def add_new_indicator_action(action, analyst): """ Add a new indicator action to CRITs. :param action: The action to add to CRITs. :type action: str :param analyst: The user adding this action. :returns: True, False """ action = action.strip() try: idb_action = IndicatorAction.objects(name=action).first() if idb_action: return False idb_action = IndicatorAction() idb_action.name = action idb_action.save(username=analyst) return True except ValidationError: return False
def populate_indicator_actions(drop): """ Populate default set of Indicator Actions into the system. :param drop: Drop the existing collection before trying to populate. :type: boolean """ # define your indicator actions here actions = ['Blocked Outbound At Firewall', 'Blocked Outbound At Desktop Firewall'] if drop: IndicatorAction.drop_collection() if len(IndicatorAction.objects()) < 1: for action in actions: ia = IndicatorAction() ia.name = action ia.save() print "Indicator Actions: added %s actions!" % len(actions) else: print "Indicator Actions: existing documents detected. skipping!"
def handle_indicator_csv(csv_data, source, method, reference, ctype, username, add_domain=False): """ Handle adding Indicators in CSV format (file or blob). :param csv_data: The CSV data. :type csv_data: str or file handle :param source: The name of the source for these indicators. :type source: str :param method: The method of acquisition of this indicator. :type method: str :param reference: The reference to this data. :type reference: str :param ctype: The CSV type. :type ctype: str ("file" or "blob") :param username: The user adding these indicators. :type username: str :param add_domain: If the indicators being added are also other top-level objects, add those too. :type add_domain: boolean :returns: dict with keys "success" (boolean) and "message" (str) """ if ctype == "file": cdata = csv_data.read() else: cdata = csv_data.encode('ascii') data = csv.DictReader(StringIO(cdata), skipinitialspace=True) result = {'success': True} result_message = "" # Compute permitted values in CSV valid_ratings = { 'unknown': 'unknown', 'benign': 'benign', 'low': 'low', 'medium': 'medium', 'high': 'high'} valid_campaign_confidence = { 'low': 'low', 'medium': 'medium', 'high': 'high'} valid_campaigns = {} for c in Campaign.objects(active='on'): valid_campaigns[c['name'].lower().replace(' - ', '-')] = c['name'] valid_actions = {} for a in IndicatorAction.objects(active='on'): valid_actions[a['name'].lower().replace(' - ', '-')] = a['name'] valid_ind_types = {} for obj in ObjectType.objects(datatype__enum__exists=False, datatype__file__exists=False): if obj['object_type'] == obj['name']: name = obj['object_type'] else: name = "%s - %s" % (obj['object_type'], obj['name']) valid_ind_types[name.lower().replace(' - ', '-')] = name # Start line-by-line import added = 0 for processed, d in enumerate(data, 1): ind = {} ind['value'] = d.get('Indicator', '').lower().strip() ind['type'] = get_verified_field(d, valid_ind_types, 'Type') if not ind['value'] or not ind['type']: # Mandatory value missing or malformed, cannot process csv row i = "" result['success'] = False if not ind['value']: i += "No valid Indicator value " if not ind['type']: i += "No valid Indicator type " result_message += "Cannot process row %s: %s<br />" % (processed, i) continue campaign = get_verified_field(d, valid_campaigns, 'Campaign') if campaign: ind['campaign'] = campaign ind['campaign_confidence'] = get_verified_field(d, valid_campaign_confidence, 'Campaign Confidence', default='low') actions = d.get('Action', '') if actions: actions = get_verified_field(actions.split(','), valid_actions) if not actions: result['success'] = False result_message += "Cannot process row %s: Invalid Action<br />" % processed continue ind['confidence'] = get_verified_field(d, valid_ratings, 'Confidence', default='unknown') ind['impact'] = get_verified_field(d, valid_ratings, 'Impact', default='unknown') ind[form_consts.Common.BUCKET_LIST_VARIABLE_NAME] = d.get(form_consts.Common.BUCKET_LIST, '') ind[form_consts.Common.TICKET_VARIABLE_NAME] = d.get(form_consts.Common.TICKET, '') try: response = handle_indicator_insert(ind, source, reference, analyst=username, method=method, add_domain=add_domain) except Exception, e: result['success'] = False result_message += "Failure processing row %s: %s<br />" % (processed, str(e)) continue if response['success']: if actions: action = {'active': 'on', 'analyst': username, 'begin_date': '', 'end_date': '', 'performed_date': '', 'reason': '', 'date': datetime.datetime.now()} for action_type in actions: action['action_type'] = action_type action_add(response.get('objectid'), action) else: result['success'] = False result_message += "Failure processing row %s: %s<br />" % (processed, response['message']) continue added += 1
