class IndirectImpactSummary(stix.Entity):
_namespace = "http://stix.mitre.org/Incident-1"
_binding = incident_binding
_binding_class = incident_binding.IndirectImpactSummaryType
loss_of_competitive_advantage = vocabs.VocabField("Loss_Of_Competitive_Advantage", vocabs.SecurityCompromise)
brand_and_market_damage = vocabs.VocabField("Brand_And_Market_Damage", vocabs.SecurityCompromise)
increased_operating_costs = vocabs.VocabField("Increased_Operating_Costs", vocabs.SecurityCompromise)
legal_and_regulatory_costs = vocabs.VocabField("Legal_And_Regulatory_Costs", vocabs.SecurityCompromise)
def __init__(self):
super(IndirectImpactSummary, self).__init__()
class PropertyAffected(stix.Entity):
_namespace = "http://stix.mitre.org/Incident-1"
_binding = incident_binding
_binding_class = incident_binding.PropertyAffectedType
property_ = vocabs.VocabField("Property",
vocabs.LossProperty,
key_name="property")
descriptions_of_effect = fields.TypedField("Description_Of_Effect",
StructuredTextList)
type_of_availability_loss = vocabs.VocabField("Type_Of_Availability_Loss",
vocabs.AvailabilityLossType)
duration_of_availability_loss = vocabs.VocabField(
"Duration_Of_Availability_Loss", vocabs.LossDuration)
non_public_data_compromised = fields.TypedField(
"Non_Public_Data_Compromised", NonPublicDataCompromised)
def __init__(self):
super(PropertyAffected, self).__init__()
self.descriptions_of_effect = StructuredTextList()
@property
def description_of_effect(self):
"""A :class:`.StructuredTextList` object, containing descriptions about
the purpose or intent of this object.
Iterating over this object will yield its contents sorted by their
``ordinality`` value.
Default Value: Empty :class:`.StructuredTextList` object.
Note:
IF this is set to a value that is not an instance of
:class:`.StructuredText`, an effort will ne made to convert it.
If this is set to an iterable, any values contained that are not
an instance of :class:`.StructuredText` will be be converted.
Returns:
An instance of
:class:`.StructuredTextList`
"""
return next(iter(self.descriptions_of_effect), None)
@description_of_effect.setter
def description_of_effect(self, value):
self.descriptions_of_effect = value
class VictimTargeting(stix.Entity):
_binding = ttp_binding
_binding_class = _binding.VictimTargetingType
_namespace = "http://stix.mitre.org/TTP-1"
identity = fields.TypedField("Identity", Identity, factory=IdentityFactory)
targeted_systems = vocabs.VocabField("Targeted_Systems", vocabs.SystemType, multiple=True)
targeted_information = vocabs.VocabField("Targeted_Information", vocabs.InformationType, multiple=True)
targeted_technical_details = fields.TypedField("Targeted_Technical_Details", Observables)
def __init__(self):
super(VictimTargeting, self).__init__()
def add_targeted_system(self, system):
self.targeted_systems.append(system)
def add_targeted_information(self, targeted_information):
self.targeted_information.append(targeted_information)
class ImpactAssessment(stix.Entity):
_namespace = "http://stix.mitre.org/Incident-1"
_binding = incident_binding
_binding_class = incident_binding.ImpactAssessmentType
direct_impact_summary = fields.TypedField("Direct_Impact_Summary",
DirectImpactSummary)
indirect_impact_summary = fields.TypedField("Indirect_Impact_Summary",
IndirectImpactSummary)
total_loss_estimation = fields.TypedField("Total_Loss_Estimation",
TotalLossEstimation)
impact_qualification = vocabs.VocabField("Impact_Qualification",
vocabs.ImpactQualification)
effects = fields.TypedField(
"Effects", type_="stix.incident.impact_assessment.Effects")
def __init__(self):
super(ImpactAssessment, self).__init__()
self.direct_impact_summary = None
self.indirect_impact_summary = None
self.total_loss_estimation = None
self.impact_qualification = None
self.effects = None
class AffectedAsset(stix.Entity):
_namespace = "http://stix.mitre.org/Incident-1"
_binding = incident_binding
