def _add_stix_indicators(self, final_indicator_objects, ttp_id):
"""Create and add STIX Indicators for a list of Object History entries.
Link each Indicator to their Indicated TTP.
Note:
Each STIX Indicator is added to the STIX Package stored in the ``stix_package`` class
member.
Args:
final_indicator_objects: a list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
the final, pruned list of Objects to be used in the STIX Indicators.
ttp_id: the id of the STIX TTP that each STIX Indicator should reference as its Indicated TTP.
"""
object_values_list = []
actions_list = []
final_object_list = []
# Deduplicate the Objects and combine their Actions
for entry in final_indicator_objects:
object = entry.object
# Test if we've already created an Indicator for this Object
obj_values = BundleDeduplicator.get_object_values(object)
if obj_values not in object_values_list:
object_values_list.append(obj_values)
final_object_list.append(object)
actions_list.append(entry.get_action_names())
else:
object_index = object_values_list.index(obj_values)
existing_actions = actions_list[object_index]
existing_actions += entry.get_action_names()
# Create the STIX Indicators
for object in final_object_list:
object_index = final_object_list.index(object)
indicator = Indicator()
indicator.title = "Malware Artifact Extracted from MAEC Document"
indicator.add_indicator_type("Malware Artifacts")
indicator.add_observable(object.properties)
# Add the Action-derived description to the Indicator
description = "Corresponding Action(s): "
for action_name in actions_list[object_index]:
description += (action_name + ", ")
indicator.description = description[:-2]
# Set the proper Confidence on the Indicator
confidence = Confidence()
confidence.value = "Low"
confidence.description = "Tool-generated Indicator. It is HIGHLY recommended that it be vetted by a human analyst before usage."
indicator.confidence = confidence
# Link the Indicator to its Indicated TTP
ttp = TTP(idref=ttp_id)
indicator.add_indicated_ttp(ttp)
# Add the Indicator to the STIX Package
self.stix_package.add_indicator(indicator)
def _add_stix_indicators(self, final_indicator_objects, ttp_id):
"""Create and add STIX Indicators for a list of Object History entries.
Link each Indicator to their Indicated TTP.
Note:
Each STIX Indicator is added to the STIX Package stored in the ``stix_package`` class
member.
Args:
final_indicator_objects: a list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
the final, pruned list of Objects to be used in the STIX Indicators.
ttp_id: the id of the STIX TTP that each STIX Indicator should reference as its Indicated TTP.
"""
object_values_list = []
actions_list = []
final_object_list = []
# Deduplicate the Objects and combine their Actions
for entry in final_indicator_objects:
object = entry.object
# Test if we've already created an Indicator for this Object
obj_values = BundleDeduplicator.get_object_values(object)
if obj_values not in object_values_list:
object_values_list.append(obj_values)
final_object_list.append(object)
actions_list.append(entry.get_action_names())
else:
object_index = object_values_list.index(obj_values)
existing_actions = actions_list[object_index]
existing_actions += entry.get_action_names()
# Create the STIX Indicators
for object in final_object_list:
object_index = final_object_list.index(object)
indicator = Indicator()
indicator.title = "Malware Artifact Extracted from MAEC Document"
indicator.add_indicator_type("Malware Artifacts")
indicator.add_observable(object.properties)
# Add the Action-derived description to the Indicator
description = "Corresponding Action(s): "
for action_name in actions_list[object_index]:
description += (action_name + ", ")
indicator.description = description[:-2]
# Set the proper Confidence on the Indicator
confidence = Confidence()
confidence.value = "Low"
confidence.description = "Tool-generated Indicator. It is HIGHLY recommended that it be vetted by a human analyst before usage."
indicator.confidence = confidence
# Link the Indicator to its Indicated TTP
ttp = TTP(idref=ttp_id)
indicator.add_indicated_ttp(ttp)
# Add the Indicator to the STIX Package
self.stix_package.add_indicator(indicator)
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(ThreatActor, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.identity = Identity.from_dict(get('identity'))
return_obj.types = _Types.from_dict(get('types'))
return_obj.motivations = _Motivations.from_dict(get('motivations'))
return_obj.sophistications = _Sophistications.from_dict(
get('sophistications'))
return_obj.intended_effects = _IntendedEffects.from_dict(
get('intended_effects'))
return_obj.planning_and_operational_supports = \
_PlanningAndOperationalSupports.from_dict(get('planning_and_operational_supports'))
return_obj.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(
get('associated_campaigns'))
return_obj.associated_actors = AssociatedActors.from_dict(
get('associated_actors'))
return_obj.confidence = Confidence.from_dict(get('confidence'))
return_obj.related_packages = RelatedPackageRefs.from_dict(
get('related_packages'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(ThreatActor, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.types = _Types.from_obj(obj.Type)
return_obj.motivations = _Motivations.from_obj(obj.Motivation)
return_obj.sophistications = _Sophistications.from_obj(
obj.Sophistication)
return_obj.intended_effects = _IntendedEffects.from_obj(
obj.Intended_Effect)
return_obj.planning_and_operational_supports = \
_PlanningAndOperationalSupports.from_obj(obj.Planning_And_Operational_Support)
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(
obj.Associated_Campaigns)
return_obj.associated_actors = AssociatedActors.from_obj(
obj.Associated_Actors)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.related_packages = RelatedPackageRefs.from_obj(
obj.Related_Packages)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(Indicator, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.negate = get('negate')
return_obj.alternative_id = get('alternative_id')
return_obj.indicated_ttps = _IndicatedTTPs.from_dict(get('indicated_ttps'))
return_obj.test_mechanisms = TestMechanisms.from_list(get('test_mechanisms'))
return_obj.suggested_coas = SuggestedCOAs.from_dict(get('suggested_coas'))
return_obj.sightings = Sightings.from_dict(get('sightings'))
return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_dict(get('composite_indicator_expression'))
