def data(self) -> Dict:
return {
"type": ContainerTypes.OBSERVED_DATA.value,
"first_observed": get_incident_start_date(),
"last_observed": get_incident_end_date(),
"number_observed": 50,
"objects": [self.ipv4["id"], self.domain["id"]],
}
def data(self) -> Dict:
return {
"type": "Infrastructure",
"name": "Poison Ivy C2",
"description": "Poison Ivy C2 turning into C3",
"first_seen": get_incident_start_date(),
"last_seen": get_incident_end_date(),
"infrastructure_types": ["command-and-control"],
}
def data(self) -> Dict:
return {
"fromId": self.ttp1["id"],
"toId": self.location["id"],
"description": "We saw the attacker use Spearphishing Attachment.",
"start_date": get_incident_start_date(),
"stop_date": get_incident_end_date(),
"count": 3
# "lang": "en",
}
def data(self) -> Dict:
return {
"fromId": self.domain["id"],
"toId": self.ipv4["id"],
"relationship_type": "related-to",
"description": "We saw the attacker use Spearphishing Attachment.",
"start_date": get_incident_start_date(),
"stop_date": get_incident_end_date()
# "lang": "en",
# "object_refs": [self.ipv4["id"], self.domain["id"]],
}
def data(self) -> Dict:
return {
"type": "StixCoreRelationship",
"fromId": self.incident["id"],
"toId": self.ttp1["id"],
"relationship_type": "uses",
"description": "We saw the attacker use Spearphishing Attachment.",
"start_date": get_incident_start_date(),
"stop_date": get_incident_end_date()
# "lang": "en",
}
def data(self) -> Dict:
return {
"type": "Incident",
"name": "Green Group Attacks Against Finance",
"description": "Incident by Green Group against a targets in the financial services sector.",
"aliases": ["GREENEVIL", "GREVIL"],
"confidence": 60,
"first_seen": get_incident_start_date(),
"last_seen": get_incident_end_date(),
"objective": "World dominance",
}
def data(self) -> Dict:
return {
"type":
"indicator",
"name":
"C2 server of the new campaign",
"description":
"This is the C2 server of the campaign",
"pattern_type":
"stix",
"pattern":
"[domain-name:value = 'www.5z8.info' AND domain-name:resolves_to_refs[*].value = '198.51.100.1/32']",
"x_opencti_main_observable_type":
"IPv4-Addr",
"confidence":
60,
"x_opencti_score":
80,
"x_opencti_detection":
True,
"valid_from":
get_incident_start_date(),
"valid_until":
get_incident_end_date(),
"created":
get_incident_start_date(),
"modified":
get_incident_start_date(),
"createdBy":
self.organization["id"],
"objectMarking": [
self.marking_definition_green["id"],
self.marking_definition_white["id"],
],
"update":
True,
# TODO killchain phase
}
