def setDates(incident, date, published):
timestamp=getDateFromTimestamp(published)
incident.timestamp=timestamp
incident_time = Time()
incident_time.incident_discovery = convertToStixDate(date)
incident_time.incident_reported = timestamp
incident.time = incident_time
def setDates(incident, date, published):
timestamp = getDateFromTimestamp(published)
incident.timestamp = timestamp
incident_time = Time()
incident_time.incident_discovery = convertToStixDate(date)
incident_time.incident_reported = timestamp
incident.time = incident_time
def set_dates(self, incident, date, published):
timestamp = published
incident.timestamp = timestamp
incident_time = Time()
incident_time.incident_discovery = self.convert_to_stix_date(date)
incident_time.incident_reported = timestamp
incident.time = incident_time
def add_timeline_item(timeline_item, incident):
incident_time_item = timeline_item.get('incident')
if not incident_time_item:
error("Required 'incident' item is missing in 'timeline' item, skipping item")
return None
incident_date_time = convert_time_item_to_datetime(incident_time_item)
if not incident_date_time:
return None
complete = 0
time = Time()
time.initial_compromise = incident_date_time
complete += 1
compromise_item = timeline_item.get('compromise')
if compromise_item:
dt = convert_value_unit_to_datetime(compromise_item, incident_date_time, 'compromise')
if dt:
complete += 1
time.first_malicious_action = dt
discovery_item = timeline_item.get('discovery')
containment_item = timeline_item.get('containment')
if discovery_item:
dt = convert_value_unit_to_datetime(discovery_item, incident_date_time, 'discovery')
if dt:
complete += 1
time.incident_discovery = dt
exfiltration_item = timeline_item.get('exfiltration')
if exfiltration_item:
dt = convert_value_unit_to_datetime(exfiltration_item, incident_date_time, 'exfiltration')
if dt:
complete += 1
time.first_data_exfiltration = dt
# according to Kevin Thompson (Verizon), containment starts at discovery. Use others if it isn't available
if containment_item:
if time.incident_discovery:
timePoint = time.incident_discovery
elif time.first_data_exfiltration:
timePoint = time.first_data_exfiltration
warn("the 'containment' item is specified in the 'timeline' item, but the 'discovery' item is missing or not usable. Using the exfiltration datetime")
else:
timePoint = incident_date_time
warn("the 'containment' item is specified in the 'timeline' item, but the 'discovery' and 'exfitration' items are missing or not usable. Using the incident datetime")
dt = convert_value_unit_to_datetime(containment_item, timePoint, 'containment')
if dt:
complete += 1
time.containment_achieved = dt
incident.time = time
if complete > 3:
error("Found a possible good timeline")
from stix.ttp.behavior import AttackPattern
from stix.coa import CourseOfAction
fake = Faker()
# Basics
incident = Incident(title='We got hacked')
incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.'
# Dates/Times
t1 = '2018-08-23T14:00:05.470947+00:00'
t2 = '2018-08-22T14:00:05.470947+00:00'
t3 = '2018-08-24T14:00:05.470947+00:00'
t = Time()
t.incident_opened = t1
t.incident_discovery = t1
t.incident_reported = t1
t.first_malicious_action = t2
t.initial_compromise = t2
t.first_data_exfiltration = t2
t.containment_achieved = t3
t.restoration_achieved = t3
t.incident_closed = t3
incident.time = t
# Additional Attributes
incident.add_category('Unauthorized Access')
incident.add_intended_effect('Destruction')
incident.confidence = 'High'
incident.add_discovery_method('NIDS')
