def convert_report(r20): r1x = Report(id_=convert_id20(r20["id"]), timestamp=text_type(r20["modified"])) r1x.header = Header() if "name" in r20: r1x.header.title = r20["name"] if "description" in r20: r1x.header.add_description(r20["description"]) intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"], REPORT_LABELS_MAP) for i in intents: r1x.header.add_intent(i) if "published" in r20: add_missing_property_to_description(r1x.header, "published", r20["published"]) for ref in r20["object_refs"]: ref_type = get_type_from_id(ref) ref1x = convert_id20(ref) if ref_type == "attack-pattern": r1x.add_ttp(TTP(idref=ref1x)) elif ref_type == "campaign": r1x.add_campaign(Campaign(idref=ref1x)) elif ref_type == 'course-of-action': r1x.add_course_of_action(CourseOfAction(idref=ref1x)) elif ref_type == "indicator": r1x.add_indicator(Indicator(idref=ref1x)) elif ref_type == "observed-data": r1x.add_observable(Observable(idref=ref1x)) elif ref_type == "malware": r1x.add_ttp(TTP(idref=ref1x)) elif ref_type == "threat-actor": r1x.add_threat_actor(ThreatActor(idref=ref1x)) elif ref_type == "tool": r1x.add_ttp(TTP(idref=ref1x)) elif ref_type == "vulnerability": r1x.add_exploit_target(ExploitTarget(idref=ref1x)) elif ref_type == "identity" or ref_type == "relationship": warn("%s in %s is not explicitly a member of a STIX 1.x report", 703, ref, r20["id"]) elif ref_type == "intrusion-set": warn("%s in %s cannot be represented in STIX 1.x", 612, ref, r20["id"]) else: warn("ref type %s in %s is not known", 0, ref_type, r20["id"]) if "object_marking_refs" in r20: for m_id in r20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(r1x, ms, descendants=True) if "granular_markings" in r20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, r20["id"]) return r1x
def build_stix( input_dict ): # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "TTP " + input_dict['title'] # Add handling requirements if needed if input_dict['marking']: mark = SimpleMarkingStructure() mark.statement = input_dict['marking'] mark_spec = MarkingSpecification() mark_spec.marking_structures.append(mark) stix_header.handling = Marking(mark_spec) stix_package.stix_header = stix_header report = Report() if input_dict['incidents']: for each in input_dict['incidents'].split(','): result = query_db('select * from incidents where id = ?', [each], one=True) report.add_incident(buildIncident(result)) if input_dict['ttps']: for each in input_dict['ttps'].split(','): result = query_db('select * from ttps where id = ?', [each], one=True) report.add_ttp(buildTtp(result)) if input_dict['indicators']: for each in input_dict['indicators'].split(','): result = query_db('select * from indicators where id = ?', [each], one=True) report.add_indicator(buildIndicator(result)) if input_dict['observables']: for each in input_dict['observables'].split(','): result = query_db('select * from observables where id = ?', [each], one=True) report.add_observable(buildObservable(result)) if input_dict['threatActors']: for each in input_dict['threatActors'].split(','): result = query_db('select * from threatActors where id = ?', [each], one=True) report.add_threat_actor(buildThreatActor(result)) if input_dict['targets']: for each in input_dict['targets'].split(','): result = query_db('select * from targets where id = ?', [each], one=True) report.add_exploit_target(buildTarget(result)) if input_dict['coas']: for each in input_dict['coas'].split(','): result = query_db('select * from coas where id = ?', [each], one=True) report.add_course_of_action(buildCoa(result)) if input_dict['campaigns']: for each in input_dict['campaigns'].split(','): result = query_db('select * from campaigns where id = ?', [each], one=True) report.add_campaign(buildCampaign(result)) stix_package.add_report(report) return stix_package
def transform(addsec_data): # # Parse the Addition Security protobuf object, which contains a STIX report representation # as_report = addsec_cti_pb2.Report() as_report.ParseFromString(addsec_data) # # Create a new STIX package & report container # stix_package = STIXPackage() stix_package.stix_header = STIXHeader() stix_package.stix_header.description = "Addition Security Report" stix_report = Report() # # Addition Security includes various identification information re: the entity of the report. # We are going to convert it into three CybOX objects: Product, Device, and Custom # cybox_product = Product() cybox_product.product = "MobileAwareness" cybox_product.vendor = "Addition Security" cybox_device = Device() cybox_device.device_type = "Mobile Device" cybox_custom_sourceapp = Custom() cybox_custom_sourceapp.custom_name = "addsec:sourceApplication" cybox_custom_sourceapp.custom_properties = CustomProperties() p = Property() p.name = "organizationId" p.value = as_report.organizationId.encode( 'hex') # NOTE: this is binary bytes cybox_custom_sourceapp.custom_properties.append(p) p = Property() p.name = "application" p.value = as_report.applicationId # NOTE: bundleId/packageId of hosting app cybox_custom_sourceapp.custom_properties.append(p) p = Property() p.name = "instanceId" p.value = as_report.systemId.encode('hex') # NOTE: this is binary bytes cybox_custom_sourceapp.custom_properties.append(p) stix_report.add_observable(cybox_product) stix_report.add_observable(cybox_device) stix_report.add_observable(cybox_custom_sourceapp) # # Enumerate the Addition Security reported sightings # for as_sighting in as_report.observations: # # Addition Security lets customers transit custom messages over the reporting channel; these # messages show up as a "Customer Message" indicator with string-based payload. Since these # messages are both proprietary in nature and potentially unrelated to STIX, we are going to # filter them out from this processing. # if as_sighting.observationType == 8: continue # 8: CustomerData # # Sightings are used to report device information as well; let's expel device-related # sightings and re-route their data into the CybOX device object (instead of including # as an indicator w/ sighting) # if as_sighting.testId == 1 or as_sighting.testId == 2: # addsec_to_cybox_device(cybox_device, as_sighting) continue # Ditto for reported product information as well if as_sighting.testId == 8: # 8: SDKVersionInfo addsec_to_cybox_product(cybox_product, as_sighting) continue # # Compose a STIX-appropriate indicator value from the Addition Security indicator ID & SubID # indicator_id = "addsec:asma-%d-%d" % (as_sighting.testId, as_sighting.testSubId) stix_indicator = Indicator(id_=indicator_id) stix_indicator.title = addsec_title_lookup(as_sighting.testId, as_sighting.testSubId) # # Create a sighting for this indicator # stix_sighting = Sighting() stix_indicator.sightings = stix_sighting stix_sighting.timestamp = datetime.datetime.fromtimestamp( as_sighting.timestamp) if as_sighting.confidence > 0: stix_sighting.confidence = addsec_to_stix_confidence( as_sighting.confidence) # # Enumerate the observables for this sighting # for as_observable in as_sighting.datas: cybox_obj = addsec_to_cybox(as_observable.dataType, as_observable.data) if not cybox_obj is None: stix_sighting.related_observables.append( RelatedObservable(Observable(cybox_obj))) # # Finally, add this indicator (w/ sightings & related observables) to the top level report # stix_report.add_indicator(stix_indicator) # # Finalize the STIX report and output the XML # stix_package.reports = stix_report return stix_package.to_xml()