def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.party_name = PartyName.from_dict( dict_repr.get('party_name')) return_obj.languages = [ Language.from_dict(x) for x in dict_repr.get('languages', []) ] return_obj.addresses = [ Address.from_dict(x) for x in dict_repr.get('addresses', []) ] return_obj.electronic_address_identifiers = [ ElectronicAddressIdentifier.from_dict(x) for x in dict_repr.get('electronic_address_identifiers', []) ] return_obj.free_text_lines = [ FreeTextLine.from_dict(x) for x in dict_repr.get('free_text_lines', []) ] return_obj.contact_numbers = [ ContactNumber.from_dict(x) for x in dict_repr.get('contact_numbers', []) ] return_obj.organisation_info = OrganisationInfo.from_dict( dict_repr.get('organisation_info')) return return_obj
def convert_identity(ident20): if ("sectors" in ident20 or "contact_information" in ident20 or "labels" in ident20 or "identity_class" in ident20 or "description" in ident20): ident1x = CIQIdentity3_0Instance() id1x = convert_id20(ident20["id"]) ident1x.id_ = id1x if ident20["identity_class"] != "organization": ident1x.name = ident20["name"] if "labels" in ident20: ident1x.roles = ident20["labels"] if ("sectors" in ident20 or "contact_information" in ident20 or "identity_class" in ident20 or "description" in ident20): ident1x.specification = STIXCIQIdentity3_0() if ident20["identity_class"] == "organization": party_name = PartyName() party_name.add_organisation_name(text_type(ident20["name"])) ident1x.specification.party_name = party_name if "sectors" in ident20: first = True for s in ident20["sectors"]: if first: ident1x.specification.organisation_info = \ OrganisationInfo(text_type(convert_open_vocabs_to_controlled_vocabs(s, SECTORS_MAP, False)[0])) first = False else: warn( "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted", 401, "Identity", "sectors", s) # Identity in 1.x has no description property, use free-text-lines if "identity_class" in ident20: add_missing_property_to_free_text_lines( ident1x.specification, "identity_class", ident20["identity_class"]) # Because there is format defined in the specification for this property, it is difficult to # determine how to convert the information probably found within it to the CIQ fields, so it will be put # in the free_text_lines if "contact_information" in ident20: add_missing_property_to_free_text_lines( ident1x.specification, "contact_information", ident20["contact_information"]) if "description" in ident20: add_missing_property_to_free_text_lines( ident1x.specification, "description", ident20["description"]) else: ident1x = Identity(id_=convert_id20(ident20["id"]), name=ident20["name"]) if "object_marking_refs" in ident20: for m_id in ident20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(ident1x, ms, descendants=True) if "granular_markings" in ident20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, ident20["id"]) return ident1x
def main(): ciq_identity = CIQIdentity3_0Instance() identity_spec = STIXCIQIdentity3_0() identity_spec.organisation_info = OrganisationInfo( industry_type="Electricity, Industrial Control Systems") ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity stix_package = STIXPackage() stix_package.add_ttp(ttp) print stix_package.to_xml()
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs): """ This utility functions aids in the creation of an AIS marking and appends it to the provided STIX package. Args: stix_package: A stix.core.STIXPackage object. proprietary: True if marking uses IsProprietary, False for NotProprietary. consent: A string with one of the following values: "EVERYONE", "NONE" or "USG". color: A string that corresponds to TLP values: "WHITE", "GREEN" or "AMBER". **kwargs: Six required keyword arguments that are used to create a CIQ identity object. These are: country_name_code, country_name_code_type, admin_area_name_code, admin_area_name_code_type, organisation_name, industry_type. Raises: ValueError: When keyword arguments are missing. User did not supply correct values for: proprietary, color and consent. Note: The following line is required to register the AIS extension:: >>> import stix.extensions.marking.ais Any Markings under STIX Header will be removed. Please follow the guidelines for `AIS`_. The industry_type keyword argument accepts: a list of string based on defined sectors, a pipe-delimited string of sectors, or a single sector. .. _AIS: https://www.us-cert.gov/ais """ from stix.common import InformationSource from stix.extensions.identity.ciq_identity_3_0 import ( CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address, Country, NameElement, OrganisationInfo, AdministrativeArea) from stix.core.stix_header import STIXHeader from stix.data_marking import MarkingSpecification, Marking args = ('country_name_code', 'country_name_code_type', 'industry_type', 'admin_area_name_code', 'admin_area_name_code_type', 'organisation_name') diff = set(args) - set(kwargs.keys()) if diff: msg = 'All keyword arguments must be provided. Missing: {0}' raise ValueError(msg.format(tuple(diff))) party_name = PartyName() party_name.add_organisation_name(kwargs['organisation_name']) country = Country() country_name = NameElement() country_name.name_code = kwargs['country_name_code'] country_name.name_code_type = kwargs['country_name_code_type'] country.add_name_element(country_name) admin_area = AdministrativeArea() admin_area_name = NameElement() admin_area_name.name_code = kwargs['admin_area_name_code'] admin_area_name.name_code_type = kwargs['admin_area_name_code_type'] admin_area.add_name_element(admin_area_name) address = Address() address.country = country address.administrative_area = admin_area org_info = OrganisationInfo() org_info.industry_type = _validate_and_create_industry_type( kwargs['industry_type']) id_spec = STIXCIQIdentity3_0() id_spec.party_name = party_name id_spec.add_address(address) id_spec.organisation_info = org_info identity = CIQIdentity3_0Instance() identity.specification = id_spec if proprietary is True: proprietary_obj = IsProprietary() consent = 'EVERYONE' elif proprietary is False: proprietary_obj = NotProprietary() else: raise ValueError('proprietary expected True or False.') proprietary_obj.ais_consent = AISConsentType(consent=consent) proprietary_obj.tlp_marking = TLPMarkingType(color=color) ais_marking = AISMarkingStructure() if isinstance(proprietary_obj, IsProprietary): ais_marking.is_proprietary = proprietary_obj else: ais_marking.not_proprietary = proprietary_obj marking_spec = MarkingSpecification() marking_spec.controlled_structure = '//node() | //@*' marking_spec.marking_structures.append(ais_marking) marking_spec.information_source = InformationSource() marking_spec.information_source.identity = identity if not stix_package.stix_header: stix_package.stix_header = STIXHeader() # Removes any other Markings if present. stix_package.stix_header.handling = Marking() stix_package.stix_header.handling.add_marking(marking_spec)
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs): """ This utility functions aids in the creation of an AIS marking and appends it to the provided STIX package. Args: stix_package: A stix.core.STIXPackage object. proprietary: True if marking uses IsProprietary, False for NotProprietary. consent: A string with one of the following values: "EVERYONE", "NONE" or "USG". color: A string that corresponds to TLP values: "WHITE", "GREEN" or "AMBER". **kwargs: Six required keyword arguments that are used to create a CIQ identity object. These are: country_name_code, country_name_code_type, admin_area_name_code, admin_area_name_code_type, organisation_name, industry_type. Raises: ValueError: When keyword arguments are missing. User did not supply correct values for: proprietary, color and consent. Note: The following line is required to register the AIS extension:: >>> import stix.extensions.marking.ais Any Markings under STIX Header will be removed. Please follow the guidelines for `AIS`_. The industry_type keyword argument accepts: a list of string based on defined sectors, a pipe-delimited string of sectors, or a single sector. .. _AIS: https://www.us-cert.gov/ais """ from stix.common import InformationSource from stix.extensions.identity.ciq_identity_3_0 import ( CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address, Country, NameElement, OrganisationInfo, AdministrativeArea) from stix.core.stix_header import STIXHeader from stix.data_marking import MarkingSpecification, Marking args = ('country_name_code', 'country_name_code_type', 'industry_type', 'admin_area_name_code', 'admin_area_name_code_type', 'organisation_name') diff = set(args) - set(kwargs.keys()) if diff: msg = 'All keyword arguments must be provided. Missing: {0}' raise ValueError(msg.format(tuple(diff))) party_name = PartyName() party_name.add_organisation_name(kwargs['organisation_name']) country = Country() country_name = NameElement() country_name.name_code = kwargs['country_name_code'] country_name.name_code_type = kwargs['country_name_code_type'] country.add_name_element(country_name) admin_area = AdministrativeArea() admin_area_name = NameElement() admin_area_name.name_code = kwargs['admin_area_name_code'] admin_area_name.name_code_type = kwargs['admin_area_name_code_type'] admin_area.add_name_element(admin_area_name) address = Address() address.country = country address.administrative_area = admin_area org_info = OrganisationInfo() org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type']) id_spec = STIXCIQIdentity3_0() id_spec.party_name = party_name id_spec.add_address(address) id_spec.organisation_info = org_info identity = CIQIdentity3_0Instance() identity.specification = id_spec if proprietary is True: proprietary_obj = IsProprietary() consent = 'EVERYONE' elif proprietary is False: proprietary_obj = NotProprietary() else: raise ValueError('proprietary expected True or False.') proprietary_obj.ais_consent = AISConsentType(consent=consent) proprietary_obj.tlp_marking = TLPMarkingType(color=color) ais_marking = AISMarkingStructure() if isinstance(proprietary_obj, IsProprietary): ais_marking.is_proprietary = proprietary_obj else: ais_marking.not_proprietary = proprietary_obj marking_spec = MarkingSpecification() marking_spec.controlled_structure = '//node() | //@*' marking_spec.marking_structures.append(ais_marking) marking_spec.information_source = InformationSource() marking_spec.information_source.identity = identity if not stix_package.stix_header: stix_package.stix_header = STIXHeader() # Removes any other Markings if present. stix_package.stix_header.handling = Marking() stix_package.stix_header.handling.add_marking(marking_spec)
identity_spec = STIXCIQIdentity3_0() identity_spec.add_address(Address(country='Germany')) identity_spec.add_address(Address(country='United States')) identity_spec.add_language('German') identity_spec.add_language('English') identity_spec.add_nationality('American') identity_spec.add_contact_number('727-867-5309') identity_spec.add_electronic_address_identifier('bricca') identity_spec.add_electronic_address_identifier( ElectronicAddressIdentifier(value='*****@*****.**', type_='Email')) party_name = PartyName() party_name.add_person_name('Bob Ricca') party_name.add_person_name('Robert Ricca') party_name.add_organisation_name('ThreatQuotient') identity_spec.party_name = party_name organization = OrganisationInfo(industry_type='Cybersecurity') identity_spec.organisation_info = organization identity.specification = identity_spec victim_targeting.identity = identity domain2 = DomainName() domain2.value = 'www.bobricca.com' observable2 = Observable(domain2) victim_targeting.targeted_technical_details = Observables( Observable(idref=observable2.id_)) ttp2.victim_targeting = victim_targeting ttp2.related_ttps.append(related_ttp) # Related TTP (Exploit; by id) ttp3 = TTP(title='Remote Exploit of Server Software') exploit = Exploit(title='Exploit Apache')