Merge pull request #32 from os-threat/incident

Incident
os-threat · Aug 23, 2023 · 4e7df5d · 4e7df5d
2 parents 6556788 + f6de2ca
commit 4e7df5d
Show file tree

Hide file tree

Showing 22 changed files with 145 additions and 48 deletions.
diff --git a/stixorm/module/authorise.py b/stixorm/module/authorise.py
@@ -8,6 +8,7 @@
 from stixorm.module.typedb_lib.factories.process_map_factory import ProcessMapFactory
 
 logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
 
 
 

diff --git a/stixorm/module/definitions/os_threat/classes.py b/stixorm/module/definitions/os_threat/classes.py
@@ -348,20 +348,20 @@ class IncidentCoreExt(_Extension):
 
     _type = 'extension-definition--ef765651-680c-498d-9894-99799f2fa126'
     _properties = OrderedDict([
-        ('determination', StringProperty()),
         ('extension_type', StringProperty(fixed='property-extension')),
         ('investigation_status', StringProperty()),
-        ('criticality', IntegerProperty(min=0)),
         ('blocked', BooleanProperty()),
         ('malicious', BooleanProperty()),
+        ('criticality', IntegerProperty(min=0)),
+        ('determination', StringProperty()),
+        ('incident_types', ListProperty(StringProperty)),
         ('impacted_entity_counts', EmbeddedObjectProperty(type=EntityCountObject)),
         ('recoverability', ListProperty(StringProperty)),
-        ('scores', EmbeddedObjectProperty(type=IncidentScoreObject)),
-        ('incident_types', ListProperty(StringProperty)),
+        ('scores', ListProperty(EmbeddedObjectProperty(type=IncidentScoreObject))),
         ('task_refs', ListProperty(ThreatReference(valid_types='task'))),
         ('event_refs', ListProperty(ThreatReference(valid_types='event'))),
         ('impact_refs', ListProperty(ThreatReference(valid_types='impact'))),
-        ('notes_refs', ListProperty(ThreatReference(valid_types='notes'))),
+        ('notes_refs', ListProperty(ThreatReference(valid_types='note'))),
         ('evidence_refs', ListProperty(ThreatReference(valid_types='evidence'))),
     ])
 
@@ -393,7 +393,7 @@ class Task(_DomainObject):
         ('created', TimestampProperty(default=lambda: NOW, precision='millisecond', precision_constraint='min')),
         ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond', precision_constraint='min')),
         ('changed_objects', ListProperty(EmbeddedObjectProperty(type=StateChangeObject))),
-        ('task_type', StringProperty()),
+        ('task_types', ListProperty(StringProperty)),
         ('step_type', StringProperty()),
         ('outcome', StringProperty()),
         ('description', StringProperty()),
@@ -416,7 +416,7 @@ class Task(_DomainObject):
         ('external_references', ListProperty(ExternalReference)),
         ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
         ('granular_markings', ListProperty(GranularMarking)),
-        ('extensions', ExtensionsProperty(spec_version='2.1')),
+        ('extensions', ThreatExtensionsProperty(spec_version='2.1')),
     ])
 
 
@@ -452,12 +452,13 @@ class Evidence(_DomainObject):
         ('evidence_type', StringProperty()),
         ('source', StringProperty()),
         ('object_refs', ListProperty(ThreatReference(valid_types=valid_obj, spec_version='2.1'))),
+        ('evidence_refs', ListProperty(ThreatReference(valid_types=valid_obj, spec_version='2.1'))),
         ('labels', ListProperty(StringProperty)),
         ('confidence', IntegerProperty()),
         ('lang', StringProperty()),
         ('external_references', ListProperty(ExternalReference)),
         ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
         ('granular_markings', ListProperty(GranularMarking)),
-        ('extensions', ExtensionsProperty(spec_version='2.1')),
+        ('extensions', ThreatExtensionsProperty(spec_version='2.1')),
     ])
 
diff --git a/stixorm/module/definitions/os_threat/data/evidence.json b/stixorm/module/definitions/os_threat/data/evidence.json
@@ -3,5 +3,6 @@
   "description": "description",
   "evidence_type": "evidence-type",
   "source": "source",
-  "object_refs": ""
+  "object_refs": "",
+  "evidence_refs": ""
 }
diff --git a/stixorm/module/definitions/os_threat/data/task.json b/stixorm/module/definitions/os_threat/data/task.json
@@ -1,6 +1,6 @@
 {
   "changed_objects": "",
-  "task_type": "task-type",
+  "task_types": "task-types",
   "step_type": "step-type",
   "outcome": "outcome",
   "description": "description",