return_obj.kill_chain_phases = KillChainPhasesReference.from_dict(get('kill_chain_phases'))
return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
return_obj.likely_impact = Statement.from_dict(get('likely_impact'))
return_obj.indicator_types = IndicatorTypes.from_list(get('indicator_types'))
return_obj.confidence = Confidence.from_dict(get('confidence'))
return_obj.valid_time_positions = _ValidTimePositions.from_dict(get('valid_time_positions'))
return_obj.observable = Observable.from_dict(get('observable'))
return_obj.producer = InformationSource.from_dict(get('producer'))
return_obj.related_campaigns = RelatedCampaignRefs.from_dict(get('related_campaigns'))
return_obj.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.types = [Statement.from_obj(x) for x in obj.Type]
return_obj.motivations = [Statement.from_obj(x) for x in obj.Motivation]
return_obj.sophistications = [Statement.from_obj(x) for x in obj.Sophistication]
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect]
return_obj.planning_and_operational_supports = [Statement.from_obj(x) for x in obj.Planning_And_Operational_Support]
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
return_obj.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(Incident, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class):
return_obj.time = Time.from_obj(obj.Time)
return_obj.victims = _Victims.from_obj(obj.Victim)
return_obj.categories = IncidentCategories.from_obj(obj.Categories)
return_obj.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
return_obj.affected_assets = AffectedAssets.from_obj(obj.Affected_Assets)
return_obj.discovery_methods = DiscoveryMethods.from_obj(obj.Discovery_Method)
return_obj.coa_taken = _COAsTaken.from_obj(obj.COA_Taken)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.history = History.from_obj(obj.History)
return_obj.responders = _InformationSources.from_obj(obj.Responder)
return_obj.coordinators = _InformationSources.from_obj(obj.Coordinator)
return_obj.external_ids = _ExternalIDs.from_obj(obj.External_ID)
return_obj.reporter = InformationSource.from_obj(obj.Reporter)
return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
return_obj.security_compromise = VocabString.from_obj(obj.Security_Compromise)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(Campaign, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get # PEP 8 line lengths
return_obj.names = Names.from_dict(get('names'))
return_obj.intended_effects = \
_IntendedEffects.from_dict(get('intended_effects'))
return_obj.status = VocabString.from_dict(get('status'))
return_obj.related_ttps = \
RelatedTTPs.from_dict(get('related_ttps'))
return_obj.related_incidents = \
RelatedIncidents.from_dict(get('related_incidents'))
return_obj.related_indicators = \
RelatedIndicators.from_dict(get('related_indicators'))
return_obj.attribution = _AttributionList.from_list(get('attribution'))
return_obj.associated_campaigns = \
AssociatedCampaigns.from_dict(get('associated_campaigns'))
return_obj.confidence = \
Confidence.from_dict(get('confidence'))
return_obj.activity = _Activities.from_dict(get('activity'))
return_obj.related_packages = \
RelatedPackageRefs.from_dict(get('related_packages'))
return return_obj
def confidence(self, value):
if not value:
self._confidence = None
elif isinstance(value, Confidence):
self._confidence = value
else:
self._confidence = Confidence(value=value)
def main():
from stix.coa import CourseOfAction, Objective
from stix.common import Confidence
from stix.core import STIXPackage
from cybox.core import Observables
from cybox.objects.address_object import Address
pkg = STIXPackage()
coa = CourseOfAction()
coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
coa.stage = "Response"
coa.type_ = "Perimeter Blocking"
obj = Objective()
obj.description = "Block communication between the PIVY agents and the C2 Server"
obj.applicability_confidence = Confidence("High")
coa.objective = obj
coa.impact = "Low"
coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
coa.cost = "Low"
coa.efficacy = "High"
addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
coa.parameter_observables = Observables(addr)
pkg.add_course_of_action(coa)
print pkg.to_xml()
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(Campaign, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get # PEP 8 line lengths
return_obj.names = Names.from_dict(get('names'))
return_obj.intended_effects = \
_IntendedEffects.from_dict(get('intended_effects'))
return_obj.status = VocabString.from_dict(get('status'))
return_obj.related_ttps = \
RelatedTTPs.from_dict(get('related_ttps'))
return_obj.related_incidents = \
RelatedIncidents.from_dict(get('related_incidents'))
return_obj.related_indicators = \
RelatedIndicators.from_dict(get('related_indicators'))
return_obj.attribution = _AttributionList.from_list(get('attribution'))
return_obj.associated_campaigns = \
AssociatedCampaigns.from_dict(get('associated_campaigns'))
return_obj.confidence = \
Confidence.from_dict(get('confidence'))
return_obj.activity = _Activities.from_dict(get('activity'))
return_obj.related_packages = \
RelatedPackageRefs.from_dict(get('related_packages'))
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version')
return_obj.title = dict_repr.get('title')
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.identity = Identity.from_dict(dict_repr.get('identity'))
return_obj.types = [Statement.from_dict(x) for x in dict_repr.get('types', [])]
return_obj.motivations = [Statement.from_dict(x) for x in dict_repr.get('motivations', [])]
return_obj.sophistications = [Statement.from_dict(x) for x in dict_repr.get('sophistications', [])]
return_obj.intended_effects = [Statement.from_dict(x) for x in dict_repr.get('intended_effects', [])]
return_obj.planning_and_operational_supports = [Statement.from_dict(x)
for x in dict_repr.get('planning_and_operational_supports', [])]
return_obj.observed_ttps = ObservedTTPs.from_dict(dict_repr.get('observed_ttps'))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(dict_repr.get('associated_campaigns'))
return_obj.associated_actors = AssociatedActors.from_dict(dict_repr.get('associated_actors'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.confidence = Confidence.from_dict(dict_repr.get('confidence'))
return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source'))
return_obj.related_packages = RelatedPackageRefs.from_dict(dict_repr.get('related_packages'))
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.title = dict_repr.get('title')
