update stix generator for OpenCTI compatability

2022-07-03 19:09:05 -04:00 · 2022-07-03 19:09:05 -04:00 · fd84d4c13d
--- a/CODE/DISARM-STIX2/main.py
+++ b/CODE/DISARM-STIX2/main.py
@ -11,7 +11,7 @@ from stix2 import (Bundle, AttackPattern, ThreatActor, IntrusionSet, Relationshi
 from stix2.properties import (ReferenceProperty, ListProperty, StringProperty, TimestampProperty, BooleanProperty, IntegerProperty)

 import helpers
-from objects import tactic, technique, matrix, bundle, relationship
+from objects import tactic, technique, matrix, bundle, relationship, identity, marking_definition
 from helpers import xlsx, file


@ -23,21 +23,25 @@ def generate_disarm_stix():
    """
    data = helpers.xlsx.load_excel_data("../DISARM_MASTER_DATA/DISARM_FRAMEWORKS_MASTER.xlsx")

-    tactics = tactic.make_disarm_tactics(data)
-    techniques = technique.make_disarm_techniques(data)
-    subtechnique_relationships = relationship.make_disarm_subtechnique_relationships(techniques)
+    disarm_identity = identity.make_disarm_identity()
+    identity_id = disarm_identity[0]["id"]
+    disarm_marking_definition = marking_definition.make_disarm_marking_definition(identity_id)
+    marking_id = disarm_marking_definition[0]["id"]
+
+    tactics = tactic.make_disarm_tactics(data, identity_id, marking_id)
+    techniques = technique.make_disarm_techniques(data, identity_id, marking_id)
+    subtechnique_relationships = relationship.make_disarm_subtechnique_relationships(techniques, marking_id)
    navigator_matrix = matrix.make_disarm_matrix(tactics)

    stix_objects = []
    stix_objects.append(tactics)
    stix_objects.append(techniques)
    stix_objects.append(subtechnique_relationships)
+    stix_objects.append(disarm_identity)
+    stix_objects.append(disarm_marking_definition)
    stix_objects.append(navigator_matrix)
-
    stix_objects = [item for sublist in stix_objects for item in sublist]
-
    disarm_bundle = bundle.make_stix_bundle(stix_objects)
-
    helpers.file.clean_output_dir()
    helpers.file.write_files(stix_objects)
    helpers.file.write_bundle(disarm_bundle, "DISARM")
--- a/CODE/DISARM-STIX2/objects/identity.py
+++ b/CODE/DISARM-STIX2/objects/identity.py
@ -13,4 +13,4 @@ def make_disarm_identity():
        identity_class="organization",
        description="DISARM is a framework designed for describing and understanding disinformation incidents.",
    )
-    return identity
+    return [identity]
--- a/CODE/DISARM-STIX2/objects/marking_definition.py
+++ b/CODE/DISARM-STIX2/objects/marking_definition.py
@ -2,10 +2,11 @@ from stix2 import MarkingDefinition, StatementMarking
 from objects import identity


-def make_disarm_marking_definition():
+def make_disarm_marking_definition(identity_id):
    marking_definition = MarkingDefinition(
        definition_type="statement",
-        created_by_ref=identity.make_disarm_identity(),
+        created_by_ref=identity_id,
+        name="DISARM Foundation",
        definition=StatementMarking(statement="CC-BY-SA-4.0 DISARM Foundation")
    )
-    return marking_definition
+    return [marking_definition]
--- a/CODE/DISARM-STIX2/objects/relationship.py
+++ b/CODE/DISARM-STIX2/objects/relationship.py
@ -1,7 +1,7 @@
 from stix2 import Relationship, properties, ExternalReference


-def make_disarm_subtechnique_relationship(source, target):
+def make_disarm_subtechnique_relationship(source, target, marking_id):
    """Creates a relationship between the parent technique and sub-technique.

    Args:
@ -15,13 +15,15 @@ def make_disarm_subtechnique_relationship(source, target):
    relationship = Relationship(
        source_ref=source,
        target_ref=target,
-        relationship_type="subtechnique-of"
+        description="",
+        relationship_type="subtechnique-of",
+        object_marking_refs=marking_id
    )

    return relationship


-def make_disarm_subtechnique_relationships(techniques):
+def make_disarm_subtechnique_relationships(techniques, marking_id):
    """Creates a map of technique and sub-technique.

    Args:
@ -39,7 +41,7 @@ def make_disarm_subtechnique_relationships(techniques):
    for technique in techniques:
        if technique["x_mitre_is_subtechnique"]:
            technique_id = technique_ids[technique["external_references"][0]["external_id"].split(".")[0]]
-            relationship = make_disarm_subtechnique_relationship(technique["id"], technique_id)
+            relationship = make_disarm_subtechnique_relationship(technique["id"], technique_id, marking_id)
            relationships.append(relationship)

    return relationships
--- a/CODE/DISARM-STIX2/objects/tactic.py
+++ b/CODE/DISARM-STIX2/objects/tactic.py
@ -21,7 +21,7 @@ class Tactic(object):
            raise ValueError("'%s' is not a recognized DISARM Tactic." % x_mitre_shortname)


-def make_disarm_tactics(data):
+def make_disarm_tactics(data, identity_id, marking_id):
    """Create all DISARM tactic objects.

    Args:
@ -46,10 +46,11 @@ def make_disarm_tactics(data):
            description=f"{t[5]}",
            x_mitre_shortname=f'{t[1].lower().replace(" ", "-")}',
            external_references=external_references,
-            object_marking_refs=objects.marking_definition.make_disarm_marking_definition(),
-            created_by_ref=objects.identity.make_disarm_identity()
+            object_marking_refs=marking_id,
+            created_by_ref=identity_id
        )

        tactics.append(tactic)

    return tactics
+
--- a/CODE/DISARM-STIX2/objects/technique.py
+++ b/CODE/DISARM-STIX2/objects/technique.py
@ -4,7 +4,7 @@ import pandas as pd
 from objects import identity, marking_definition


-def make_disarm_techniques(data):
+def make_disarm_techniques(data, identity_id, marking_id):
    """Create all DISARM Techniques objects.

    Args:
@ -20,7 +20,7 @@ def make_disarm_techniques(data):
        external_references = [
            {
                'external_id': f'{t[0]}'.strip(),
-                'source_name': 'DISARM',
+                'source_name': 'mitre-attack',
                'url': f'https://github.com/DISARMFoundation/DISARM_framework/blob/master/techniques/{t[0]}.md'
            }
        ]
@ -45,12 +45,12 @@ def make_disarm_techniques(data):
            name=f"{t[1]}",
            description=f"{t[4]}",
            external_references=external_references,
-            object_marking_refs=objects.marking_definition.make_disarm_marking_definition(),
-            created_by_ref=objects.identity.make_disarm_identity(),
+            object_marking_refs=marking_id,
+            created_by_ref=identity_id,
            kill_chain_phases=kill_chain_phases,
            custom_properties={
                'x_mitre_platforms': x_mitre_platforms,
-                'x_mitre_version': "1.0",
+                'x_mitre_version': "2.1",
                'x_mitre_is_subtechnique': x_mitre_is_subtechnique
            }
        )
--- a/DISARM_MASTER_DATA/DISARM_FRAMEWORKS_MASTER.xlsx
+++ b/DISARM_MASTER_DATA/DISARM_FRAMEWORKS_MASTER.xlsx