def main():
    """Print a STIX package holding one course of action that blocks a PIVY C2 address.

    The course of action is a "Perimeter Blocking" response whose objective
    is to cut communication between PIVY agents and the command-and-control
    server; the address to block is attached as a parameter observable.
    The resulting package is written to stdout as XML.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    c2_address = "10.10.10.10"

    # What the blocking is meant to achieve, and how confident we are that
    # it applies to this case.
    objective = Objective()
    objective.description = "Block communication between the PIVY agents and the C2 Server"
    objective.applicability_confidence = Confidence("High")

    # The address to block, carried as a parameter observable so a consumer
    # can act on it directly.
    blocked_address = Address(address_value=c2_address, category=Address.CAT_IPV4)

    course = CourseOfAction()
    course.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    course.stage = "Response"
    course.type_ = "Perimeter Blocking"
    course.objective = objective
    # impact is assigned as a plain string first; the description is then
    # attached to the resulting statement object.
    course.impact = "Low"
    course.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    course.cost = "Low"
    course.efficacy = "High"
    course.parameter_observables = Observables(blocked_address)

    package = STIXPackage()
    package.add_course_of_action(course)
    # encoding=None requests a text string rather than encoded bytes.
    print(package.to_xml(encoding=None))
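def main():
    """Print a STIX package holding one course of action that blocks a PIVY C2 address.

    Builds a "Perimeter Blocking" response whose objective is to cut
    communication between PIVY agents and the command-and-control server,
    attaches the address to block as a parameter observable, and writes the
    package to stdout as XML.
    """
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    # What the blocking is meant to achieve, and how confident we are that
    # it applies here.
    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")
    coa.objective = obj

    # impact is assigned as a plain string first; the description is then
    # attached to the resulting statement object.
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    # The address to block, carried as a parameter observable so a consumer
    # can act on it directly.
    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)

    pkg.add_course_of_action(coa)
    # The print *statement* is Python 2 only; the function form works on both
    # major versions.  encoding=None requests a text string rather than
    # encoded bytes, matching the other main() on this page.
    print(pkg.to_xml(encoding=None))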
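def buildCoa(input_dict):
    """Build a STIX CourseOfAction from a flat dictionary of field values.

    Args:
        input_dict: mapping with the required keys ``'title'`` and
            ``'description'`` and the optional keys ``'stage'``, ``'type'``,
            ``'objective'``, ``'impact'``, ``'cost'``, ``'efficacy'`` and
            ``'informationSource'``.  An optional key that is missing, or
            whose value is falsy (``None``, ``''``), is skipped.

    Returns:
        A ``CourseOfAction`` with the supplied fields set.

    Raises:
        KeyError: if ``'title'`` or ``'description'`` is missing.
    """
    # TODO: incident and confidence are not handled yet (carried over from the
    # original "add incident and confidence" comment).
    coa = CourseOfAction()
    coa.title = input_dict['title']
    coa.description = input_dict['description']

    # Scalar fields are copied straight onto the COA.  The ``type`` key maps to
    # the ``type_`` property (trailing underscore, as in the other examples on
    # this page); assigning ``coa.type`` would set an unrelated attribute that
    # never reaches the serialized output.
    scalar_fields = (
        ('stage', 'stage'),
        ('type', 'type_'),
        ('impact', 'impact'),
        ('cost', 'cost'),
        ('efficacy', 'efficacy'),
    )
    for key, attribute in scalar_fields:
        value = input_dict.get(key)
        if value:
            setattr(coa, attribute, value)

    # These two fields are wrapped in the library's own entity types; the
    # dictionary value is passed as the first positional argument.
    objective = input_dict.get('objective')
    if objective:
        coa.objective = Objective(objective)
    information_source = input_dict.get('informationSource')
    if information_source:
        coa.information_source = InformationSource(information_source)

    return coa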
# Basics: a course of action that blocks traffic to the C2 address in ``ip``
# (``ip`` and ``domain`` are defined before this span).
coa = CourseOfAction(
    title='Block traffic to Malicious C2 Server ({})'.format(ip))
coa.description = 'Maecenas sed diam eget risus varius blandit sit amet non magna.'
coa.short_description = 'Tristique Venenatis Tortor Mollis Vestibulum'

# Objective: what the COA is meant to achieve, with a confidence rating on
# how well it applies to this case.
obj = Objective()
obj.short_description = 'Block traffic'
obj.description = 'Block communication between the infected agents and the C2 Server'
obj.applicability_confidence = Confidence(HighMediumLow('High'))
coa.objective = obj

# Attributes: controlled-vocabulary values rather than bare strings.
coa.stage = COAStage('Response')
coa.type_ = CourseOfActionType('Perimeter Blocking')
coa.impact = HighMediumLow('Medium')
coa.cost = HighMediumLow('Low')
coa.efficacy = HighMediumLow('High')

# Related Observable (by id): the address is wrapped in an Observable and the
# COA references it by idref instead of embedding it.
# NOTE(review): the idref only resolves if ``observable`` is added to the same
# STIXPackage as ``coa`` elsewhere -- nothing in this span does so; confirm.
addr = Address(address_value=ip, category=Address.CAT_IPV4)
observable = Observable(addr)
coa.parameter_observables = Observables(
    observables=Observable(idref=observable.id_))

# Related CoA (basic; by id): same idref pattern for the domain-blocking COA.
# NOTE(review): ``coa2`` is likewise only referenced here, not added to a
# package in this span; confirm it is added by the caller.
coa2 = CourseOfAction(title='Block domain traffic to {}'.format(domain))
related_coa = RelatedCOA(CourseOfAction(idref=coa2.id_))
coa.related_coas.append(related_coa)