def build(self) -> Bundle:
    """Build the STIX bundle for a YARA rule.

    Objects are appended in dependency order: author and marking
    definitions first, then the SDOs (intrusion sets, malwares,
    indicators), then the relationships and reports that reference them,
    so every ``*_ref`` in the bundle resolves to an object in the same
    bundle.

    Returns:
        Bundle containing the author, the object marking definitions,
        intrusion sets, malwares, the ``uses`` relationships between them,
        indicators, the ``indicates`` relationships, and the reports.
    """
    bundle_objects = [self.author, *self.object_markings]

    def collect(objects):
        # Add a batch to the bundle and hand it back so the caller can
        # wire relationships against it.
        bundle_objects.extend(objects)
        return objects

    intrusion_sets = collect(self._create_intrusion_sets())
    malwares = collect(self._create_malwares())
    uses = collect(self._create_uses_relationships(intrusion_sets, malwares))
    indicators = collect(self._create_indicators())

    # An indicator points at both the actors and the malware it detects.
    indicates = collect(
        self._create_indicates_relationships(indicators, intrusion_sets + malwares)
    )

    # The report references everything except the author and markings.
    object_refs = create_object_refs(
        intrusion_sets,
        malwares,
        uses,
        indicators,
        indicates,
    )
    collect(self._create_reports(object_refs))

    return Bundle(objects=bundle_objects)
def build(self) -> Optional[Bundle]:
    """Build the STIX bundle for an indicator.

    The bundle is assembled in dependency order so that every reference
    resolves within the bundle itself: author and markings, then intrusion
    sets, malwares, targeted sectors and vulnerabilities, then the
    ``uses``/``targets``/``indicates`` relationships, and finally the
    reports that point at all of them. Kill chain phases are built once and
    shared by the malwares and the indicators.

    Returns:
        The assembled Bundle. Despite the ``Optional`` annotation this
        method always returns a Bundle; the annotation is kept for
        compatibility with callers that check for ``None``.
    """
    bundle_objects = [self.author, *self.object_marking_refs]

    def collect(objects):
        # Append a batch to the bundle and return it for later wiring.
        bundle_objects.extend(objects)
        return objects

    intrusion_sets = collect(self._create_intrusion_sets())
    kill_chain_phases = self._create_kill_chain_phases()
    malwares = collect(self._create_malwares(kill_chain_phases))
    uses = collect(self._create_uses_relationships(intrusion_sets, malwares))

    # Both actors and their malware "target" the same sectors.
    sectors = collect(self._create_targeted_sectors())
    intrusion_sets_target_sectors = collect(
        self._create_targets_relationships(intrusion_sets, sectors)
    )
    malwares_target_sectors = collect(
        self._create_targets_relationships(malwares, sectors)
    )

    # Likewise for vulnerabilities.
    vulnerabilities = collect(self._create_vulnerabilities())
    intrusion_sets_target_vulnerabilities = collect(
        self._create_targets_relationships(intrusion_sets, vulnerabilities)
    )
    malwares_target_vulnerabilities = collect(
        self._create_targets_relationships(malwares, vulnerabilities)
    )

    indicators = collect(self._create_indicators(kill_chain_phases))
    indicates = collect(
        self._create_indicates_relationships(indicators, intrusion_sets + malwares)
    )

    # Everything except the author and markings goes into the report refs.
    object_refs = create_object_refs(
        intrusion_sets,
        malwares,
        uses,
        sectors,
        intrusion_sets_target_sectors,
        malwares_target_sectors,
        vulnerabilities,
        intrusion_sets_target_vulnerabilities,
        malwares_target_vulnerabilities,
        indicators,
        indicates,
    )
    collect(self._create_reports(object_refs))

    return Bundle(objects=bundle_objects)
def build(self) -> Bundle:
    """Build the STIX bundle for a report.

    Assembles, in dependency order, the author and markings, the intrusion
    sets and malwares, the targeted sectors, regions and countries, the
    ``uses``/``targets`` relationships among them, and finally a single
    report object whose ``object_refs`` cover all of the above.

    A STIX report must carry at least one object reference. When nothing
    was extracted, a placeholder object is created and referenced so the
    report stays valid (see the HACK note below).