diff --git a/stixorm/module/definitions/os_threat/schema/cti-os-threat.tql b/stixorm/module/definitions/os_threat/schema/cti-os-threat.tql
@@ -89,7 +89,7 @@ define
     task sub stix-domain-object, abstract,
         owns step-type,
         owns outcome,
-        owns task-type,
+        owns task-types,
         owns description,
         owns name,
         owns end-time,
@@ -557,7 +557,7 @@ define
     evidence-type sub stix-attribute-string;
     source sub stix-attribute-string;
     outcome sub stix-attribute-string;
-    task-type sub stix-attribute-string;
+    task-types sub stix-attribute-string;
     step-type sub stix-attribute-string;
     error sub stix-attribute-string;
     determination sub stix-attribute-string;

diff --git a/...2074a052-8be4-4932-849e-f5e7798e0030.json → ...s_threat/sub_objects/event-extension.json b/...2074a052-8be4-4932-849e-f5e7798e0030.json → ...s_threat/sub_objects/event-extension.json
diff --git a/...4ca6de00-5b0d-45ef-a1dc-ea7279ea910e.json → ...hreat/sub_objects/evidence-extension.json b/...4ca6de00-5b0d-45ef-a1dc-ea7279ea910e.json → ...hreat/sub_objects/evidence-extension.json
diff --git a/...7cc33dd6-f6a1-489b-98ea-522d351d71b9.json → ..._threat/sub_objects/impact-extension.json b/...7cc33dd6-f6a1-489b-98ea-522d351d71b9.json → ..._threat/sub_objects/impact-extension.json
diff --git a/...ef765651-680c-498d-9894-99799f2fa126.json → ...s/os_threat/sub_objects/incident-ext.json b/...ef765651-680c-498d-9894-99799f2fa126.json → ...s/os_threat/sub_objects/incident-ext.json
diff --git a/...reat/sub_objects/state-change-object.json → ...s/os_threat/sub_objects/state-change.json b/...reat/sub_objects/state-change-object.json → ...s/os_threat/sub_objects/state-change.json
diff --git a/...7ff5b5a5-a342-417e-9c0d-339561d9d78a.json → ...os_threat/sub_objects/task-extension.json b/...7ff5b5a5-a342-417e-9c0d-339561d9d78a.json → ...os_threat/sub_objects/task-extension.json
diff --git a/stixorm/module/definitions/stix21/__init__.py b/stixorm/module/definitions/stix21/__init__.py
@@ -21,7 +21,7 @@
 import os
 from pathlib import Path
 from stixorm.module.definitions.stix21.classes import (
-    Note, ObservedData, Incident, Report
+    Note, ObservedData, Incident, Report, Relationship
 )
 from stix2.v21.sdo import (
     AttackPattern, Campaign, CourseOfAction, CustomObject, Grouping, Identity,
@@ -39,7 +39,7 @@
     WindowsProcessExt, WindowsRegistryKey, WindowsRegistryValueType,
     WindowsServiceExt, X509Certificate, X509V3ExtensionsType,
 )
-from stix2.v21.sro import Relationship, Sighting
+from stix2.v21.sro import Sighting
 from stix2.v21.common import MarkingDefinition
 
 name = "stix21"

diff --git a/stixorm/module/definitions/stix21/classes.py b/stixorm/module/definitions/stix21/classes.py
@@ -144,7 +144,10 @@ class Incident(_DomainObject):
         ('extensions', ThreatExtensionsProperty(spec_version='2.1')),
     ])
 
