# Registers the custom STIX observable type "x-opencti-simple-observable":
# a generic key/value pair plus the bookkeeping fields listed below.
# NOTE(review): "key" and "value" are plain StringProperty fields, so this
# schema only checks that they are strings. Any per-type validation of the
# value (IP, hash, URL, ...) has to happen in the consumer; confirm where.
@CustomObservable(
    "x-opencti-simple-observable",
    [
        ("key", properties.StringProperty(required=True)),
        ("value", properties.StringProperty(required=True)),
        ("description", properties.StringProperty()),
        (
            # Only references to "identity" objects are accepted here.
            "created_by_ref",
            properties.ReferenceProperty(valid_types="identity", spec_version="2.1"),
        ),
        # No min/max is passed, so any integer is accepted at this layer.
        # NOTE(review): if the platform expects a bounded score, the bound is
        # enforced somewhere else (or not at all); confirm.
        ("x_opencti_score", properties.IntegerProperty()),
        # NOTE(review): presumably asks the receiving platform to derive an
        # indicator from this observable. For bundles from less-trusted feeds
        # the importer should treat it as a request to be authorised; confirm
        # against the import code.
        ("x_opencti_create_indicator", properties.BooleanProperty()),
        ("labels", properties.ListProperty(properties.StringProperty)),
        ("external_references", properties.ListProperty(ExternalReference)),
        (
            # Only references to "marking-definition" objects are accepted.
            "object_marking_refs",
            properties.ListProperty(
                properties.ReferenceProperty(valid_types="marking-definition", spec_version="2.1")),
        ),
    ],
)
class SimpleObservable:
    pass


# (excerpt ends mid-decorator; the rest of this definition is not shown)
@CustomObject( "x-opencti-incident",
import re

from stix2 import CustomObject, properties, KillChainPhase

from yeti.core.errors import ValidationError
from .indicator_base import Indicator


# Registers the custom STIX object type 'x-regex'. 'labels', 'pattern' and
# 'valid_from' are the required properties.
@CustomObject('x-regex', [('labels', properties.StringProperty(required=True)),
                          ('name', properties.StringProperty()),
                          ('description', properties.StringProperty()),
                          ('pattern', properties.StringProperty(required=True)),
                          ('valid_from', properties.TimestampProperty(required=True)),
                          ('valid_until', properties.TimestampProperty()),
                          ('kill_chain_phases', properties.ListProperty(KillChainPhase))])
class StixRegex():

    def __init__(self, pattern=None, **_):
        """Reject the object when ``pattern`` is not a compilable regex.

        Args:
            pattern: Regular expression source to check.
            **_: Remaining keyword arguments; ignored here.

        Raises:
            ValidationError: If ``re.compile`` raises ``re.error``.
        """
        # re.compile() proves syntactic validity only. A pattern that compiles
        # can still backtrack catastrophically when evaluated, so if patterns
        # from shared feeds are later matched against large or untrusted text
        # (that code is outside this excerpt), bound the matching itself,
        # e.g. with input-size limits or a timeout in a worker.
        #
        # Only re.error is caught: a non-string pattern, including the None
        # default, makes re.compile() raise TypeError, which propagates as-is.
        try:
            re.compile(pattern)
        except re.error as e:
            raise ValidationError('{0:s} is not a valid regular expression:'
                                  ' {1:s}'.format(pattern, str(e)))


# (class body continues beyond this excerpt)
class Regex(Indicator):
    """STIX Indicator Yeti object.

    Extends the Indicator STIX2 definition.
    """
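@CustomObject('x-react-stage', [
    ('name', properties.StringProperty(required=True)),
    ('description', properties.StringProperty()),
    # NOTE(review): ObjectReferenceProperty holds a single reference value,
    # whereas STIX objects normally carry external_references as a list of
    # ExternalReference. Confirm this matches the data actually stored.
    ('external_references', properties.ObjectReferenceProperty())]
)
class ReactStage(object):
    """Custom STIX object for one RE&CT response stage."""

    def __init__(self, name=None, **kwargs):
        """Check that ``name`` is one of the six RE&CT stages.

        Args:
            name: Stage name; ``None`` skips the check.
            **kwargs: Remaining properties; not inspected here.

        Raises:
            ValueError: If ``name`` is given and is not a recognized stage.
        """
        recognized_stages = (
            'Preparation',
            'Identification',
            'Containment',
            'Eradication',
            'Recovery',
            'Lessons Learned',
        )
        # Compare against None rather than relying on truthiness: an empty
        # string is a supplied (and invalid) name and must be rejected like
        # any other unknown stage instead of slipping past the check.
        if name is not None and name not in recognized_stages:
            raise ValueError("'%s' is not a recognized stage of RE&CT." % name)


@CustomObject('x-react-action', [
    ('name', properties.StringProperty(required=True)),
    ('description', properties.StringProperty()),
    ('external_references', properties.ObjectReferenceProperty()),
    # Entries are accepted as generic dictionaries; they are not validated
    # as kill-chain-phase objects at this layer.
    ('kill_chain_phases', properties.ListProperty(properties.DictionaryProperty))]
)
class ReactAction(object):
    """Custom STIX object for one RE&CT response action."""

    def __init__(self, name=None, **kwargs):
        """Accept any property values; no extra validation is performed."""
        pass


@CustomObject('x-react-matrix', [
    ('name', properties.StringProperty(required=True)),
    ('description', properties.StringProperty()),
    # Plain strings: these refs are not checked to be STIX identifiers.
    ('tactic_refs', properties.ListProperty(properties.StringProperty))]
)
class ReactMatrix(object):
    """Custom STIX object for the RE&CT matrix."""

    def __init__(self, name=None, **kwargs):
        """Accept any property values; no extra validation is performed."""
        pass


external_references = []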
""" Writes the Sigma rules into a file. """ file = open('sigma_rules_stix_bundle.json', 'w') file.write(Bundle(json).serialize(pretty=False)) @CustomObject( 'x-sigma-rules', [ ('action', properties.StringProperty() ), ## needs updating its not part of the schema ('title', properties.StringProperty()), ('status', properties.StringProperty()), ('description', properties.StringProperty()), ('references', properties.ListProperty( properties.StringProperty())), ##posible list here ('reference', properties.ListProperty(properties.StringProperty()) ), ##should be looked at there are two differences ('author', properties.StringProperty()), ('date', properties.StringProperty()), ('logsource', properties.DictionaryProperty()), ('detection', properties.DictionaryProperty()), ('fields', properties.ListProperty(properties.StringProperty())), ('falsepositives', properties.ListProperty( properties.StringProperty())), ('level', properties.StringProperty()), ('tags', properties.ListProperty( properties.StringProperty())), ##needs updating ('analysis', properties.DictionaryProperty()), ##needs updating ]) class Sigma(object):
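# (any decorator applied to this class lies above the excerpt)
class ReactStage(object):
    """One RE&CT response stage; the name is checked on construction."""

    def __init__(self, name=None, **kwargs):
        """Check that ``name`` is one of the six RE&CT stages.

        Args:
            name: Stage name; ``None`` skips the check.
            **kwargs: Remaining properties; not inspected here.

        Raises:
            ValueError: If ``name`` is given and is not a recognized stage.
        """
        recognized_stages = (
            'Preparation',
            'Identification',
            'Containment',
            'Eradication',
            'Recovery',
            'Lessons Learned',
        )
        # Compare against None rather than relying on truthiness: an empty
        # string is a supplied (and invalid) name and must be rejected like
        # any other unknown stage instead of slipping past the check.
        if name is not None and name not in recognized_stages:
            raise ValueError("'%s' is not a recognized stage of RE&CT." % name)


@CustomObject('x-react-action',
              [('name', properties.StringProperty(required=True)),
               ('description', properties.StringProperty()),
               # NOTE(review): ObjectReferenceProperty holds a single
               # reference value, whereas STIX objects normally carry
               # external_references as a list of ExternalReference.
               # Confirm this matches the data actually stored.
               ('external_references', properties.ObjectReferenceProperty()),
               # Entries are accepted as generic dictionaries; they are not
               # validated as kill-chain-phase objects at this layer.
               ('kill_chain_phases',
                properties.ListProperty(properties.DictionaryProperty))])
class ReactAction(object):
    """Custom STIX object for one RE&CT response action."""

    def __init__(self, name=None, **kwargs):
        """Accept any property values; no extra validation is performed."""
        pass


@CustomObject(
    'x-react-matrix',
    [('name', properties.StringProperty(required=True)),
     ('description', properties.StringProperty()),
     # Plain strings: these refs are not checked to be STIX identifiers.
     ('tactic_refs', properties.ListProperty(properties.StringProperty))])
class ReactMatrix(object):
    """Custom STIX object for the RE&CT matrix."""

    def __init__(self, name=None, **kwargs):
        """Accept any property values; no extra validation is performed."""
        pass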
"""Detail Yeti's incident object structure.""" from stix2 import CustomObject, properties from .entity import Entity @CustomObject('x-incident', [ ('x_internal_references', properties.ListProperty( properties.StringProperty)), ('name', properties.StringProperty()), ('description', properties.StringProperty()), ]) class StixIncident(): _collection_name = 'entities' type = 'x-incident' @property def internal_references(self): return self._stix_object.internal_references class Incident(Entity): """Incident Yeti object.""" _collection_name = 'entities' type = 'x-incident' @property def name(self): return self._stix_object.name