary form.

    Base-class fields are filled by ``super(Campaign, cls).from_dict``; the
    Campaign-specific fields are then read from ``dict_repr`` (missing keys
    yield None and are passed on to the typed collection helpers). Returns
    None for a falsy ``dict_repr``; fills ``return_obj`` or a fresh ``cls()``.
    """
    if not dict_repr:
        return None
    campaign = return_obj or cls()
    super(Campaign, cls).from_dict(dict_repr, return_obj=campaign)

    field = dict_repr.get
    campaign.names = Names.from_dict(field("names"))
    campaign.intended_effects = _IntendedEffects.from_dict(field("intended_effects"))
    campaign.status = VocabString.from_dict(field("status"))
    campaign.related_ttps = RelatedTTPs.from_dict(field("related_ttps"))
    campaign.related_incidents = RelatedIncidents.from_dict(field("related_incidents"))
    campaign.related_indicators = RelatedIndicators.from_dict(field("related_indicators"))
    campaign.attribution = _AttributionList.from_list(field("attribution"))
    campaign.associated_campaigns = AssociatedCampaigns.from_dict(field("associated_campaigns"))
    campaign.confidence = Confidence.from_dict(field("confidence"))
    campaign.activity = _Activities.from_dict(field("activity"))
    campaign.related_packages = RelatedPackageRefs.from_dict(field("related_packages"))
    return campaign