activity = Activity() activity.description = 'Foo' campaign.add_activity(activity) campaign.add_intended_effect(IntendedEffect('Extortion')) campaign.status = CampaignStatus('Ongoing') campaign.confidence = HighMediumLow('Medium') # Related TTP (basic; by id) ttp = TTP(title="Malware Variant XYZ") related_ttp = RelatedTTP(TTP(idref=ttp.id_)) campaign.related_ttps.append(related_ttp) # Related Incident (basic; by id) incident = Incident(title='We got hacked') t = Time() t.incident_opened = '2018-09-11' incident.time = t related_incident = RelatedIncident(Incident(idref=incident.id_)) campaign.related_incidents.append(related_incident) # Related Indicator (by id) fake = Faker() indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) campaign.related_indicators.append(related_indicator) # Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = Attribution()
from stix.ttp import TTP, Behavior from stix.ttp.behavior import AttackPattern from stix.coa import CourseOfAction fake = Faker() # Basics incident = Incident(title='We got hacked') incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.' # Dates/Times t1 = '2018-08-23T14:00:05.470947+00:00' t2 = '2018-08-22T14:00:05.470947+00:00' t3 = '2018-08-24T14:00:05.470947+00:00' t = Time() t.incident_opened = t1 t.incident_discovery = t1 t.incident_reported = t1 t.first_malicious_action = t2 t.initial_compromise = t2 t.first_data_exfiltration = t2 t.containment_achieved = t3 t.restoration_achieved = t3 t.incident_closed = t3 incident.time = t # Additional Attributes incident.add_category('Unauthorized Access') incident.add_intended_effect('Destruction') incident.confidence = 'High' incident.add_discovery_method('NIDS')