from stix2 import EqualityComparisonExpression, ObjectPath, ObservationExpression
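# STIX 2 cyber-observable type name -> OpenCTI entity type name.
STIX_CYBER_OBSERVABLE_MAPPING = {
    "autonomous-system": "Autonomous-System",
    "directory": "Directory",
    "domain-name": "Domain-Name",
    "email-addr": "Email-Addr",
    "file": "StixFile",
    "email-message": "Email-Message",
    "ipv4-addr": "IPv4-Addr",
    "ipv6-addr": "IPv6-Addr",
    "mac-addr": "Mac-Addr",
    "mutex": "Mutex",
    "network-traffic": "Network-Traffic",
    "process": "Process",
    "software": "Software",
    "url": "Url",
    "user-account": "User-Account",
    "windows-registry-key": "Windows-Registry-Key",
    "windows-registry-value-type": "Windows-Registry-Value-Type",
    "hostname": "Hostname",
}

# OpenCTI observable type -> STIX property path used on the left-hand side of
# a generated equality pattern.  Types that can be matched on several
# properties carry a "_<property>" suffix (e.g. "File_sha256"); only the part
# before the "_" is the STIX object type.
PATTERN_MAPPING = {
    "Autonomous-System": ["number"],
    "Directory": ["path"],
    "Domain-Name": ["value"],
    "Email-Addr": ["value"],
    "File_md5": ["hashes", "MD5"],
    "File_sha1": ["hashes", "SHA-1"],
    "File_sha256": ["hashes", "SHA-256"],
    "File_sha512": ["hashes", "SHA-512"],
    "Email-Message_Body": ["body"],
    "Email-Message_Subject": ["subject"],
    "Email-Mime-Part-Type": ["body"],
    "IPv4-Addr": ["value"],
    "IPv6-Addr": ["value"],
    "Mac-Addr": ["value"],
    "Mutex": ["name"],
    "Network-Traffic": ["dst_port"],
    "Process": ["pid"],
    "Software": ["name"],
    "Url": ["value"],
    # The STIX 2.1 user-account property is "account_login"; the previous
    # "acount_login" spelling produced patterns on a non-existent property.
    "User-Account": ["account_login"],
    "Windows-Registry-Key": ["key"],
    "Windows-Registry-Value-Type": ["name"],
    "Hostname": ["value"],
}

# "<OpenCTI type>.<property>" pairs whose value is numeric rather than a string.
# Not referenced in this module; presumably consulted by callers that need to
# render these as integer pattern constants - verify against the consumers.
OBSERVABLES_VALUE_INT = [
    "Autonomous-System.number",
    "Network-Traffic.dst_port",
    "Process.pid",
]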
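class OpenCTIStix2Utils:
    """Helpers for mapping OpenCTI observable types to STIX 2 types and patterns."""

    @staticmethod
    def stix_observable_opencti_type(observable_type: str) -> str:
        """Return the OpenCTI entity type for a STIX cyber-observable type.

        :param observable_type: STIX 2 observable type name (e.g. ``"ipv4-addr"``),
            looked up in ``STIX_CYBER_OBSERVABLE_MAPPING``.
        :return: the mapped OpenCTI type, or ``"Unknown"`` when the type has
            no mapping entry.
        """
        return STIX_CYBER_OBSERVABLE_MAPPING.get(observable_type, "Unknown")

    @staticmethod
    def create_stix_pattern(observable_type: str, observable_value) -> "str | None":
        """Build a STIX 2 observation pattern matching one observable value.

        :param observable_type: a key of ``PATTERN_MAPPING`` (e.g. ``"IPv4-Addr"``
            or ``"File_sha256"``); the part before ``"_"`` (if any), lower-cased,
            becomes the STIX object type of the pattern and the mapping entry
            supplies the property path.
        :param observable_value: the right-hand side of the comparison; it is
            passed to ``stix2.EqualityComparisonExpression`` unchanged, so the
            ``stix2`` library is responsible for quoting and escaping it.
        :return: the pattern string (e.g. ``"[ipv4-addr:value = '10.0.0.1']"``),
            or ``None`` when ``observable_type`` is not in ``PATTERN_MAPPING``.
        """
        if observable_type not in PATTERN_MAPPING:
            return None
        # "File_sha256" -> "file": the suffix only selects the property path.
        stix_type, _, _property_suffix = observable_type.partition("_")
        lhs = ObjectPath(stix_type.lower(), PATTERN_MAPPING[observable_type])
        # The value comes from external data; building the expression through
        # stix2 (rather than string formatting) keeps it a single constant and
        # cannot change the structure of the pattern.
        # NOTE(review): OBSERVABLES_VALUE_INT is not consulted here, so a str
        # value for an integer property (e.g. Process.pid) is rendered quoted;
        # confirm callers pass ints for those types.
        comparison = EqualityComparisonExpression(lhs, observable_value)
        return str(ObservationExpression(comparison))

    @staticmethod
    def generate_random_stix_id(stix_type):
        """Formerly generated a random STIX id (UUID v1); now always raises.

        Retained only so that old callers fail loudly instead of silently
        producing ids: use ``generate_id`` for SDOs or the proper SCO
        constructor instead.

        :param stix_type: the STIX type (unused)
        :raises ValueError: always
        """
        raise ValueError(
            "This function should not be used anymore, please use the generate_id function for SDO or proper SCO constructor"
        )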