def setDates(incident, date, published):
timestamp = getDateFromTimestamp(published)
incident.timestamp = timestamp
incident_time = Time()
incident_time.incident_discovery = convertToStixDate(date)
incident_time.incident_reported = timestamp
incident.time = incident_time
def setDates(incident, date, published):
timestamp=getDateFromTimestamp(published)
incident.timestamp=timestamp
incident_time = Time()
incident_time.incident_discovery = convertToStixDate(date)
incident_time.incident_reported = timestamp
incident.time = incident_time
def set_dates(self, incident, date, published):
timestamp = published
incident.timestamp = timestamp
incident_time = Time()
incident_time.incident_discovery = self.convert_to_stix_date(date)
incident_time.incident_reported = timestamp
incident.time = incident_time
def main():
data = json.load(open("data.json"))
stix_package = STIXPackage(stix_header=STIXHeader(
title=data['title'], package_intents='Incident'))
ttps = {}
for info in data['ips']:
if info['bot'] not in ttps:
ttps[info['bot']] = TTP(title=info['bot'])
stix_package.add_ttp(ttps[info['bot']])
incident = Incident(title=info['ip'])
incident.time = Time()
incident.time.first_malicious_action = info['first_seen']
addr = Address(address_value=info['ip'], category=Address.CAT_IPV4)
observable = Observable(item=addr)
stix_package.add_observable(observable)
related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_),
relationship="Used Malware")
incident.leveraged_ttps.append(related_ttp)
related_observable = RelatedObservable(
Observable(idref=observable.id_))
incident.related_observables.append(related_observable)
stix_package.add_incident(incident)
print(stix_package.to_xml(encoding=None))
def add_timeline_item(timeline_item, incident):
incident_time_item = timeline_item.get('incident')
if not incident_time_item:
error("Required 'incident' item is missing in 'timeline' item, skipping item")
return None
incident_date_time = convert_time_item_to_datetime(incident_time_item)
if not incident_date_time:
return None
complete = 0
time = Time()
time.initial_compromise = incident_date_time
complete += 1
compromise_item = timeline_item.get('compromise')
if compromise_item:
dt = convert_value_unit_to_datetime(compromise_item, incident_date_time, 'compromise')
if dt:
complete += 1
time.first_malicious_action = dt
discovery_item = timeline_item.get('discovery')
containment_item = timeline_item.get('containment')
if discovery_item:
dt = convert_value_unit_to_datetime(discovery_item, incident_date_time, 'discovery')
if dt:
complete += 1
time.incident_discovery = dt
exfiltration_item = timeline_item.get('exfiltration')
if exfiltration_item:
dt = convert_value_unit_to_datetime(exfiltration_item, incident_date_time, 'exfiltration')
if dt:
complete += 1
time.first_data_exfiltration = dt
# according to Kevin Thompson (Verizon), containment starts at discovery. Use others if it isn't available
if containment_item:
if time.incident_discovery:
timePoint = time.incident_discovery
elif time.first_data_exfiltration:
timePoint = time.first_data_exfiltration
warn("the 'containment' item is specified in the 'timeline' item, but the 'discovery' item is missing or not usable. Using the exfiltration datetime")
else:
timePoint = incident_date_time
warn("the 'containment' item is specified in the 'timeline' item, but the 'discovery' and 'exfitration' items are missing or not usable. Using the incident datetime")
dt = convert_value_unit_to_datetime(containment_item, timePoint, 'containment')
if dt:
complete += 1
time.containment_achieved = dt
incident.time = time
if complete > 3:
error("Found a possible good timeline")
campaign.names = names
activity = Activity()
activity.description = 'Foo'
campaign.add_activity(activity)
campaign.add_intended_effect(IntendedEffect('Extortion'))
campaign.status = CampaignStatus('Ongoing')
campaign.confidence = HighMediumLow('Medium')
# Related TTP (basic; by id)
ttp = TTP(title="Malware Variant XYZ")
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
campaign.related_ttps.append(related_ttp)
# Related Incident (basic; by id)
incident = Incident(title='We got hacked')
t = Time()
t.incident_opened = '2018-09-11'
incident.time = t
related_incident = RelatedIncident(Incident(idref=incident.id_))
campaign.related_incidents.append(related_incident)
# Related Indicator (by id)
fake = Faker()
indicator = Indicator()
addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4)
indicator.add_observable(addr2)
related_indicator = RelatedIndicator(Indicator(idref=indicator.id_))
campaign.related_indicators.append(related_indicator)
# Related Threat Actor (by id)
ta = ThreatActor(title='Albino Rhino')
from stix.threat_actor import ThreatActor
from stix.ttp import TTP, Behavior
from stix.ttp.behavior import AttackPattern
from stix.coa import CourseOfAction
fake = Faker()
# Basics
incident = Incident(title='We got hacked')
incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.'
# Dates/Times
t1 = '2018-08-23T14:00:05.470947+00:00'
t2 = '2018-08-22T14:00:05.470947+00:00'
t3 = '2018-08-24T14:00:05.470947+00:00'
t = Time()
t.incident_opened = t1
t.incident_discovery = t1
t.incident_reported = t1
t.first_malicious_action = t2
t.initial_compromise = t2
t.first_data_exfiltration = t2
t.containment_achieved = t3
t.restoration_achieved = t3
t.incident_closed = t3
incident.time = t
# Additional Attributes
incident.add_category('Unauthorized Access')
incident.add_intended_effect('Destruction')
incident.confidence = 'High'