_binding_class = incident_binding.AffectedAssetType
descriptions = fields.TypedField("Description", StructuredTextList)
business_function_or_roles = fields.TypedField("Business_Function_Or_Role",
StructuredTextList)
ownership_class = vocabs.VocabField("Ownership_Class",
vocabs.OwnershipClass)
management_class = vocabs.VocabField("Management_Class",
vocabs.ManagementClass)
location_class = vocabs.VocabField("Location_Class", vocabs.LocationClass)
# location = fields.TypedField("Location")
nature_of_security_effect = fields.TypedField(
"Nature_Of_Security_Effect",
type_="stix.incident.affected_asset.NatureOfSecurityEffect")
structured_description = fields.TypedField("Structured_Description",
Observables)
type_ = fields.TypedField("Type",
type_="stix.incident.affected_asset.AssetType",
key_name="type")
def __init__(self):
super(AffectedAsset, self).__init__()
self.description = StructuredTextList()
self.business_function_or_role = StructuredTextList()
@property
def description(self):
"""A single description about the contents or purpose of this object.
Default Value: ``None``
Note:
If this object has more than one description set, this will return
the description with the lowest ordinality value.
Returns:
An instance of
:class:`.StructuredText`
"""
return next(iter(self.descriptions), None)
@description.setter
def description(self, value):
self.descriptions = value
def add_description(self, description):
"""Adds a description to the ``descriptions`` collection.
This is the same as calling "foo.descriptions.add(bar)".
"""
self.descriptions.add(description)
@property
def business_function_or_role(self):
return next(iter(self.business_functions_or_roles), None)
@business_function_or_role.setter
def business_function_or_role(self, value):
self.business_functions_or_roles = value
def add_property_affected(self, v):
self.nature_of_security_effect.append(v)
class Incident(stix.BaseCoreComponent):
"""Implementation of the STIX Incident.
Args:
id_ (optional): An identifier. If ``None``, a value will be generated
via ``mixbox.idgen.create_id()``. If set, this will unset the
``idref`` property.
idref (optional): An identifier reference. If set this will unset the
``id_`` property.
timestamp (optional): A timestamp value. Can be an instance of
``datetime.datetime`` or ``str``.
description: A description of the purpose or intent of this object.
short_description: A short description of the intent
or purpose of this object.
title: The title of this object.
"""
_binding = incident_binding
_binding_class = _binding.IncidentType
_namespace = "http://stix.mitre.org/Incident-1"
_version = "1.2"
_ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2")
_ID_PREFIX = 'incident'
status = vocabs.VocabField("Status", vocabs.IncidentStatus)
time = fields.TypedField("Time", Time)
victims = fields.TypedField("Victim", Identity, factory=IdentityFactory, multiple=True, key_name="victims")
attributed_threat_actors = fields.TypedField("Attributed_Threat_Actors", type_="stix.incident.AttributedThreatActors")
related_indicators = fields.TypedField("Related_Indicators", type_="stix.incident.RelatedIndicators")
related_observables = fields.TypedField("Related_Observables", type_="stix.incident.RelatedObservables")
related_incidents = fields.TypedField("Related_Incidents", type_="stix.incident.RelatedIncidents")
related_packages = fields.TypedField("Related_Packages", RelatedPackageRefs)
affected_assets = fields.TypedField("Affected_Assets", type_="stix.incident.AffectedAssets")
categories = fields.TypedField("Categories", type_="stix.incident.IncidentCategories")
intended_effects = StatementField("Intended_Effect", Statement, vocab_type=vocabs.IntendedEffect, multiple=True, key_name="intended_effects")
leveraged_ttps = fields.TypedField("Leveraged_TTPs", type_="stix.incident.LeveragedTTPs")
discovery_methods = vocabs.VocabField("Discovery_Method", vocabs.DiscoveryMethod, multiple=True, key_name="discovery_methods")