def class_from_id(type_, _id): """ Return an instantiated class object. :param type_: The CRITs top-level object type. :type type_: str :param _id: The ObjectId to search for. :type _id: str :returns: class which inherits from :class:`crits.core.crits_mongoengine.CritsBaseAttributes` """ # doing this to avoid circular imports from crits.actors.actor import ActorThreatIdentifier, Actor from crits.backdoors.backdoor import Backdoor from crits.campaigns.campaign import Campaign from crits.certificates.certificate import Certificate from crits.comments.comment import Comment from crits.core.source_access import SourceAccess from crits.core.user_role import UserRole from crits.domains.domain import Domain from crits.emails.email import Email from crits.events.event import Event from crits.exploits.exploit import Exploit from crits.indicators.indicator import Indicator, IndicatorAction from crits.ips.ip import IP from crits.pcaps.pcap import PCAP from crits.raw_data.raw_data import RawData, RawDataType from crits.samples.sample import Sample from crits.screenshots.screenshot import Screenshot from crits.targets.target import Target if not _id: return None # make sure it's a string _id = str(_id) # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise # the queries below will raise a ValidationError exception. if not ObjectId.is_valid(_id.decode('utf8')): return None if type_ == 'Actor': return Actor.objects(id=_id).first() elif type_ == 'Backdoor': return Backdoor.objects(id=_id).first() elif type_ == 'ActorThreatIdentifier': return ActorThreatIdentifier.objects(id=_id).first() elif type_ == 'Campaign': return Campaign.objects(id=_id).first() elif type_ == 'Certificate': return Certificate.objects(id=_id).first() elif type_ == 'Comment': return Comment.objects(id=_id).first() elif type_ == 'Domain': return Domain.objects(id=_id).first() elif type_ == 'Email': return Email.objects(id=_id).first() elif type_ == 'Event': return Event.objects(id=_id).first() elif type_ == 'Exploit': return Exploit.objects(id=_id).first() elif type_ == 'Indicator': return Indicator.objects(id=_id).first() elif type_ == 'IndicatorAction': return IndicatorAction.objects(id=_id).first() elif type_ == 'IP': return IP.objects(id=_id).first() elif type_ == 'PCAP': return PCAP.objects(id=_id).first() elif type_ == 'RawData': return RawData.objects(id=_id).first() elif type_ == 'RawDataType': return RawDataType.objects(id=_id).first() elif type_ == 'Sample': return Sample.objects(id=_id).first() elif type_ == 'SourceAccess': return SourceAccess.objects(id=_id).first() elif type_ == 'Screenshot': return Screenshot.objects(id=_id).first() elif type_ == 'Target': return Target.objects(id=_id).first() elif type_ == 'UserRole': return UserRole.objects(id=_id).first() else: return None
def class_from_id(type_, _id): """ Return an instantiated class object. :param type_: The CRITs top-level object type. :type type_: str :param _id: The ObjectId to search for. :type _id: str :returns: class which inherits from :class:`crits.core.crits_mongoengine.CritsBaseAttributes` """ # doing this to avoid circular imports from crits.campaigns.campaign import Campaign from crits.certificates.certificate import Certificate from crits.comments.comment import Comment from crits.core.crits_mongoengine import RelationshipType from crits.core.source_access import SourceAccess from crits.core.user_role import UserRole from crits.domains.domain import Domain from crits.emails.email import Email from crits.events.event import Event, EventType from crits.indicators.indicator import Indicator, IndicatorAction from crits.ips.ip import IP from crits.objects.object_type import ObjectType from crits.pcaps.pcap import PCAP from crits.raw_data.raw_data import RawData, RawDataType from crits.samples.backdoor import Backdoor from crits.samples.exploit import Exploit from crits.samples.sample import Sample from crits.targets.target import Target if not _id: return None # make sure it's a string _id = str(_id) if type_ == 'Backdoor': return Backdoor.objects(id=_id).first() if type_ == 'Campaign': return Campaign.objects(id=_id).first() elif type_ == 'Certificate': return Certificate.objects(id=_id).first() elif type_ == 'Comment': return Comment.objects(id=_id).first() elif type_ == 'Domain': return Domain.objects(id=_id).first() elif type_ == 'Email': return Email.objects(id=_id).first() elif type_ == 'Event': return Event.objects(id=_id).first() elif type_ == 'EventType': return EventType.objects(id=_id).first() elif type_ == 'Exploit': return Exploit.objects(id=_id).first() elif type_ == 'Indicator': return Indicator.objects(id=_id).first() elif type_ == 'IndicatorAction': return IndicatorAction.objects(id=_id).first() elif type_ == 'IP': return IP.objects(id=_id).first() elif type_ == 'ObjectType': return ObjectType.objects(id=_id).first() elif type_ == 'PCAP': return PCAP.objects(id=_id).first() elif type_ == 'RawData': return RawData.objects(id=_id).first() elif type_ == 'RawDataType': return RawDataType.objects(id=_id).first() elif type_ == 'RelationshipType': return RelationshipType.objects(id=_id).first() elif type_ == 'Sample': return Sample.objects(id=_id).first() elif type_ == 'SourceAccess': return SourceAccess.objects(id=_id).first() elif type_ == 'Target': return Target.objects(id=_id).first() elif type_ == 'UserRole': return UserRole.objects(id=_id).first() else: return None