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.time = Time.from_dict(dict_repr.get('time'))
return_obj.victims = [Identity.from_dict(x) for x in dict_repr.get('victims', [])]
return_obj.categories = [IncidentCategory.from_dict(x) for x in dict_repr.get('categories', [])]
return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(dict_repr.get('attributed_threat_actors'))
return_obj.related_indicators = RelatedIndicators.from_dict(dict_repr.get('related_indicators'))
return_obj.related_observables = RelatedObservables.from_dict(dict_repr.get('related_observables'))
return_obj.related_incidents = RelatedIncidents.from_dict(dict_repr.get('related_incidents'))
return_obj.intended_effects = [Statement.from_dict(x) for x in dict_repr.get('intended_effects', [])]
return_obj.leveraged_ttps = LeveragedTTPs.from_dict(dict_repr.get('leveraged_ttps'))
return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in dict_repr.get('affected_assets', [])]
return_obj.discovery_methdos = [DiscoveryMethod.from_dict(x) for x in dict_repr.get('discovery_methods', [])]
return_obj.reporter = InformationSource.from_dict(dict_repr.get('reporter'))
return_obj.responders = [InformationSource.from_dict(x) for x in dict_repr.get('responders', [])]
return_obj.coordinators = [InformationSource.from_dict(x) for x in dict_repr.get('coordinators', [])]
return_obj.external_ids = [ExternalID.from_dict(x) for x in dict_repr.get('external_ids', [])]
return_obj.impact_assessment = ImpactAssessment.from_dict(dict_repr.get('impact_assessment'))
return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source'))
return_obj.security_compromise = SecurityCompromise.from_dict(dict_repr.get('security_compromise'))
return_obj.confidence = Confidence.from_dict(dict_repr.get('confidence'))
return_obj.coa_taken = [COATaken.from_dict(x) for x in dict_repr.get('coa_taken', [])]
return return_obj
def generate_indicators(self, count):
'''Generate a list of STIX Indicators'''
indicators = []
for i in range(0, count):
indicator = Indicator(title='Multiple indicator types')
indicator.set_producer_identity(Identity(name='Secret Source'))
indicator.set_produced_time(datetime.today())
indicator.add_indicator_type(choice(['Malware Artifacts', 'C2', 'Exfiltration']))
indicator.add_short_description('Short description...')
indicator.add_description('Long description...')
indicator.confidence = Confidence(choice(['High', 'Medium', 'Low', 'None', 'Unknown']))
kill_chain_phase = choice(LMCO_KILL_CHAIN_PHASES)
indicator.kill_chain_phases = KillChainPhasesReference(
[KillChainPhaseReference(name=kill_chain_phase.name)])
ips = self.gen_ips(randint(0, 5))
for ip in ips:
indicator.add_observable(ip)
# user_agents = self.gen_user_agents(randint(0, 5))
# for ua in user_agents:
# indicator.add_observable(ua)
# fqnds = self.gen_fqdns(randint(0, 5))
# for f in fqnds:
# indicator.add_observable(f)
# urls = self.gen_urls(randint(0, 5))
# for u in urls:
# indicator.add_observable(u)
indicators.append(indicator)
return indicators
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(Incident, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.time = Time.from_dict(get('time'))
return_obj.victims = _Victims.from_dict(get('victims'))
return_obj.categories = IncidentCategories.from_dict(get('categories'))
return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(get('attributed_threat_actors'))
return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
return_obj.related_observables = RelatedObservables.from_dict(get('related_observables'))
return_obj.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
return_obj.intended_effects = _IntendedEffects.from_list(get('intended_effects'))
return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps'))
return_obj.affected_assets = AffectedAssets.from_dict(get('affected_assets'))
return_obj.discovery_methods = DiscoveryMethods.from_dict(get('discovery_methods'))
return_obj.reporter = InformationSource.from_dict(get('reporter'))
return_obj.responders = _InformationSources.from_dict(get('responders'))
return_obj.coordinators = _InformationSources.from_dict(get('coordinators'))
return_obj.external_ids = _ExternalIDs.from_dict(get('external_ids'))
return_obj.impact_assessment = ImpactAssessment.from_dict(get('impact_assessment'))
return_obj.security_compromise = VocabString.from_dict(get('security_compromise'))
return_obj.confidence = Confidence.from_dict(get('confidence'))
return_obj.coa_taken = _COAsTaken.from_dict(get('coa_taken'))
return_obj.coa_requested = _COAsRequested.from_dict(get('coa_requested'))
return_obj.status = VocabString.from_dict(get('status'))
return_obj.history = History.from_dict(get('history'))
return_obj.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.version = obj.get_version() if obj.get_version() else cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
return_obj.identity = Identity.from_obj(obj.get_Identity())
return_obj.types = [Statement.from_obj(x) for x in obj.get_Type()]
return_obj.motivations = [Statement.from_obj(x) for x in obj.get_Motivation()]
return_obj.sophistications = [Statement.from_obj(x) for x in obj.get_Sophistication()]
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
return_obj.planning_and_operational_supports = [Statement.from_obj(x) for x in obj.get_Planning_And_Operational_Support()]
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.get_Observed_TTPs())
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
return_obj.associated_actors = AssociatedActors.from_obj(obj.get_Associated_Actors())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())
return return_obj
def main():
file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
stix_header = STIXHeader(
title="File Hash Reputation Service Results",
package_intents=["Indicators - Malware Artifacts"])
stix_package = STIXPackage(stix_header=stix_header)
indicator = Indicator(
title=
"File Reputation for SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
)
indicator.add_indicator_type("File Hash Watchlist")
file_object = File()
file_object.add_hash(Hash(file_hash))
file_object.hashes[0].simple_hash_value.condition = "Equals"
file_object.hashes[0].type_.condition = "Equals"
indicator.add_observable(file_object)
indicator.add_indicated_ttp(TTP(title="Malicious file"))
indicator.confidence = Confidence(value=VocabString('75'))
indicator.confidence.value.vocab_name = "Percentage"
indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage"
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(Incident, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class):