reporter = fields.TypedField("Reporter", InformationSource)
responders = fields.TypedField("Responder", InformationSource, multiple=True, key_name="responders")
coordinators = fields.TypedField("Coordinator", InformationSource, multiple=True, key_name="coordinators")
external_ids = fields.TypedField("External_ID", ExternalID, multiple=True, key_name="external_ids")
impact_assessment = fields.TypedField("Impact_Assessment", ImpactAssessment)
security_compromise = vocabs.VocabField("Security_Compromise", vocabs.SecurityCompromise)
confidence = fields.TypedField("Confidence", Confidence)
coa_taken = fields.TypedField("COA_Taken", COATaken, multiple=True)
coa_requested = fields.TypedField("COA_Requested", COARequested, multiple=True)
history = fields.TypedField("History", History)
information_source = fields.TypedField("Information_Source", InformationSource)
url = fields.TypedField("URL")
contacts = fields.TypedField("Contact", InformationSource, multiple=True, key_name="contacts")
def __init__(self, id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None):
super(Incident, self).__init__(
id_=id_,
idref=idref,
timestamp=timestamp,
title=title,
description=description,
short_description=short_description
)
self.related_indicators = RelatedIndicators()
self.related_observables = RelatedObservables()
self.related_incidents = RelatedIncidents()
self.related_packages = RelatedPackageRefs()
self.categories = IncidentCategories()
self.affected_assets = AffectedAssets()
self.leveraged_ttps = LeveragedTTPs()
def add_intended_effect(self, value):
"""Adds a :class:`.Statement` object to the :attr:`intended_effects`
collection.
If `value` is a string, an attempt will be made to convert it into an
instance of :class:`.Statement`.
"""
self.intended_effects.append(value)
def add_leveraged_ttps(self, ttp):
"""Adds a :class:`.RelatedTTP` value to the :attr:`leveraged_ttps`
collection.
"""
self.leveraged_ttps.append(ttp)
def add_victim(self, victim):
"""Adds a :class:`.IdentityType` value to the :attr:`victims`
collection.
"""
self.victims.append(victim)
def add_category(self, category):
"""Adds a :class:`.VocabString` object to the :attr:`categories`
collection.
If `category` is a string, an attempt will be made to convert it into
an instance of :class:`.IncidentCategory`.
"""
self.categories.append(category)
def add_affected_asset(self, v):
"""Adds a :class:`.AffectedAsset` object to the :attr:`affected_assets`
collection.
"""
self.affected_assets.append(v)
def add_discovery_method(self, value):
"""Adds a :class:`.VocabString` object to the :attr:`discovery_methods`
collection.
If `value` is a string, an attempt will be made to convert it to an
instance of :class:`.DiscoveryMethod`.
"""
self.discovery_methods.append(value)
def add_responder(self, value):
"""Adds a :class:`.InformationSource` object to the :attr:`responders`
collection.
"""
self.responders.append(value)
def add_coordinator(self, value):
"""Adds a :class:`.InformationSource` object to the :attr:`coordinators`
collection.
"""
self.coordinators.append(value)
def add_external_id(self, value):
"""Adds a :class:`.ExternalID` object to the :attr:`external_ids`
collection.
"""
self.external_ids.append(value)
def add_coa_taken(self, value):
"""Adds a :class:`.COATaken` object to the :attr:`coas_taken`
collection.
"""
self.coa_taken.append(value)
def add_coa_requested(self, value):
"""Adds a :class:`.COARequested` object to the :attr:`coas_requested`
collection.
"""
self.coa_requested.append(value)
def add_related_indicator(self, value):
"""Adds an Related Indicator to the :attr:`related_indicators` list
property of this :class:`Incident`.
The `indicator` parameter must be an instance of
:class:`.RelatedIndicator` or :class:`Indicator`.
If the `indicator` parameter is ``None``, no item will be added to the
``related_indicators`` list property.
