activity = Activity()
activity.description = 'Foo'
campaign.add_activity(activity)
campaign.add_intended_effect(IntendedEffect('Extortion'))
campaign.status = CampaignStatus('Ongoing')
campaign.confidence = HighMediumLow('Medium')
# Related TTP (basic; by id)
ttp = TTP(title="Malware Variant XYZ")
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
campaign.related_ttps.append(related_ttp)
# Related Incident (basic; by id)
incident = Incident(title='We got hacked')
t = Time()
t.incident_opened = '2018-09-11'
incident.time = t
related_incident = RelatedIncident(Incident(idref=incident.id_))
campaign.related_incidents.append(related_incident)
# Related Indicator (by id)
fake = Faker()
indicator = Indicator()
addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4)
indicator.add_observable(addr2)
related_indicator = RelatedIndicator(Indicator(idref=indicator.id_))
campaign.related_indicators.append(related_indicator)
# Related Threat Actor (by id)
ta = ThreatActor(title='Albino Rhino')
attrib_ta = Attribution()
from stix.ttp import TTP, Behavior
from stix.ttp.behavior import AttackPattern
from stix.coa import CourseOfAction
fake = Faker()
# Basics
incident = Incident(title='We got hacked')
incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.'
# Dates/Times
t1 = '2018-08-23T14:00:05.470947+00:00'
t2 = '2018-08-22T14:00:05.470947+00:00'
t3 = '2018-08-24T14:00:05.470947+00:00'
t = Time()
t.incident_opened = t1
t.incident_discovery = t1
t.incident_reported = t1
t.first_malicious_action = t2
t.initial_compromise = t2
t.first_data_exfiltration = t2
t.containment_achieved = t3
t.restoration_achieved = t3
t.incident_closed = t3
incident.time = t
# Additional Attributes
incident.add_category('Unauthorized Access')
incident.add_intended_effect('Destruction')
incident.confidence = 'High'
incident.add_discovery_method('NIDS')