return_obj.time = Time.from_obj(obj.Time)
return_obj.victims = _Victims.from_obj(obj.Victim)
return_obj.categories = IncidentCategories.from_obj(obj.Categories)
return_obj.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
return_obj.affected_assets = AffectedAssets.from_obj(obj.Affected_Assets)
return_obj.discovery_methods = DiscoveryMethods.from_obj(obj.Discovery_Method)
return_obj.coa_taken = _COAsTaken.from_obj(obj.COA_Taken)
return_obj.coa_requested = _COAsRequested.from_obj(obj.COA_Requested)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.history = History.from_obj(obj.History)
return_obj.responders = _InformationSources.from_obj(obj.Responder)
return_obj.coordinators = _InformationSources.from_obj(obj.Coordinator)
return_obj.external_ids = _ExternalIDs.from_obj(obj.External_ID)
return_obj.reporter = InformationSource.from_obj(obj.Reporter)
return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
return_obj.security_compromise = VocabString.from_obj(obj.Security_Compromise)
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(Indicator, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class):
return_obj.negate = obj.negate
return_obj.producer = InformationSource.from_obj(obj.Producer)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.sightings = Sightings.from_obj(obj.Sightings)
return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_obj(obj.Composite_Indicator_Expression)
return_obj.kill_chain_phases = KillChainPhasesReference.from_obj(obj.Kill_Chain_Phases)
return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.likely_impact = Statement.from_obj(obj.Likely_Impact)
return_obj.indicator_types = IndicatorTypes.from_obj(obj.Type)
return_obj.test_mechanisms = TestMechanisms.from_obj(obj.Test_Mechanisms)
return_obj.suggested_coas = SuggestedCOAs.from_obj(obj.Suggested_COAs)
return_obj.alternative_id = obj.Alternative_ID
return_obj.indicated_ttps = _IndicatedTTPs.from_obj(obj.Indicated_TTP)
return_obj.valid_time_positions = _ValidTimePositions.from_obj(obj.Valid_Time_Position)
return_obj.observable = Observable.from_obj(obj.Observable)
return_obj.related_campaigns = RelatedCampaignRefs.from_obj(obj.Related_Campaigns)
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(ThreatActor, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.identity = Identity.from_dict(get('identity'))
return_obj.types = _Types.from_dict(get('types'))
return_obj.motivations = _Motivations.from_dict(get('motivations'))
return_obj.sophistications = _Sophistications.from_dict(get('sophistications'))
return_obj.intended_effects = _IntendedEffects.from_dict(get('intended_effects'))
return_obj.planning_and_operational_supports = \
_PlanningAndOperationalSupports.from_dict(get('planning_and_operational_supports'))
return_obj.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
return_obj.associated_actors = AssociatedActors.from_dict(get('associated_actors'))
return_obj.handling = Marking.from_dict(get('handling'))
return_obj.confidence = Confidence.from_dict(get('confidence'))
return_obj.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(Incident, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.time = Time.from_dict(get('time'))
return_obj.victims = _Victims.from_dict(get('victims'))
return_obj.categories = IncidentCategories.from_dict(get('categories'))
return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(get('attributed_threat_actors'))
return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
return_obj.related_observables = RelatedObservables.from_dict(get('related_observables'))
return_obj.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
return_obj.intended_effects = _IntendedEffects.from_list(get('intended_effects'))
return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps'))
return_obj.affected_assets = AffectedAssets.from_dict(get('affected_assets'))
return_obj.discovery_methods = DiscoveryMethods.from_dict(get('discovery_methods'))
return_obj.reporter = InformationSource.from_dict(get('reporter'))
return_obj.responders = _InformationSources.from_dict(get('responders'))
return_obj.coordinators = _InformationSources.from_dict(get('coordinators'))
return_obj.external_ids = _ExternalIDs.from_dict(get('external_ids'))
return_obj.impact_assessment = ImpactAssessment.from_dict(get('impact_assessment'))
return_obj.security_compromise = VocabString.from_dict(get('security_compromise'))
return_obj.confidence = Confidence.from_dict(get('confidence'))
return_obj.coa_taken = _COAsTaken.from_dict(get('coa_taken'))
return_obj.status = VocabString.from_dict(get('status'))
return_obj.handling = Marking.from_dict(get('handling'))
return_obj.history = History.from_dict(get('history'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(Campaign, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class):
return_obj.names = Names.from_obj(obj.Names)
return_obj.intended_effects = \
_IntendedEffects.from_obj(obj.Intended_Effect)
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.related_ttps = RelatedTTPs.from_obj(obj.Related_TTPs)
return_obj.related_incidents = \
RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.related_indicators = \
RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.attribution = _AttributionList.from_obj(obj.Attribution)
return_obj.associated_campaigns = \
AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.activity = _Activities.from_obj(obj.Activity)
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(Campaign, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class):
return_obj.names = Names.from_obj(obj.Names)
return_obj.intended_effects = \
_IntendedEffects.from_obj(obj.Intended_Effect)
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.related_ttps = RelatedTTPs.from_obj(obj.Related_TTPs)
return_obj.related_incidents = \
RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.related_indicators = \
RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.attribution = _AttributionList.from_obj(obj.Attribution)
return_obj.associated_campaigns = \
AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.activity = _Activities.from_obj(obj.Activity)
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
return_obj.applicability_confidence = Confidence.from_obj(obj.get_Applicability_Confidence())
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.applicability_confidence = Confidence.from_obj(obj.Applicability_Confidence)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.descriptions = StructuredTextList.from_obj(obj.Description)