Calling this method is the same as calling ``append()`` on the
``related_indicators`` property.
See Also:
The :class:`RelatedIndicators` documentation.
Note:
If the `indicator` parameter is not an instance of
:class:`.RelatedIndicator` an attempt will be
made to convert it to one.
Args:
indicator: An instance of :class:`Indicator` or
:class:`.RelatedIndicator`.
Raises:
ValueError: If the `indicator` parameter cannot be converted into
an instance of :class:`.RelatedIndicator`
"""
self.related_indicators.append(value)
def add_related_observable(self, value):
"""Adds a Related Observable to the ``related_observables`` list
property of this :class:`Incident`.
The `observable` parameter must be an instance of
:class:`.RelatedObservable` or :class:`Observable`.
If the `observable` parameter is ``None``, no item will be added to the
``related_observables`` list property.
Calling this method is the same as calling ``append()`` on the
``related_observables`` property.
See Also:
The :class:`RelatedObservables` documentation.
Note:
If the `observable` parameter is not an instance of
:class:`.RelatedObservable` an attempt will be
made to convert it to one.
Args:
observable: An instance of :class:`Observable` or
:class:`.RelatedObservable`.
Raises:
ValueError: If the `value` parameter cannot be converted into
an instance of :class:`.RelatedObservable`
"""
self.related_observables.append(value)
def add_related_package(self, value):
self.related_packages.append(value)
def add_related_incidents(self, value):
self.related_incidents.append(value)
class MalwareInstance(stix.Entity):
_binding = ttp_binding
_binding_class = _binding.MalwareInstanceType
_namespace = "http://stix.mitre.org/TTP-1"
_XSI_TYPE = None # defined by subclasses
id_ = fields.IdField("id")
idref = fields.IdrefField("idref")
title = fields.TypedField("Title")
descriptions = fields.TypedField("Description",
type_="stix.common.StructuredTextList")
short_descriptions = fields.TypedField(
"Short_Description", type_="stix.common.StructuredTextList")
names = vocabs.VocabField("Name",
type_=VocabString,
multiple=True,
key_name="names")
types = vocabs.VocabField("Type",
type_=vocabs.MalwareType,
multiple=True,
key_name="types")
def __init__(self,
id_=None,
idref=None,
title=None,
description=None,
short_description=None):
super(MalwareInstance, self).__init__()
self.id_ = id_
self.idref = idref
self.title = title
self.description = StructuredTextList(description)
self.short_description = StructuredTextList(short_description)
@property
def description(self):
"""A single description about the contents or purpose of this object.
Default Value: ``None``
Note:
If this object has more than one description set, this will return
the description with the lowest ordinality value.
Returns:
An instance of :class:`.StructuredText`
"""
if self.descriptions is None:
self.descriptions = StructuredTextList()
return next(iter(self.descriptions), None)
@description.setter
def description(self, value):
self.descriptions = value
def add_description(self, description):
"""Adds a description to the ``descriptions`` collection.
This is the same as calling "foo.descriptions.add(bar)".
"""
self.descriptions.add(description)
@property
def short_description(self):
"""A single short description about the contents or purpose of this
object.
Default Value: ``None``
Note:
If this object has more than one short description set, this will
return the description with the lowest ordinality value.
Returns:
An instance of :class:`.StructuredText`
"""
if self.short_descriptions is None:
self.short_descriptions = []
return next(iter(self.short_descriptions), None)
@short_description.setter
def short_description(self, value):
self.short_descriptions = value
def add_short_description(self, description):
"""Adds a description to the ``short_descriptions`` collection.
This is the same as calling "foo.short_descriptions.add(bar)".
"""
self.short_descriptions.add(description)
def add_name(self, name):
self.names.append(name)
def add_type(self, type_):
self.types.append(type_)
@staticmethod
def lookup_class(xsi_type):
if not xsi_type:
raise ValueError("xsi:type is required")
return stix.lookup_extension(xsi_type)