+
 valid_obj =  get_mapping_factory_instance().get_all_types()
+
+
 class Report(_DomainObject):
     """For more detailed information on this object's properties, see
     `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_n8bjzg1ysgdq>`__.
@@ -171,4 +174,60 @@ class Report(_DomainObject):
         ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
         ('granular_markings', ListProperty(GranularMarking)),
         ('extensions', ExtensionsProperty(spec_version='2.1')),
-    ])
+    ])
+
+class Relationship(_RelationshipObject):
+    """For more detailed information on this object's properties, see
+    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_e2e1szrqfoan>`__.
+    """
+
+    _invalid_source_target_types = ['bundle', 'language-content', 'marking-definition', 'relationship', 'sighting']
+
+    _type = 'relationship'
+    _properties = OrderedDict([
+        ('type', TypeProperty(_type, spec_version='2.1')),
+        ('spec_version', StringProperty(fixed='2.1')),
+        ('id', IDProperty(_type, spec_version='2.1')),
+        ('created_by_ref', ReferenceProperty(valid_types='identity', spec_version='2.1')),
+        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond', precision_constraint='min')),
+        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond', precision_constraint='min')),
+        ('relationship_type', StringProperty(required=True)),
+        ('description', StringProperty()),
+        ('source_ref', ThreatReference(valid_types=valid_obj, spec_version='2.1', required=True)),
+        ('target_ref', ThreatReference(valid_types=valid_obj, spec_version='2.1', required=True)),
+        ('start_time', TimestampProperty()),
+        ('stop_time', TimestampProperty()),
+        ('revoked', BooleanProperty(default=lambda: False)),
+        ('labels', ListProperty(StringProperty)),
+        ('confidence', IntegerProperty()),
+        ('lang', StringProperty()),
+        ('external_references', ListProperty(ExternalReference)),
+        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
+        ('granular_markings', ListProperty(GranularMarking)),
+        ('extensions', ExtensionsProperty(spec_version='2.1')),
+    ])
+
+    # Explicitly define the first three kwargs to make readable Relationship declarations.
+    # def __init__(
+    #     self, source_ref=None, relationship_type=None,
+    #     target_ref=None, **kwargs
+    # ):
+    #     # Allow (source_ref, relationship_type, target_ref) as positional args.
+    #     if source_ref and not kwargs.get('source_ref'):
+    #         kwargs['source_ref'] = source_ref
+    #     if relationship_type and not kwargs.get('relationship_type'):
+    #         kwargs['relationship_type'] = relationship_type
+    #     if target_ref and not kwargs.get('target_ref'):
+    #         kwargs['target_ref'] = target_ref
+    #
+    #     super(Relationship, self).__init__(**kwargs)
+
+    def _check_object_constraints(self):
+        super(self.__class__, self)._check_object_constraints()
+
+        start_time = self.get('start_time')
+        stop_time = self.get('stop_time')
+
+        if start_time and stop_time and stop_time <= start_time:
+            msg = "{0.id} 'stop_time' must be later than 'start_time'"
+            raise ValueError(msg.format(self))
diff --git a/stixorm/module/initialise.py b/stixorm/module/initialise.py
@@ -24,6 +24,7 @@
 import logging
 
 logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
 
 attack_raw = "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/index.json"
 

diff --git a/stixorm/module/orm/import_objects.py b/stixorm/module/orm/import_objects.py
@@ -11,7 +11,7 @@
 
 from stixorm.module.typedb_lib.factories.auth_factory import get_auth_factory_instance
 logger = logging.getLogger(__name__)
-
+logger.setLevel(logging.INFO)
 
 
 marking =["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",

diff --git a/stixorm/module/orm/import_utilities.py b/stixorm/module/orm/import_utilities.py
@@ -12,7 +12,7 @@
 
 stix_models = get_definition_factory_instance().lookup_definition(DefinitionName.STIX_21)
 logger = logging.getLogger(__name__)
-
+logger.setLevel(logging.DEBUG)
 
 # ---------------------------------------------------
 # 1.5) Sub Object Methods for adding common standard properties

diff --git a/stixorm/module/parsing/conversion_decisions.py b/stixorm/module/parsing/conversion_decisions.py
@@ -12,6 +12,7 @@
 
 logger = logging.getLogger(__name__)
 default_import_type = import_type_factory.get_default_import()
+logger.setLevel(logging.INFO)
 
 
 attack_model = get_definition_factory_instance().lookup_definition(DefinitionName.ATTACK)

diff --git a/stixorm/module/parsing/parse_objects.py b/stixorm/module/parsing/parse_objects.py
@@ -12,6 +12,7 @@
 
 logger = logging.getLogger(__name__)
 default_import_type = import_type_factory.get_default_import()
+logger.setLevel(logging.DEBUG)
 
 
 def parse(data: dict, allow_custom=False, import_type: ImportType=default_import_type):

diff --git a/stixorm/module/typedb.py b/stixorm/module/typedb.py
@@ -31,6 +31,11 @@
 # logging.basicConfig(level=logging.INFO, format='[%(asctime)s] %(levelname)s [%(name)s:%(lineno)s] %(message)s')
 
 logger = logging.getLogger(__name__)
+logging.basicConfig(filename="typedb_log.txt",
+                    filemode='a',
+                    format='%(asctime)s,%(msecs)d %(name)s %(levelname)s %(message)s',
+                    datefmt='%H:%M:%S',
+                    level=logging.DEBUG)
 
 
 @dataclass
Original file line number	Diff line number	Diff line change
Expand Up		@@ -8,6 +8,7 @@
		from stixorm.module.typedb_lib.factories.process_map_factory import ProcessMapFactory

		logger = logging.getLogger(__name__)
		logger.setLevel(logging.INFO)



Expand Down