return_obj.short_descriptions = StructuredTextList.from_obj(obj.Short_Description)
return_obj.applicability_confidence = Confidence.from_obj(obj.Applicability_Confidence)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.applicability_confidence = Confidence.from_dict(dict_repr.get('applicability_confidence'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class):
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.time = Time.from_obj(obj.Time)
if obj.Victim:
return_obj.victims = [Identity.from_obj(x) for x in obj.Victim]
if obj.Categories:
return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.Categories.Category]
if obj.Intended_Effect:
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect]
if obj.Affected_Assets:
return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.Affected_Assets.Affected_Asset]
if obj.Discovery_Method:
return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.Discovery_Method]
if obj.Reporter:
return_obj.reporter = InformationSource.from_obj(obj.Reporter)
if obj.Responder:
return_obj.responders = [InformationSource.from_obj(x) for x in obj.Responder]
if obj.Coordinator:
return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.Coordinator]
if obj.External_ID:
return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.External_ID]
if obj.Impact_Assessment:
return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
if obj.Information_Source:
return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
if obj.Security_Compromise:
return_obj.security_compromise = SecurityCompromise.from_obj(obj.Security_Compromise)
return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.COA_Taken]
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.history = History.from_obj(obj.History)
return return_obj
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value=confid
print("confidence set to %s"%(str(breach.confidence.value)))
breach._binding_class.xml_type = typeIncident
print("incident set to %s"%(str(breach._binding_class.xml_type)))
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of Company Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
# add the victim
breach.add_victim (hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.applicability_confidence = Confidence.from_dict(dict_repr.get('applicability_confidence'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class):
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.time = Time.from_obj(obj.Time)
if obj.Victim:
return_obj.victims = [Identity.from_obj(x) for x in obj.Victim]
if obj.Categories:
return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.Categories.Category]
if obj.Intended_Effect:
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect]
if obj.Affected_Assets:
return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.Affected_Assets.Affected_Asset]
if obj.Discovery_Method:
return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.Discovery_Method]
if obj.Reporter:
return_obj.reporter = InformationSource.from_obj(obj.Reporter)
if obj.Responder:
return_obj.responders = [InformationSource.from_obj(x) for x in obj.Responder]
if obj.Coordinator:
return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.Coordinator]
if obj.External_ID:
return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.External_ID]
if obj.Impact_Assessment:
return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
if obj.Information_Source:
return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
if obj.Security_Compromise:
return_obj.security_compromise = SecurityCompromise.from_obj(obj.Security_Compromise)
return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.COA_Taken]
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.history = History.from_obj(obj.History)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class):
return_obj.version = obj.get_version() or cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
return_obj.time = Time.from_obj(obj.get_Time())
if obj.get_Victim():
return_obj.victims = [Identity.from_obj(x) for x in obj.get_Victim()]
if obj.get_Categories():
return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.get_Categories().get_Category()]
if obj.get_Intended_Effect():
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
if obj.get_Affected_Assets():
return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.get_Affected_Assets().get_Affected_Asset()]
if obj.get_Discovery_Method():
return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.get_Discovery_Method()]
if obj.get_Reporter():
return_obj.reporter = InformationSource.from_obj(obj.get_Reporter())
if obj.get_Responder():
return_obj.responders = [InformationSource.from_obj(x) for x in obj.get_Responder()]
if obj.get_Coordinator():
return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.get_Coordinator()]
if obj.get_External_ID():
return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.get_External_ID()]
if obj.get_Impact_Assessment():
return_obj.impact_assessment = ImpactAssessment.from_obj(obj.get_Impact_Assessment())
if obj.get_Information_Source():
return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
if obj.get_Security_Compromise():
return_obj.security_compromise = SecurityCompromise.from_obj(obj.get_Security_Compromise())
return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.get_COA_Taken()]
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors())
return_obj.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
return_obj.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs())
return_obj.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents())
return_obj.status = VocabString.from_obj(obj.get_Status())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.history = History.from_obj(obj.get_History())
return return_obj
def generateIndicator(attribute):
indicator = Indicator()
indicator.id_ = "example:indicator-" + attribute["uuid"]
setTLP(indicator, attribute["distribution"])
indicator.title = "MISP Attribute #" + attribute[
"id"] + " uuid: " + attribute["uuid"]
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value,
description=confidence_description)
return indicator
def generateIndicator(attribute):
indicator = Indicator(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
if attribute["comment"] != "":
indicator.description = attribute["comment"]
setTLP(indicator, attribute["distribution"])
indicator.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
return indicator
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if return_obj is None:
return_obj = cls()
return_obj.timestamp = obj.get_timestamp()
return_obj.timestamp_precision = obj.get_timestamp_precision()
return_obj.source = InformationSource.from_obj(obj.get_Source())
return_obj.refernce = obj.get_Reference()
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
return return_obj
def from_dict(cls, d, return_obj=None):
if not d:
return None
if return_obj is None:
return_obj = cls()
return_obj.timestamp = d.get('timestamp')
return_obj.timestamp_precision = d.get('timestamp_precision')
return_obj.source = InformationSource.from_dict(d.get('source'))
return_obj.reference = d.get('reference')
return_obj.confidence = Confidence.from_dict(d.get('confidence'))
return_obj.description = StructuredText.from_dict(d.get('description'))
return_obj.related_observables = RelatedObservables.from_dict(d.get('related_observables'))
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version')
return_obj.title = dict_repr.get('title')
return_obj.description = StructuredText.from_dict(
dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(
dict_repr.get('short_description'))
return_obj.identity = Identity.from_dict(dict_repr.get('identity'))
return_obj.types = [
Statement.from_dict(x) for x in dict_repr.get('types', [])
]
return_obj.motivations = [
Statement.from_dict(x) for x in dict_repr.get('motivations', [])
]
return_obj.sophistications = [
Statement.from_dict(x)
for x in dict_repr.get('sophistications', [])
]
return_obj.intended_effects = [
Statement.from_dict(x)
for x in dict_repr.get('intended_effects', [])
]
return_obj.planning_and_operational_supports = [
Statement.from_dict(x)
for x in dict_repr.get('planning_and_operational_supports', [])
]
return_obj.observed_ttps = ObservedTTPs.from_dict(
dict_repr.get('observed_ttps'))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(
dict_repr.get('associated_campaigns'))
return_obj.associated_actors = AssociatedActors.from_dict(
dict_repr.get('associated_actors'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.confidence = Confidence.from_dict(
dict_repr.get('confidence'))
return_obj.information_source = InformationSource.from_dict(
dict_repr.get('information_source'))
return_obj.related_packages = RelatedPackageRefs.from_dict(
dict_repr.get('related_packages'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if return_obj is None:
return_obj = cls()
return_obj.timestamp = obj.timestamp
return_obj.timestamp_precision = obj.timestamp_precision
return_obj.source = InformationSource.from_obj(obj.Source)
return_obj.reference = obj.Reference
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.descriptions = StructuredTextList.from_obj(obj.Description)
return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
return return_obj
def generate_indicator(self, attribute, tags, org):
indicator = Indicator(timestamp=attribute.timestamp)
indicator.id_ = "{}:indicator-{}".format(namespace[1], attribute.uuid)
self.set_prod(indicator, org)
if attribute.comment:
indicator.description = attribute.comment
self.set_tlp(indicator, attribute.distribution, self.merge_tags(tags, attribute))
indicator.title = "{}: {} (MISP Attribute #{})".format(attribute.category, attribute.value, attribute.id)
indicator.description = indicator.title
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute.to_ids, None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=attribute.timestamp)
return indicator
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if return_obj is None:
return_obj = cls()
return_obj.timestamp = obj.timestamp
return_obj.timestamp_precision = obj.timestamp_precision
return_obj.source = InformationSource.from_obj(obj.Source)
return_obj.reference = obj.Reference
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.descriptions = StructuredTextList.from_obj(obj.Description)
return_obj.related_observables = RelatedObservables.from_obj(
obj.Related_Observables)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.title = dict_repr.get('title')
return_obj.version = dict_repr.get('version', cls._version)
observable_dict = dict_repr.get('observable')
producer_dict = dict_repr.get('producer')
description_dict = dict_repr.get('description')
indicator_type_list = dict_repr.get('indicator_types', [])
confidence_dict = dict_repr.get('confidence')
alternative_id_dict = dict_repr.get('alternative_id')
valid_time_position_dict = dict_repr.get('valid_time_positions')
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.indicated_ttps = [RelatedTTP.from_dict(x) for x in dict_repr.get('indicated_ttps', [])]
return_obj.test_mechanisms = [_BaseTestMechanism.from_dict(x) for x in dict_repr.get('test_mechanisms', [])]
return_obj.suggested_coas = SuggestedCOAs.from_dict(dict_repr.get('suggested_coas'))
return_obj.sightings = Sightings.from_dict(dict_repr.get('sightings'))
return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_dict(dict_repr.get('composite_indicator_expression'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.kill_chain_phases = KillChainPhasesReference.from_dict(dict_repr.get('kill_chain_phases'))
return_obj.related_indicators = RelatedIndicators.from_dict(dict_repr.get('related_indicators'))
return_obj.likely_impact = Statement.from_dict(dict_repr.get('likely_impact'))
if observable_dict:
return_obj.add_observable(Observable.from_dict(observable_dict))
if producer_dict:
return_obj.producer = InformationSource.from_dict(producer_dict)
if description_dict:
return_obj.description = StructuredText.from_dict(description_dict)
for indicator_type_dict in indicator_type_list:
return_obj.add_indicator_type(VocabString.from_dict(indicator_type_dict))
if confidence_dict:
return_obj.confidence = Confidence.from_dict(confidence_dict)
if alternative_id_dict:
return_obj.alternative_id = alternative_id_dict
if valid_time_position_dict:
for valid_time_position_type_dict in valid_time_position_dict:
return_obj.add_valid_time_position(ValidTime.from_dict(valid_time_position_type_dict))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.version = obj.get_version() if obj.get_version(
) else cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(
obj.get_Description())
return_obj.short_description = StructuredText.from_obj(
obj.get_Short_Description())
return_obj.identity = Identity.from_obj(obj.get_Identity())
return_obj.types = [Statement.from_obj(x) for x in obj.get_Type()]
return_obj.motivations = [
Statement.from_obj(x) for x in obj.get_Motivation()
]
return_obj.sophistications = [
