def buildIncident(input_dict):
# add incident and confidence
incident = Incident()
incident.description = input_dict['description']
if input_dict['confidence']:
incident.confidence = input_dict['confidence']
# add incident reporter
incident.reporter = InformationSource()
incident.reporter.description = "Person who reported the incident"
incident.reporter.time = Time()
incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
incident.reporter.identity = Identity()
incident.reporter.identity.name = input_dict['submitter']
# incident time is a complex object with support for a bunch of different "when stuff happened" items
incident.time = incidentTime()
incident.title = "Breach of " + input_dict['organization']
incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
if input_dict['responder']:
incident.responders = input_dict['responder']
if input_dict['coordinator']:
incident.coordinators = input_dict['coordinator']
if input_dict['intent']:
incident.intended_effects = input_dict['intent']
if input_dict['discovery']:
incident.discovery_methods = input_dict['discovery']
if input_dict['status']:
incident.status = input_dict['status']
if input_dict['compromise']:
incident.security_compromise = input_dict['compromise']
# add the impact
impact = ImpactAssessment()
impact.add_effect(input_dict['damage'])
incident.impact_assessment = impact
if input_dict['asset']:
asset = AffectedAsset()
asset.type_ = input_dict['asset']
incident.add_affected_asset (asset)
# add the victim
incident.add_victim (input_dict['organization'])
return incident
def convert_file(ifn, ofn, vcdb):
global cve_info
global targets_item
cve_info = []
targets_item = None
with open(ifn) as json_data:
veris_item = json.load(json_data)
json_data.close()
schema_version_item = veris_item.get("schema_version")
if not schema_version_item:
error("The 'schema_version' item is required")
elif not (schema_version_item == "1.3" or schema_version_item == "1.3.0"):
error("This converter is for VERIS schema version 1.3. This file has schema version " + schema_version_item)
return
pkg = STIXPackage()
action_item = veris_item.get('action')
if not action_item:
error("The 'action' item is required")
else:
add_action_item(action_item, pkg)
add_cve_info(pkg)
actor_item = veris_item.get('actor')
if not actor_item:
error("The 'actor' item is required")
else:
add_actor_item(actor_item, pkg)
incident = Incident()
pkg.add_incident(incident)
asset_item = veris_item.get('asset')
if not asset_item:
error("The 'asset' item is required")
else:
attribute_item = veris_item.get('attribute')
add_asset_item(asset_item, attribute_item, incident)
# added as 1.3
campaign_id_item = veris_item.get('campaign_id')
if campaign_id_item:
add_campaign_item(campaign_id_item, pkg)
confidence_item = veris_item.get('confidence')
if confidence_item:
add_confidence_item(confidence_item, incident)
#control_failure - not found in data
if veris_item.get('control_failure'):
warn("'control_failure' item not handled, yet")
corrective_action_item = veris_item.get('corrective_action')
cost_corrective_action_item = veris_item.get('cost_corrective_action')
if corrective_action_item or cost_corrective_action_item:
add_coa_items(corrective_action_item, cost_corrective_action_item, pkg)
discovery_method_item = veris_item.get('discovery_method')
if not discovery_method_item:
error("The 'discovery_method' item is required")
else:
incident.add_discovery_method(map_discovey_method(discovery_method_item))
discovery_notes_item = veris_item.get('discovery_notes')
if discovery_notes_item:
warn("'discovery_notes' item not handled yet")
impact_item = veris_item.get('impact')
if impact_item:
add_impact_item(impact_item, incident)
incident_id_item = veris_item.get('incident_id')
if not incident_id_item:
error("The 'incident_id' item is required")
else:
external_id = ExternalID()
external_id.value = incident_id_item
external_id.source = "VERIS"
incident.add_external_id(external_id)
notes_item = veris_item.get('notes')
if notes_item:
pkg.stix_header = STIXHeader()
pkg.stix_header.title = "Notes: " + notes_item
# plus item for records from VCDB have some known useful information
if vcdb:
plus_item = veris_item.get('plus')
if plus_item:
add_plus_item(plus_item, incident, pkg)
# removed as of 1.3 - see campaign_id
# related_incidents_item = veris_item.get('related_incidents')
# if related_incidents_item:
# add_related_incidents_item(related_incidents_item, incident)
security_incident_item = veris_item.get('security_incident')
if not security_incident_item:
error("The 'security_incident' item is required")
else:
incident.security_compromise = map_security_incident_item_to_security_compromise(security_incident_item)
reference_item = veris_item.get('reference')
source_id_item = veris_item.get('source_id')
if source_id_item or reference_item:
add_information_source_items(reference_item, source_id_item, schema_version_item, incident)
summary_item = veris_item.get('summary')
if summary_item:
incident.title = summary_item
#targeted_item = veris_item.get('targeted')
#if targeted_item:
timeline_item = veris_item.get('timeline')
if not timeline_item:
error("The 'timeline' item is required")
else:
add_timeline_item(timeline_item, incident)
victim_item = veris_item.get('victim')
if victim_item:
add_victim_item(victim_item, incident)
add_related(pkg)
if not ofn:
stixXML = sys.stdout
else:
stixXML = open(ofn, 'wb')
stixXML.write(pkg.to_xml())
stixXML.close()