From 1b6395f7687ecbc4812261455e8fb7fc9a99fcde Mon Sep 17 00:00:00 2001 
From: BrettForbes Date: Wed, 23 Aug 2023 18:57:13 +1000 Subject: [PATCH 1/2] Finalising the Incident Class Loading --- stixorm/module/authorise.py | 1 + .../module/definitions/os_threat/classes.py | 17 +++--- .../definitions/os_threat/data/evidence.json | 3 +- .../definitions/os_threat/data/task.json | 2 +- .../os_threat/schema/cti-os-threat.tql | 4 +- ...f5e7798e0030.json => event-extension.json} | 0 ...279ea910e.json => evidence-extension.json} | 0 ...22d351d71b9.json => impact-extension.json} | 0 ...94-99799f2fa126.json => incident-ext.json} | 0 ...e-change-object.json => state-change.json} | 0 ...-339561d9d78a.json => task-extension.json} | 0 stixorm/module/definitions/stix21/__init__.py | 4 +- stixorm/module/definitions/stix21/classes.py | 61 ++++++++++++++++++- stixorm/module/initialise.py | 1 + stixorm/module/orm/import_objects.py | 2 +- stixorm/module/orm/import_utilities.py | 2 +- .../module/parsing/conversion_decisions.py | 1 + stixorm/module/parsing/parse_objects.py | 1 + stixorm/module/typedb.py | 5 ++ .../os-threat/incident/human_trigger.json | 45 +++++++------- test/data/os-threat/test/incident.json | 24 ++++++++ try_refactor.py | 14 +++-- 22 files changed, 141 insertions(+), 46 deletions(-) rename stixorm/module/definitions/os_threat/sub_objects/{extension-definition--2074a052-8be4-4932-849e-f5e7798e0030.json => event-extension.json} (100%) rename stixorm/module/definitions/os_threat/sub_objects/{extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e.json => evidence-extension.json} (100%) rename stixorm/module/definitions/os_threat/sub_objects/{extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9.json => impact-extension.json} (100%) rename stixorm/module/definitions/os_threat/sub_objects/{extension-definition--ef765651-680c-498d-9894-99799f2fa126.json => incident-ext.json} (100%) rename stixorm/module/definitions/os_threat/sub_objects/{state-change-object.json => state-change.json} (100%) rename 
stixorm/module/definitions/os_threat/sub_objects/{extension-definition--7ff5b5a5-a342-417e-9c0d-339561d9d78a.json => task-extension.json} (100%) create mode 100644 test/data/os-threat/test/incident.json diff --git a/stixorm/module/authorise.py b/stixorm/module/authorise.py index 4697e77..04970eb 100644 --- a/stixorm/module/authorise.py +++ b/stixorm/module/authorise.py @@ -8,6 +8,7 @@ from stixorm.module.typedb_lib.factories.process_map_factory import ProcessMapFactory logger = logging.getLogger(__name__) +logger.setLevel(logging.INFO) diff --git a/stixorm/module/definitions/os_threat/classes.py b/stixorm/module/definitions/os_threat/classes.py index 7f1d30a..8a2f598 100644 --- a/stixorm/module/definitions/os_threat/classes.py +++ b/stixorm/module/definitions/os_threat/classes.py 
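Review bot: The added `logger.setLevel(logging.INFO)` directly after `logger = logging.getLogger(__name__)` pins a log level inside a library module, overriding whatever level the importing application configured for this logger; the same line is added in initialise.py, import_objects.py and conversion_decisions.py (INFO) and in import_utilities.py and parse_objects.py (DEBUG). The mix of INFO and DEBUG across modules reads like leftover debugging rather than a deliberate policy. Library modules normally leave the level at NOTSET so it inherits from the root logger, and the application sets levels once at startup; dropping the line in each module, or at least marking it with `# NOTE: local debugging only, remove before release`, would make the intent explicit. If the DEBUG level in parse_objects.py is kept, it is worth confirming what those debug calls emit, since the objects being parsed may be written out in full.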
@@ -348,20 +348,20 @@ class IncidentCoreExt(_Extension): _type = 'extension-definition--ef765651-680c-498d-9894-99799f2fa126' _properties = OrderedDict([ - ('determination', StringProperty()), ('extension_type', StringProperty(fixed='property-extension')), ('investigation_status', StringProperty()), - ('criticality', IntegerProperty(min=0)), ('blocked', BooleanProperty()), ('malicious', BooleanProperty()), + ('criticality', IntegerProperty(min=0)), + ('determination', StringProperty()), + ('incident_types', ListProperty(StringProperty)), ('impacted_entity_counts', EmbeddedObjectProperty(type=EntityCountObject)), ('recoverability', ListProperty(StringProperty)), - ('scores', EmbeddedObjectProperty(type=IncidentScoreObject)), - ('incident_types', ListProperty(StringProperty)), + ('scores', ListProperty(EmbeddedObjectProperty(type=IncidentScoreObject))), ('task_refs', ListProperty(ThreatReference(valid_types='task'))), ('event_refs', ListProperty(ThreatReference(valid_types='event'))), ('impact_refs', ListProperty(ThreatReference(valid_types='impact'))), - ('notes_refs', ListProperty(ThreatReference(valid_types='notes'))), + ('notes_refs', ListProperty(ThreatReference(valid_types='note'))), ('evidence_refs', ListProperty(ThreatReference(valid_types='evidence'))), ]) @@ -393,7 +393,7 @@ class Task(_DomainObject): ('created', TimestampProperty(default=lambda: NOW, precision='millisecond', precision_constraint='min')), ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond', precision_constraint='min')), ('changed_objects', ListProperty(EmbeddedObjectProperty(type=StateChangeObject))), - ('task_type', StringProperty()), + ('task_types', ListProperty(StringProperty)), ('step_type', StringProperty()), ('outcome', StringProperty()), ('description', StringProperty()), 
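Review bot: `('criticality', IntegerProperty(min=0))` in the reordered IncidentCoreExt property list bounds the value only from below; if this field is the 0–100 criticality score that the fixture value `"criticality": 80` in human_trigger.json suggests, `IntegerProperty(min=0, max=100)` would reject out-of-range values at parse time instead of letting them reach the database — inferred, since the intended range is not stated anywhere in the diff. The reorder also quietly changes `notes_refs` from `valid_types='notes'` to `'note'` and `scores` from a single embedded object to a list, both of which alter what validates; a short comment on the `scores` line, e.g. `# list: an incident can carry one score per scoring scheme`, would stop a later reader from reverting it as a reorder artefact.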
@@ -416,7 +416,7 @@ class Task(_DomainObject): ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))), ('granular_markings', ListProperty(GranularMarking)), - ('extensions', ExtensionsProperty(spec_version='2.1')), + ('extensions', ThreatExtensionsProperty(spec_version='2.1')), ]) @@ -452,12 +452,13 @@ class Evidence(_DomainObject): ('evidence_type', StringProperty()), ('source', StringProperty()), ('object_refs', ListProperty(ThreatReference(valid_types=valid_obj, spec_version='2.1'))), + ('evidence_refs', ListProperty(ThreatReference(valid_types=valid_obj, spec_version='2.1'))), ('labels', ListProperty(StringProperty)), ('confidence', IntegerProperty()), ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))), ('granular_markings', ListProperty(GranularMarking)), - ('extensions', ExtensionsProperty(spec_version='2.1')), + ('extensions', ThreatExtensionsProperty(spec_version='2.1')), ]) diff --git a/stixorm/module/definitions/os_threat/data/evidence.json b/stixorm/module/definitions/os_threat/data/evidence.json index 1c17739..942c2d4 100644 --- a/stixorm/module/definitions/os_threat/data/evidence.json +++ b/stixorm/module/definitions/os_threat/data/evidence.json @@ -3,5 +3,6 @@ "description": "description", "evidence_type": "evidence-type", "source": "source", - "object_refs": "" + "object_refs": "", + "evidence_refs": "" } \ No newline at end of file diff --git a/stixorm/module/definitions/os_threat/data/task.json b/stixorm/module/definitions/os_threat/data/task.json index 42e5143..be10d10 100644 --- a/stixorm/module/definitions/os_threat/data/task.json +++ b/stixorm/module/definitions/os_threat/data/task.json 
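Review bot: The new `evidence_refs` property on Evidence is validated with `ThreatReference(valid_types=valid_obj, spec_version='2.1')`, the same any-known-type validator as `object_refs`, so the name promises a link to other evidence objects while the validator accepts any object type. The fixture change in human_trigger.json in this commit renames `sources_refs` to `evidence_refs` and points it at an `indicator--…` id, so the field name and the data appear to disagree about what it means. Either narrow it to `ThreatReference(valid_types='evidence', spec_version='2.1')` or add a comment on the property line stating that it may reference any object type and how it differs from `object_refs`. The Evidence class header and its `valid_obj` definition are outside the hunk.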
@@ -1,6 +1,6 @@ { "changed_objects": "", - "task_type": "task-type", + "task_types": "task-types", "step_type": "step-type", "outcome": "outcome", "description": "description", diff --git a/stixorm/module/definitions/os_threat/schema/cti-os-threat.tql b/stixorm/module/definitions/os_threat/schema/cti-os-threat.tql index 780710e..d219d79 100644 --- a/stixorm/module/definitions/os_threat/schema/cti-os-threat.tql +++ b/stixorm/module/definitions/os_threat/schema/cti-os-threat.tql @@ -89,7 +89,7 @@ define task sub stix-domain-object, abstract, owns step-type, owns outcome, - owns task-type, + owns task-types, owns description, owns name, owns end-time, @@ -557,7 +557,7 @@ define evidence-type sub stix-attribute-string; source sub stix-attribute-string; outcome sub stix-attribute-string; - task-type sub stix-attribute-string; + task-types sub stix-attribute-string; step-type sub stix-attribute-string; error sub stix-attribute-string; determination sub stix-attribute-string; diff --git a/stixorm/module/definitions/os_threat/sub_objects/extension-definition--2074a052-8be4-4932-849e-f5e7798e0030.json b/stixorm/module/definitions/os_threat/sub_objects/event-extension.json similarity index 100% rename from stixorm/module/definitions/os_threat/sub_objects/extension-definition--2074a052-8be4-4932-849e-f5e7798e0030.json rename to stixorm/module/definitions/os_threat/sub_objects/event-extension.json diff --git a/stixorm/module/definitions/os_threat/sub_objects/extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e.json b/stixorm/module/definitions/os_threat/sub_objects/evidence-extension.json similarity index 100% rename from stixorm/module/definitions/os_threat/sub_objects/extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e.json rename to stixorm/module/definitions/os_threat/sub_objects/evidence-extension.json 
diff --git a/stixorm/module/definitions/os_threat/sub_objects/extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9.json b/stixorm/module/definitions/os_threat/sub_objects/impact-extension.json
similarity index 100%
rename from stixorm/module/definitions/os_threat/sub_objects/extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9.json
rename to stixorm/module/definitions/os_threat/sub_objects/impact-extension.json
diff --git a/stixorm/module/definitions/os_threat/sub_objects/extension-definition--ef765651-680c-498d-9894-99799f2fa126.json b/stixorm/module/definitions/os_threat/sub_objects/incident-ext.json
similarity index 100%
rename from stixorm/module/definitions/os_threat/sub_objects/extension-definition--ef765651-680c-498d-9894-99799f2fa126.json
rename to stixorm/module/definitions/os_threat/sub_objects/incident-ext.json
diff --git a/stixorm/module/definitions/os_threat/sub_objects/state-change-object.json b/stixorm/module/definitions/os_threat/sub_objects/state-change.json
similarity index 100%
rename from stixorm/module/definitions/os_threat/sub_objects/state-change-object.json
rename to stixorm/module/definitions/os_threat/sub_objects/state-change.json
diff --git a/stixorm/module/definitions/os_threat/sub_objects/extension-definition--7ff5b5a5-a342-417e-9c0d-339561d9d78a.json b/stixorm/module/definitions/os_threat/sub_objects/task-extension.json
similarity index 100%
rename from stixorm/module/definitions/os_threat/sub_objects/extension-definition--7ff5b5a5-a342-417e-9c0d-339561d9d78a.json
rename to stixorm/module/definitions/os_threat/sub_objects/task-extension.json
diff --git a/stixorm/module/definitions/stix21/__init__.py b/stixorm/module/definitions/stix21/__init__.py
index 82e41e6..a8a0e07 100644
--- a/stixorm/module/definitions/stix21/__init__.py
+++ b/stixorm/module/definitions/stix21/__init__.py
@@ -21,7 +21,7 @@ import os from pathlib import Path from stixorm.module.definitions.stix21.classes import ( - Note, ObservedData, Incident, Report + Note, ObservedData, Incident, Report, Relationship ) from stix2.v21.sdo import ( AttackPattern, Campaign, CourseOfAction, CustomObject, Grouping, Identity, @@ -39,7 +39,7 @@ WindowsProcessExt, WindowsRegistryKey, WindowsRegistryValueType, WindowsServiceExt, X509Certificate, X509V3ExtensionsType, ) -from stix2.v21.sro import Relationship, Sighting +from stix2.v21.sro import Sighting from stix2.v21.common import MarkingDefinition name = "stix21" diff --git a/stixorm/module/definitions/stix21/classes.py b/stixorm/module/definitions/stix21/classes.py index 9803160..561bb34 100644 --- a/stixorm/module/definitions/stix21/classes.py +++ b/stixorm/module/definitions/stix21/classes.py @@ -144,7 +144,10 @@ class Incident(_DomainObject): ('extensions', ThreatExtensionsProperty(spec_version='2.1')), ]) + valid_obj = get_mapping_factory_instance().get_all_types() + + class Report(_DomainObject): """For more detailed information on this object's properties, see `the STIX 2.1 specification `__. 
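Review bot: Swapping `from stix2.v21.sro import Relationship, Sighting` for the `Relationship` exported by stixorm's own classes module means two different classes now carry that name in the process, and the local one is a sibling built on `_RelationshipObject` rather than a subclass of the stix2 one. Any code path that still obtains relationships through the upstream stix2 registry will hand back the `stix2.v21.sro` class, so `isinstance` checks against this module's export would not match — inferred, since the registration path is not in the hunk. A one-line comment beside the import, e.g. `# Local Relationship with ThreatReference-validated source/target refs; replaces stix2.v21.sro.Relationship in this package`, would make the substitution deliberate for readers.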
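Review bot: The new module-level `valid_obj = get_mapping_factory_instance().get_all_types()` inserted between the Incident and Report classes runs a factory lookup at import time of stix21/classes.py, so the module can no longer be imported unless the mapping factory is already initialised, and an import-order cycle with the factory would surface as an error at import rather than at the point of use; the import of `get_mapping_factory_instance` is not in the hunk, so I cannot confirm it is present. The lowercase name also reads like a function local rather than a module constant. If it must be computed eagerly, rename it to an upper-case constant and add `# All object types known to the mapping factory; used as valid_types for Relationship source_ref/target_ref below` so its purpose and the import-time cost are visible.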
@@ -171,4 +174,60 @@ class Report(_DomainObject): ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))), ('granular_markings', ListProperty(GranularMarking)), ('extensions', ExtensionsProperty(spec_version='2.1')), - ]) \ No newline at end of file + ]) + +class Relationship(_RelationshipObject): + """For more detailed information on this object's properties, see + `the STIX 2.1 specification `__. + """ + + _invalid_source_target_types = ['bundle', 'language-content', 'marking-definition', 'relationship', 'sighting'] + + _type = 'relationship' + _properties = OrderedDict([ + ('type', TypeProperty(_type, spec_version='2.1')), + ('spec_version', StringProperty(fixed='2.1')), + ('id', IDProperty(_type, spec_version='2.1')), + ('created_by_ref', ReferenceProperty(valid_types='identity', spec_version='2.1')), + ('created', TimestampProperty(default=lambda: NOW, precision='millisecond', precision_constraint='min')), + ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond', precision_constraint='min')), + ('relationship_type', StringProperty(required=True)), + ('description', StringProperty()), + ('source_ref', ThreatReference(valid_types=valid_obj, spec_version='2.1', required=True)), + ('target_ref', ThreatReference(valid_types=valid_obj, spec_version='2.1', required=True)), + ('start_time', TimestampProperty()), + ('stop_time', TimestampProperty()), + ('revoked', BooleanProperty(default=lambda: False)), + ('labels', ListProperty(StringProperty)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), + ('external_references', ListProperty(ExternalReference)), + ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))), + ('granular_markings', ListProperty(GranularMarking)), + ('extensions', ExtensionsProperty(spec_version='2.1')), + ]) + + # Explicitly define the first three kwargs to make readable Relationship declarations. 
+ # def __init__( + # self, source_ref=None, relationship_type=None, + # target_ref=None, **kwargs + # ): + # # Allow (source_ref, relationship_type, target_ref) as positional args. + # if source_ref and not kwargs.get('source_ref'): + # kwargs['source_ref'] = source_ref + # if relationship_type and not kwargs.get('relationship_type'): + # kwargs['relationship_type'] = relationship_type + # if target_ref and not kwargs.get('target_ref'): + # kwargs['target_ref'] = target_ref + # + # super(Relationship, self).__init__(**kwargs) + + def _check_object_constraints(self): + super(self.__class__, self)._check_object_constraints() + + start_time = self.get('start_time') + stop_time = self.get('stop_time') + + if start_time and stop_time and stop_time <= start_time: + msg = "{0.id} 'stop_time' must be later than 'start_time'" + raise ValueError(msg.format(self)) \ No newline at end of file diff --git a/stixorm/module/initialise.py b/stixorm/module/initialise.py index 7ba6e91..7418db7 100644 --- a/stixorm/module/initialise.py +++ b/stixorm/module/initialise.py @@ -24,6 +24,7 @@ import logging logger = logging.getLogger(__name__) +logger.setLevel(logging.INFO) attack_raw = "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/index.json" diff --git a/stixorm/module/orm/import_objects.py b/stixorm/module/orm/import_objects.py index 15902d4..598f78e 100644 --- a/stixorm/module/orm/import_objects.py +++ b/stixorm/module/orm/import_objects.py @@ -11,7 +11,7 @@ from stixorm.module.typedb_lib.factories.auth_factory import get_auth_factory_instance logger = logging.getLogger(__name__) - +logger.setLevel(logging.INFO) marking =["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", diff --git a/stixorm/module/orm/import_utilities.py b/stixorm/module/orm/import_utilities.py index c360473..6148d39 100644 --- a/stixorm/module/orm/import_utilities.py +++ b/stixorm/module/orm/import_utilities.py 
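Review bot: `super(self.__class__, self)._check_object_constraints()` in the new `Relationship._check_object_constraints` resolves `self.__class__` at runtime, so for any subclass of Relationship it re-enters Relationship's own method and recurses until RecursionError; change it to `super()._check_object_constraints()`. `_invalid_source_target_types` is declared but not referenced anywhere in the hunk — `source_ref` and `target_ref` are validated only by `ThreatReference(valid_types=valid_obj, spec_version='2.1', required=True)` — so unless `valid_obj` already excludes those five types, a relationship whose source is a `bundle` or `marking-definition` passes validation; either feed the list into the validator if ThreatReference supports exclusions, or reject those types explicitly in `_check_object_constraints`. The commented-out `__init__` block is dead code: without it, positional `Relationship(src, 'uses', tgt)` calls are no longer accepted, so either restore it or delete the block and state in the class docstring that keyword arguments are required. The file also ends without a trailing newline.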
@@ -12,7 +12,7 @@ stix_models = get_definition_factory_instance().lookup_definition(DefinitionName.STIX_21) logger = logging.getLogger(__name__) - +logger.setLevel(logging.DEBUG) # --------------------------------------------------- # 1.5) Sub Object Methods for adding common standard properties diff --git a/stixorm/module/parsing/conversion_decisions.py b/stixorm/module/parsing/conversion_decisions.py index 0771f3e..03f2770 100644 --- a/stixorm/module/parsing/conversion_decisions.py +++ b/stixorm/module/parsing/conversion_decisions.py @@ -12,6 +12,7 @@ logger = logging.getLogger(__name__) default_import_type = import_type_factory.get_default_import() +logger.setLevel(logging.INFO) attack_model = get_definition_factory_instance().lookup_definition(DefinitionName.ATTACK) diff --git a/stixorm/module/parsing/parse_objects.py b/stixorm/module/parsing/parse_objects.py index 3f1187b..fe2fc1c 100644 --- a/stixorm/module/parsing/parse_objects.py +++ b/stixorm/module/parsing/parse_objects.py @@ -12,6 +12,7 @@ logger = logging.getLogger(__name__) default_import_type = import_type_factory.get_default_import() +logger.setLevel(logging.DEBUG) def parse(data: dict, allow_custom=False, import_type: ImportType=default_import_type): diff --git a/stixorm/module/typedb.py b/stixorm/module/typedb.py index f1eaac7..546c227 100644 --- a/stixorm/module/typedb.py +++ b/stixorm/module/typedb.py @@ -31,6 +31,11 @@ # logging.basicConfig(level=logging.INFO, format='[%(asctime)s] %(levelname)s [%(name)s:%(lineno)s] %(message)s') logger = logging.getLogger(__name__) +logging.basicConfig(filename="typedb_log.txt", + filemode='a', + format='%(asctime)s,%(msecs)d %(name)s %(levelname)s %(message)s', + datefmt='%H:%M:%S', + level=logging.DEBUG) @dataclass diff --git a/test/data/os-threat/incident/human_trigger.json b/test/data/os-threat/incident/human_trigger.json index a045476..044395e 100644 --- a/test/data/os-threat/incident/human_trigger.json 
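Review bot: The new `logging.basicConfig(filename="typedb_log.txt", filemode='a', ..., level=logging.DEBUG)` in typedb.py runs at import time and configures the root logger for every process that imports the module, appending a DEBUG-level log to a file in whatever the current working directory happens to be; the commented-out `basicConfig` line directly above it suggests this was previously disabled on purpose. Combined with the per-module DEBUG levels added elsewhere in this commit, everything any library in the process logs at DEBUG now lands in `typedb_log.txt`, which is an easy way to persist credentials or record contents unintentionally — hedged, since the content of those debug calls is not in the hunk. `basicConfig` belongs in the application entry point or the test harness, not in a library module; if a file handler is needed for local debugging, attach it to `logger` explicitly and keep it out of the committed default.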
+++ b/test/data/os-threat/incident/human_trigger.json @@ -10,7 +10,6 @@ "created_by_ref": "identity--2242662b-d581-4864-8696-fff719dc0500", "spec_version": "2.1", "name": "An example incident with human triggered suspicious email", - "criticality": 80, "description": "A user has reported a suspicious phishing email, possibly a company wide campaign", "extensions": { "extension-definition--ef765651-680c-498d-9894-99799f2fa126": { @@ -18,19 +17,18 @@ "investigation_status": "new", "blocked": false, "malicious": true, + "criticality": 80, "determination": "suspected", "incident_types": [ "hosting-phishing-sites", "theft-access-credentials", "known-malware" ], - "impacted_entity_counts": [ - { + "impacted_entity_counts": { "individual": 10, "organization": 1, "system": 5 - } - ], + }, "scores": [ { "name": "SOC scoring", @@ -64,7 +62,7 @@ { "type": "identity", "spec_version": "2.1", - "id": "identity--023d105b-752e-4cc c-941c-7d3f3cb15e9e", + "id": "identity--f069ebc5-563f-4709-bea1-2f1b4cf321d2", "created": "2016-04-06T20:03:00.000Z", "modified": "2016-04-06T20:03:00.000Z", "name": "SOC Operator", @@ -207,6 +205,7 @@ { "type": "task", "id": "task--1ffe4af4-3b18-4ee2-8279-0d1264efd0fe", + "name": "Start Task", "created": "2020-10-19T01:01:01.000Z", "modified": "2020-10-19T01:01:01.000Z", "spec_version": "2.1", @@ -227,7 +226,7 @@ "name": "Recover email", "priority": 10, "external_references": [], - "owner": "identity--023d105b-752e-4cc c-941c-7d3f3cb15e9e", + "owner": "identity--f069ebc5-563f-4709-bea1-2f1b4cf321d2", "task_types": [ "discovery" ], @@ -273,7 +272,7 @@ "step_type": "single_step", "priority": 10, "external_references": [], - "owner": "identity--023d105b-752e-4cc c-941c-7d3f3cb15e9e", + "owner": "identity--f069ebc5-563f-4709-bea1-2f1b4cf321d2", "task_types": [ "discovery" ], 
@@ -484,7 +483,7 @@ "step_type": "parallel_task", "priority": 8, "external_references": [], - "owner": "identity--023d105b-752e-4cc c-941c-7d3f3cb15e9e", + "owner": "identity--f069ebc5-563f-4709-bea1-2f1b4cf321d2", "task_types": [ "external-intelligence", "attribution" @@ -514,14 +513,13 @@ "step_type": "end_step", "priority": 8, "external_references": [], - "owner": "identity--023d105b-752e-4cc c-941c-7d3f3cb15e9e", + "owner": "identity--f069ebc5-563f-4709-bea1-2f1b4cf321d2", "task_types": [ "reported" ], "outcome": "successful", "start_time": "2020-10-15T01:01:01.000Z", "end_time": "2020-10-15T01:01:01.000Z", - "on_success": "", "extensions": { "extension-definition--2074a052-8be4-4932-849e-f5e7798e0030": { "extension_type": "new-sdo" @@ -538,7 +536,7 @@ "step_type": "single_step", "priority": 8, "external_references": [], - "owner": "identity--023d105b-752e-4cc c-941c-7d3f3cb15e9e", + "owner": "identity--f069ebc5-563f-4709-bea1-2f1b4cf321d2", "task_types": [ "external-intelligence" ], @@ -588,7 +586,7 @@ "step_type": "single_step", "priority": 8, "external_references": [], - "owner": "identity--023d105b-752e-4cc c-941c-7d3f3cb15e9e", + "owner": "identity--f069ebc5-563f-4709-bea1-2f1b4cf321d2", "task_types": [ "external-intelligence" ], @@ -647,7 +645,7 @@ }, { "type": "evidence", - "id": "evidence--2d2541111-fbf8-4969-addd-80ac5c293f57", + "id": "evidence--69e50c4c-0a74-4098-8b76-bb9635b678fc", "created": "2020-10-19T01:01:01.000Z", "modified": "2020-10-19T01:01:01.000Z", "spec_version": "2.1", @@ -685,7 +683,7 @@ }, { "type": "evidence", - "id": "evidence--2d2542222-fbf8-4969-addd-80ac5c293f57", + "id": "evidence--16b72259-77c7-48e5-ae8b-6a7a221754ce", "created": "2020-10-19T01:01:01.000Z", "modified": "2020-10-19T01:01:01.000Z", "spec_version": "2.1", 
@@ -704,7 +702,7 @@ }, { "type": "evidence", - "id": "evidence--2d2541111-fbf8-4969-addd-80ac5c293f57", + "id": "evidence--69e50c4c-0a74-4098-8b76-bb9635b678fc", "created": "2020-10-19T01:01:01.000Z", "modified": "2020-10-19T01:01:01.000Z", "spec_version": "2.1", @@ -760,7 +758,7 @@ }, { "type": "evidence", - "id": "evidence--2d2543333-fbf8-4969-addd-80ac5c293f57", + "id": "evidence--fbda3c71-676b-46a4-9c46-ab76ea6e056b", "created": "2020-10-19T01:01:01.000Z", "modified": "2020-10-19T01:01:01.000Z", "spec_version": "2.1", @@ -768,7 +766,7 @@ "name": "YARA signatures on suspicious binaries", "description": "Hunt: The data collected from internal systems during a hunt for additional context", "source": "YARA", - "sources_refs": [ + "evidence_refs": [ "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f" ], "object_refs": [ @@ -797,6 +795,7 @@ } ], "pattern_type": "yara", + "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]", "valid_from": "2014-06-29T13:49:37.079Z" }, { @@ -1056,7 +1055,7 @@ ], "object_refs": [ "incident--1a074418-9248-4a21-9918-a79d0f1dbc5b", - "identity--023d105b-752e-4cc c-941c-7d3f3cb15e9e", + "identity--f069ebc5-563f-4709-bea1-2f1b4cf321d2", "event--84ede1e8-aa78-4c63-98cd-02f4387fc1ec", "file--e277603e-1060-5ad4-9937-c26c97f1ca68", "email-message--0c57a381-2a17-5e61-8754-5ef96efb286c", 
@@ -1088,15 +1087,15 @@ "ipv4-addr--ff26c055-6006-5bc5-b98d-13d6226742dd", "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd", "ipv4-addr--ff26c055-6666-5bc5-b98d-13d6226742dd", - "evidence--2d2541111-fbf8-4969-addd-80ac5c293f57", + "evidence--69e50c4c-0a74-4098-8b76-bb9635b678fc", "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5", "autonomous-system--f720c34b-98ae-597f-ade5-27dc241e8c74", - "evidence--2d2542222-fbf8-4969-addd-80ac5c293f57", - "evidence--2d2541111-fbf8-4969-addd-80ac5c293f57", + "evidence--16b72259-77c7-48e5-ae8b-6a7a221754ce", + "evidence--69e50c4c-0a74-4098-8b76-bb9635b678fc", "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727", "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d", "relationship--7aebe2f0-28d6-48a2-9c3e-b0aaa60266ed", - "evidence--2d2543333-fbf8-4969-addd-80ac5c293f57", + "evidence--fbda3c71-676b-46a4-9c46-ab76ea6e056b", "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f", "evidence--2d254444-fbf8-4969-addd-80ac5c293f57", "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82", diff --git a/test/data/os-threat/test/incident.json b/test/data/os-threat/test/incident.json new file mode 100644 index 0000000..a8f0994 --- /dev/null +++ b/test/data/os-threat/test/incident.json @@ -0,0 +1,24 @@ +[ + { + "type": "impact", + "id": "impact--1032f48b-28d1-451f-970e-78b736db8e13", + "created": "2022-05-06T01:01:01.002Z", + "modified": "2022-05-06T01:01:01.002Z", + "spec_version": "2.1", + "description": "A list of users from our organization were succesfully compromised", + "recoverability": "supplemented", + "impacted_refs": [ + "identity--023d105b-752e-4e3c-941c-7d3f3cb15e9e", + "identity--023d105b-752e-4e3c-941c-7d3f3cb15e99" + ], + "impact_category": "confidentiality", + "extensions": { + "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": { + "extension_type": "new-sdo" + }, + "information_type": "credentials-user", + "loss-type": "confirmed-loss", + "record_count": 10 + } + } +] \ No newline at end of file 
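Review bot: The new fixture test/data/os-threat/test/incident.json places `information_type`, `loss-type` and `record_count` directly under `extensions` as siblings of the `extension-definition--7cc33dd6-…` key, and spells the key `loss-type` with a hyphen, while the second patch in this series restructures the same impact object in human_trigger.json into a nested `"confidentiality": { "information_type": …, "loss_type": …, "record_count": … }` block. Only one of these shapes can match the Impact class, so the new fixture is likely stale as committed; aligning it with the human_trigger.json form (nested `confidentiality` object, underscore `loss_type`) keeps the loader test meaningful. `"recoverability": "supplemented"` is a scalar here, and whether the Impact class expects a string or a list is not visible in this diff, so it is worth checking against the class definition. The description also carries the typo `succesfully`.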
diff --git a/try_refactor.py b/try_refactor.py index 9fbe67f..9cafb6e 100644 --- a/try_refactor.py +++ b/try_refactor.py @@ -160,7 +160,7 @@ def backdoor_add_dir(dirpath): else: with open(os.path.join(dirpath, s_file), mode="r", encoding="utf-8") as f: json_text = json.load(f) - json_text = json_text["objects"] + #json_text = json_text["objects"] for element in json_text: #logger.debug(f'**********==={element}') obj_list.append(element) @@ -205,7 +205,7 @@ def backdoor_add_dir(dirpath): id_diff = id_set - id_typedb print(f'\n\n\n===========================\nduplist -> {duplist}') print(f'\n\n\n===========================\ninput len -> {len_files}, typedn len ->{len_typedb}') - print(f'difference -> {id_diff}') + #print(f'difference -> {id_diff}') def backdoor_add(pahhway): @@ -628,7 +628,7 @@ def check_dir(dirpath): json_text = json.load(f) json_list = json_text["objects"] for element in json_list: - print(f'element is {element}') + #print(f'element is {element}') temp_id = element.get('id', False) if temp_id: id_list.append(temp_id) @@ -642,7 +642,7 @@ def check_dir(dirpath): len_typedb = len(id_typedb) id_diff = id_set - id_typedb print(f'\n\n\n===========================\ninput len -> {len_files}, typedn len ->{len_typedb}') - print(f'difference -> {id_diff}') + #print(f'difference -> {id_diff}') def cert_dict(cert_root, certs): @@ -1582,6 +1582,8 @@ def meta_icon(stix_object): osthreat = "data/os-threat/" reports = "data/threat_reports/" poison = "poisonivy.json" + incident = "test/data/os-threat/incident" + incident_test = "test/data/os-threat/test" threattest = "history/" id_list = ['file--94ca-5967-8b3c-a906a51d87ac', 'file--5a27d487-c542-5f97-a131-a8866b477b46', 'email-message--72b7698f-10c2-565a-a2a6-b4996a2f2265', 'email-message--cf9b4b7f-14c8-5955-8065-020e0316b559', 'intrusion-set--0c7e22ad-b099-4dc3-b0df-2ea3f49ae2e6', 'attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5', 'autonomous-system--f720c34b-98ae-597f-ade5-27dc241e8c74'] 
@@ -1603,7 +1605,7 @@ def meta_icon(stix_object): #query_id(stid1) #check_dir_ids2(osthreat) #check_dir_ids(path1) - check_dir(mitre) + #check_dir(incident) #test_delete(data_path+file1) #test_get(stid1) #test_get_delete(path2 + "attack_objects.json") @@ -1619,7 +1621,7 @@ def meta_icon(stix_object): #test_generate_docs() #backdoor_add(mitre + "attack_collection.json") #backdoor_add_dir(osthreat + threattest) - #backdoor_add_dir(mitre) + backdoor_add_dir(incident_test) #test_get_file(data_path + file1) #test_insert_statements(mitre + "attack_objects.json", stid1) #test_insert_statements(path1 + f29, stid2) From f6de2cab57d135ef29c6c3179a22e588015dfd05 Mon Sep 17 00:00:00 2001 From: BrettForbes Date: Wed, 23 Aug 2023 19:06:41 +1000 Subject: [PATCH 2/2] Finalising the Incident Class Loading --- test/data/os-threat/incident/human_trigger.json | 8 +++++--- try_refactor.py | 4 ++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/test/data/os-threat/incident/human_trigger.json b/test/data/os-threat/incident/human_trigger.json index 044395e..8486363 100644 --- a/test/data/os-threat/incident/human_trigger.json +++ b/test/data/os-threat/incident/human_trigger.json @@ -1037,9 +1037,11 @@ "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": { "extension_type": "new-sdo" }, - "information_type": "credentials-user", - "loss-type": "confirmed-loss", - "record_count": 10 + "confidentiality" : { + "information_type": "credentials-user", + "loss_type": "confirmed-loss", + "record_count": 10 + } } }, { diff --git a/try_refactor.py b/try_refactor.py index 9cafb6e..daaa546 100644 --- a/try_refactor.py +++ b/try_refactor.py @@ -160,7 +160,7 @@ def backdoor_add_dir(dirpath): else: with open(os.path.join(dirpath, s_file), mode="r", encoding="utf-8") as f: json_text = json.load(f) - #json_text = json_text["objects"] + json_text = json_text["objects"] for element in json_text: #logger.debug(f'**********==={element}') obj_list.append(element) 
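Review bot: `json_text = json_text["objects"]` in `backdoor_add_dir` is commented out in the first patch and restored in the second, tracking the two fixture layouts in this series: the new test/incident.json is a bare list while human_trigger.json appears to carry an `objects` wrapper, and the loader only handles whichever shape was last commented in. Accepting both removes the need to edit code when switching directories: `if isinstance(json_text, dict): json_text = json_text["objects"]` before the `for element in json_text:` loop. The other try_refactor.py hunks in both patches (the `#print(...)` toggles and the `check_dir`/`backdoor_add_dir` call swaps) are the same commented-in/commented-out switching and would be better driven by a command-line argument than by edits to the script. `backdoor_add_dir` starts before this hunk.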
@@ -1621,7 +1621,7 @@ def meta_icon(stix_object): #test_generate_docs() #backdoor_add(mitre + "attack_collection.json") #backdoor_add_dir(osthreat + threattest) - backdoor_add_dir(incident_test) + backdoor_add_dir(incident) #test_get_file(data_path + file1) #test_insert_statements(mitre + "attack_objects.json", stid1) #test_insert_statements(path1 + f29, stid2)