    Returns:
        Bundle containing the author, marking definitions, every created
        SDO/SRO and the report.
    """
    bundle_objects = [self.author, *self.object_markings]

    def collect(objects):
        # Append a batch to the bundle and return it for later wiring.
        bundle_objects.extend(objects)
        return objects

    intrusion_sets = collect(self._create_intrusion_sets())
    malwares = collect(self._create_malwares())
    uses = collect(self._create_uses_relationships(intrusion_sets, malwares))

    sectors = collect(self._create_targeted_sectors())
    intrusion_sets_target_sectors = collect(
        self._create_targets_relationships(intrusion_sets, sectors)
    )
    malwares_target_sectors = collect(
        self._create_targets_relationships(malwares, sectors)
    )

    # Regions and countries come back together; both are bundled, regions
    # first, and each gets its own set of "targets" relationships.
    regions, countries = self._create_targeted_regions_and_countries()
    collect(regions)
    collect(countries)
    intrusion_sets_target_regions = collect(
        self._create_targets_relationships(intrusion_sets, regions)
    )
    intrusion_sets_target_countries = collect(
        self._create_targets_relationships(intrusion_sets, countries)
    )
    malwares_target_regions = collect(
        self._create_targets_relationships(malwares, regions)
    )
    malwares_target_countries = collect(
        self._create_targets_relationships(malwares, countries)
    )

    object_refs = create_object_refs(
        intrusion_sets,
        malwares,
        uses,
        sectors,
        intrusion_sets_target_sectors,
        malwares_target_sectors,
        regions,
        countries,
        intrusion_sets_target_regions,
        intrusion_sets_target_countries,
        malwares_target_regions,
        malwares_target_countries,
    )

    # TODO: Ignore reports without any references or not?
    # HACK: a report must have at least one object reference, so an empty
    # extraction gets a placeholder object. NOTE(review): that placeholder
    # ends up in the downstream knowledge graph like any other object;
    # consumers that count or correlate on report refs should be aware of
    # it.
    if not object_refs:
        placeholder = self._create_dummy_object()
        bundle_objects.append(placeholder)
        object_refs.append(placeholder)

    bundle_objects.append(self._create_report(object_refs))

    return Bundle(objects=bundle_objects)
def build(self) -> Optional[Bundle]:
    """Build the STIX bundle for an indicator and its observable.

    Objects are added in dependency order: author and markings, intrusion
    sets, malwares (sharing one set of kill chain phases with the
    indicator), targeted sectors and vulnerabilities with their
    ``targets`` relationships, then the observation (observable,
    indicator and the ``based-on`` relationship between them), the
    ``indicates`` relationships and finally the reports.

    Returns:
        The assembled Bundle, or ``None`` when no observation could be
        created (neither an indicator nor an observable); that case is
        logged as an error.

    Note:
        The bundle is built with ``allow_custom=True`` because the
        observable carries the custom ``x_opencti_score`` property.
        NOTE(review): with the stix2 library this also stops the bundle
        from rejecting any *other* unexpected property or custom object,
        so unknown fields coming from upstream data are no longer
        validated at this point -- confirm this is acceptable for the
        consumer of the bundle.
    """
    bundle_objects = [self.author, *self.object_markings]

    def collect(objects):
        # Append a batch to the bundle and return it for later wiring.
        bundle_objects.extend(objects)
        return objects

    intrusion_sets = collect(self._create_intrusion_sets())
    kill_chain_phases = self._create_kill_chain_phases()
    malwares = collect(self._create_malwares(kill_chain_phases))
    uses = collect(self._create_uses_relationships(intrusion_sets, malwares))

    sectors = collect(self._create_targeted_sectors())
    intrusion_sets_target_sectors = collect(
        self._create_targets_relationships(intrusion_sets, sectors)
    )
    malwares_target_sectors = collect(
        self._create_targets_relationships(malwares, sectors)
    )

    vulnerabilities = collect(self._create_vulnerabilities())
    intrusion_sets_target_vulnerabilities = collect(
        self._create_targets_relationships(intrusion_sets, vulnerabilities)
    )
    malwares_target_vulnerabilities = collect(
        self._create_targets_relationships(malwares, vulnerabilities)
    )

    # Without an observable or an indicator there is nothing to ship.
    observation = self._create_observation(kill_chain_phases)
    if observation is None:
        logger.error("No indicator nor observable for %s", self.indicator.id)
        return None

    # Each part of the observation is optional; keep them as (possibly
    # empty) lists so they can be passed straight to create_object_refs.
    observables = [observation.observable] if observation.observable is not None else []
    collect(observables)
    indicators = [observation.indicator] if observation.indicator is not None else []
    collect(indicators)
    based_on = [observation.relationship] if observation.relationship is not None else []
    collect(based_on)

    indicates = collect(
        self._create_indicates_relationships(indicators, intrusion_sets + malwares)
    )

    object_refs = create_object_refs(
        intrusion_sets,
        malwares,
        uses,
        sectors,
        intrusion_sets_target_sectors,
        malwares_target_sectors,
        vulnerabilities,
        intrusion_sets_target_vulnerabilities,
        malwares_target_vulnerabilities,
        observables,
        indicators,
        based_on,
        indicates,
    )
    collect(self._create_reports(object_refs))

    # XXX: allow_custom=True is required for the x_opencti_score property on
    # the observable; see the docstring for what else it lets through.
    return Bundle(objects=bundle_objects, allow_custom=True)