From 5b9fa97e434578b95b1762cfb317067f961aefd2 Mon Sep 17 00:00:00 2001
From: SHolzhauer
Date: Thu, 29 Oct 2020 23:23:40 +0100
Subject: [PATCH] Adding class for intelligence

Starting to setup for the ECS fields for intelligence as discussed in [the RFC](https://github.com/elastic/ecs/pull/1037)
---
 tip/ioc.py | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/tip/ioc.py b/tip/ioc.py
index 5b122c5..a0d9265 100644
--- a/tip/ioc.py
+++ b/tip/ioc.py
@@ -1,3 +1,4 @@
+from datetime import datetime
 import json
 import re
 import hashlib
@@ -48,5 +49,56 @@ def _add_docid(self):
         self.id = hashlib.sha1(json.dumps(self.ioc).encode('utf-8')).hexdigest()
+class Intel:
+
+    def __init__(self,
+                 original=None,
+                 event_type=None,
+                 event_reference=None,
+                 event_module=None,
+                 event_dataset=None,
+                 threat_first_seen=datetime.now().strftime("%m-%d-%Y %H:%M:%S"),
+                 threat_last_seen=datetime.now().strftime("%m-%d-%Y %H:%M:%S"),
+                 threat_last_update=None,
+                 threat_type=None):
+        """"""
+        self.intel = {
+            "event": {
+                "kind": "enrichment",
+                "category": "threat",
+                "type": event_type,
+                "reference": event_reference,
+                "module": event_module,
+                "dataset": event_dataset,
+                "severity": 0,
+                "risk_score": 0,
+                "original": original
+            },
+            "threat": {
+                "time": {
+                    "first_seen": threat_first_seen,
+                    "last_seen": threat_last_seen,
+                    "last_updated": threat_last_update
+                },
+                "sightings": 0,
+                "type": threat_type
+            }
+        }
+
+    def add_mitre(self, tactic=None, technique=None):
+        """
+
+        :param tactic: Tactic ID e.g TA0002
+        :param technique: Technique ID e.g T1059
+        :return:
+        """
+
+        if tactic or technique:
+            self.intel["threat"]["framework"] = "MITRE ATT&CK"
+
+        if tactic:
+            self.intel["threat"]["tactic"]["id"] = tactic
+
+
 class SchemaException(Exception):
+    pass
\ No newline at end of file
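Review bot: The `threat_first_seen` and `threat_last_seen` defaults in `Intel.__init__` call `datetime.now()` inside the signature, so they are evaluated once at import time and every Intel built afterwards carries the same stale timestamp; default them to `None` and resolve the value in the body. In `add_mitre`, `self.intel["threat"]["tactic"]["id"] = tactic` raises KeyError because no `"tactic"` dict is ever created in `__init__`, and the `technique` argument is accepted but never stored; `self.intel["threat"].setdefault("tactic", {})["id"] = tactic` fixes the first, with a matching `setdefault("technique", {})` for the second. The `%m-%d-%Y %H:%M:%S` string is also timezone-naive and not ISO 8601, which is what ECS date fields expect, so `datetime.now(timezone.utc).isoformat()` (with `timezone` added to the import) would likely map better — worth confirming against the RFC linked in the description.
```python
    def __init__(self,
                 original=None,
                 # … unchanged: event_* parameters …
                 threat_first_seen=None,
                 threat_last_seen=None,
                 threat_last_update=None,
                 threat_type=None):
        """Build an ECS-shaped enrichment document; sighting times default to now."""
        # Resolve per call, not once at import time.
        now = datetime.now().strftime("%m-%d-%Y %H:%M:%S")
        if threat_first_seen is None:
            threat_first_seen = now
        if threat_last_seen is None:
            threat_last_seen = now
        # … unchanged: self.intel = { ... } …

    def add_mitre(self, tactic=None, technique=None):
        # … unchanged: docstring and framework assignment …
        if tactic:
            self.intel["threat"].setdefault("tactic", {})["id"] = tactic
        if technique:
            self.intel["threat"].setdefault("technique", {})["id"] = technique
```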