Statement.from_obj(x) for x in obj.get_Sophistication()
]
return_obj.intended_effects = [
Statement.from_obj(x) for x in obj.get_Intended_Effect()
]
return_obj.planning_and_operational_supports = [
Statement.from_obj(x)
for x in obj.get_Planning_And_Operational_Support()
]
return_obj.observed_ttps = ObservedTTPs.from_obj(
obj.get_Observed_TTPs())
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(
obj.get_Associated_Campaigns())
return_obj.associated_actors = AssociatedActors.from_obj(
obj.get_Associated_Actors())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.information_source = InformationSource.from_obj(
obj.get_Information_Source())
return_obj.related_packages = RelatedPackageRefs.from_obj(
obj.get_Related_Packages())
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class):
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
return_obj.producer = InformationSource.from_obj(obj.get_Producer())
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.sightings = Sightings.from_obj(obj.get_Sightings())
return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_obj(obj.get_Composite_Indicator_Expression())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.kill_chain_phases = KillChainPhasesReference.from_obj(obj.get_Kill_Chain_Phases())
return_obj.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
return_obj.likely_impact = Statement.from_obj(obj.get_Likely_Impact())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Type():
for indicator_type in obj.get_Type():
return_obj.add_indicator_type(VocabString.from_obj(indicator_type))
if obj.get_Observable():
observable_obj = obj.get_Observable()
observable = Observable.from_obj(observable_obj)
return_obj.observables.append(observable)
if obj.get_Indicated_TTP():
return_obj.indicated_ttps = [RelatedTTP.from_obj(x) for x in obj.get_Indicated_TTP()]
if obj.get_Test_Mechanisms():
return_obj.test_mechanisms = [_BaseTestMechanism.from_obj(x) for x in obj.get_Test_Mechanisms().get_Test_Mechanism()]
if obj.get_Suggested_COAs():
return_obj.suggested_coas = SuggestedCOAs.from_obj(obj.get_Suggested_COAs())
if obj.get_Alternative_ID():
return_obj.alternative_id = obj.get_Alternative_ID()
if obj.get_Valid_Time_Position():
return_obj.valid_time_positions = [ValidTime.from_obj(x) for x in obj.get_Valid_Time_Position()]
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(
obj.Short_Description)
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.types = [Statement.from_obj(x) for x in obj.Type]
return_obj.motivations = [
Statement.from_obj(x) for x in obj.Motivation
]
return_obj.sophistications = [
Statement.from_obj(x) for x in obj.Sophistication
]
return_obj.intended_effects = [
Statement.from_obj(x) for x in obj.Intended_Effect
]
return_obj.planning_and_operational_supports = [
Statement.from_obj(x)
for x in obj.Planning_And_Operational_Support
]
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(
obj.Associated_Campaigns)
return_obj.associated_actors = AssociatedActors.from_obj(
obj.Associated_Actors)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.information_source = InformationSource.from_obj(
obj.Information_Source)
return_obj.related_packages = RelatedPackageRefs.from_obj(
obj.Related_Packages)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.title = dict_repr.get('title')
return_obj.description = \
StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = \
StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.names = Names.from_dict(dict_repr.get('names'))
return_obj.intended_effects = \
[Statement.from_dict(x) for x in dict_repr.get('intended_effects', [])]
return_obj.status = VocabString.from_dict(dict_repr.get('status'))
return_obj.related_ttps = \
RelatedTTPs.from_dict(dict_repr.get('related_ttps'))
return_obj.related_incidents = \
RelatedIncidents.from_dict(dict_repr.get('related_incidents'))
return_obj.related_indicators = \
RelatedIndicators.from_dict(dict_repr.get('related_indicators'))
return_obj.attribution = \
[Attribution.from_dict(x) for x in
dict_repr.get('attribution', [])]
return_obj.associated_campaigns = \
AssociatedCampaigns.from_dict(dict_repr.get('associated_campaigns'))
return_obj.confidence = \
Confidence.from_dict(dict_repr.get('confidence'))
return_obj.activity = \
[Activity.from_dict(x) for x in dict_repr.get('activity', [])]
return_obj.information_source = \
InformationSource.from_dict(dict_repr.get('information_source'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.related_packages = \
RelatedPackageRefs.from_dict(dict_repr.get('related_packages'))
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.title = dict_repr.get('title')
return_obj.description = \
StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = \
StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.names = Names.from_dict(dict_repr.get('names'))
return_obj.intended_effect = \
[Statement.from_dict(x) for x in dict_repr.get('intended_effect', [])]
return_obj.status = VocabString.from_dict(dict_repr.get('status'))
return_obj.related_ttps = \
RelatedTTPs.from_dict(dict_repr.get('related_ttps'))
return_obj.related_incidents = \
RelatedIncidents.from_dict(dict_repr.get('related_incidents'))
return_obj.related_indicators = \
RelatedIndicators.from_dict(dict_repr.get('related_indicators'))
return_obj.attribution = \
[Attribution.from_dict(x) for x in
dict_repr.get('attribution', [])]
return_obj.associated_campaigns = \
AssociatedCampaigns.from_dict(dict_repr.get('associated_campaigns'))
return_obj.confidence = \
Confidence.from_dict(dict_repr.get('confidence'))
return_obj.activity = \
[Activity.from_dict(x) for x in dict_repr.get('activity', [])]
return_obj.information_source = \
InformationSource.from_dict(dict_repr.get('information_source'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.related_packages = \
RelatedPackageRefs.from_dict(dict_repr.get('related_packages'))
return return_obj
def main():
fileIn = open('tor_exit_node_list.txt', 'r')
fileOut = open('coa_tor.xml', 'w')
#print("List of Tor Exit nodes as of 5/4/2018")
ip_addr_list = []
for line in fileIn:
ip_addr = re.search(
'(([2][5][0-5]\.)|([2][0-4][0-9]\.)|([0-1]?[0-9]?[0-9]\.)){3}(([2][5][0-5])|([2][0-4][0-9])|([0-1]?[0-9]?[0-9]))',
line)
if ip_addr:
ip_addr_list.append(ip_addr)
#print(" ", ip_addr.group(0))
pkg = STIXPackage()
coa = CourseOfAction()
coa.title = "Block traffic to Tor exit nodes"
coa.stage = "Response"
coa.type_ = "Perimeter Blocking"
obj = Objective()
obj.description = "Block communication to Tor exit nodes"
obj.applicability_confidence = Confidence("High")
i = 0
observables_list = []
for ip_addr in ip_addr_list:
addr = Address(address_value=ip_addr.group(0),
category=Address.CAT_IPV4)
observables_list.append(addr)
print(i)
i = i + 1
coa.parameter_observables = Observables(observables_list)
pkg.add_course_of_action(coa)
fileOut.write(pkg.to_xml(encoding=None))
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class):
return_obj.version = obj.get_version() or cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(
obj.get_Description())
return_obj.short_description = \
StructuredText.from_obj(obj.get_Short_Description())
return_obj.names = Names.from_obj(obj.get_Names())
return_obj.intended_effects = \
[Statement.from_obj(x) for x in obj.get_Intended_Effect()]
return_obj.status = VocabString.from_obj(obj.get_Status())
return_obj.related_ttps = RelatedTTPs.from_obj(
obj.get_Related_TTPs())
return_obj.related_incidents = \
RelatedIncidents.from_obj(obj.get_Related_Incidents())
return_obj.related_indicators = \
RelatedIndicators.from_obj(obj.get_Related_Indicators())
return_obj.attribution = \
[Attribution.from_obj(x) for x in obj.get_Attribution()]
return_obj.associated_campaigns = \
AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.activity = \
[Activity.from_obj(x) for x in obj.get_Activity()]
return_obj.information_source = \
InformationSource.from_obj(obj.get_Information_Source())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.get_Related_Packages())
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.title = dict_repr.get('title')
return_obj.version = dict_repr.get('version', cls._version)
observable_dict = dict_repr.get('observable')
producer_dict = dict_repr.get('producer')
description_dict = dict_repr.get('description')
indicator_type_list = dict_repr.get('indicator_types')
confidence_dict = dict_repr.get('confidence')
alternative_id_dict = dict_repr.get('alternative_id')
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.indicated_ttps = [RelatedTTP.from_dict(x) for x in dict_repr.get('indicated_ttps', [])]
return_obj.test_mechanisms = [_BaseTestMechanism.from_dict(x) for x in dict_repr.get('test_mechanisms', [])]
return_obj.suggested_coas = SuggestedCOAs.from_dict(dict_repr.get('suggested_coas'))
return_obj.sightings = Sightings.from_dict(dict_repr.get('sightings'))
return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_dict(dict_repr.get('composite_indicator_expression'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
if observable_dict:
return_obj.add_observable(Observable.from_dict(observable_dict))
if producer_dict:
return_obj.producer = InformationSource.from_dict(producer_dict)
if description_dict:
return_obj.description = StructuredText.from_dict(description_dict)
if indicator_type_list:
for indicator_type_dict in indicator_type_list:
return_obj.add_indicator_type(IndicatorType.from_dict(indicator_type_dict))
if confidence_dict:
return_obj.confidence = Confidence.from_dict(confidence_dict)
if alternative_id_dict:
return_obj.alternative_id = alternative_id_dict
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class):
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = \
StructuredText.from_obj(obj.Short_Description)
return_obj.names = Names.from_obj(obj.Names)
return_obj.intended_effects = \
[Statement.from_obj(x) for x in obj.Intended_Effect]
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.related_ttps = RelatedTTPs.from_obj(obj.Related_TTPs)
return_obj.related_incidents = \
RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.related_indicators = \
RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.attribution = \
[Attribution.from_obj(x) for x in obj.Attribution]
return_obj.associated_campaigns = \
AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.activity = \
[Activity.from_obj(x) for x in obj.Activity]
return_obj.information_source = \
InformationSource.from_obj(obj.Information_Source)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class):
return_obj.version = obj.get_version() or cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = \
StructuredText.from_obj(obj.get_Short_Description())
return_obj.names = Names.from_obj(obj.get_Names())
return_obj.intended_effect = \
[Statement.from_obj(x) for x in obj.get_Intended_Effect()]
return_obj.status = VocabString.from_obj(obj.get_Status())
return_obj.related_ttps = RelatedTTPs.from_obj(obj.get_Related_TTPs())
return_obj.related_incidents = \
RelatedIncidents.from_obj(obj.get_Related_Incidents())
return_obj.related_indicators = \
RelatedIndicators.from_obj(obj.get_Related_Indicators())
return_obj.attribution = \
[Attribution.from_obj(x) for x in obj.get_Attribution()]
return_obj.associated_campaigns = \
AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.activity = \
[Activity.from_obj(x) for x in obj.get_Activity()]
return_obj.information_source = \
InformationSource.from_obj(obj.get_Information_Source())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.related_packages = \
RelatedPackageRefs.from_obj(obj.get_Related_Packages())
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(ThreatActor, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.types = _Types.from_obj(obj.Type)
return_obj.motivations = _Motivations.from_obj(obj.Motivation)
return_obj.sophistications = _Sophistications.from_obj(obj.Sophistication)
return_obj.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
return_obj.planning_and_operational_supports = \
_PlanningAndOperationalSupports.from_obj(obj.Planning_And_Operational_Support)
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
return_obj.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(Campaign, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get # PEP 8 line lengths
return_obj.names = Names.from_dict(get("names"))
return_obj.intended_effects = _IntendedEffects.from_dict(get("intended_effects"))
return_obj.status = VocabString.from_dict(get("status"))
return_obj.related_ttps = RelatedTTPs.from_dict(get("related_ttps"))
return_obj.related_incidents = RelatedIncidents.from_dict(get("related_incidents"))
return_obj.related_indicators = RelatedIndicators.from_dict(get("related_indicators"))
return_obj.attribution = _AttributionList.from_list(get("attribution"))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(get("associated_campaigns"))
return_obj.confidence = Confidence.from_dict(get("confidence"))
return_obj.activity = _Activities.from_dict(get("activity"))
return_obj.related_packages = RelatedPackageRefs.from_dict(get("related_packages"))
return return_obj
