update stix generator for OpenCTI compatability

CODE/DISARM-STIX2/main.py

@@ -11,7 +11,7 @@ from stix2 import (Bundle, AttackPattern, ThreatActor, IntrusionSet, Relationshi
 from stix2.properties import (ReferenceProperty, ListProperty, StringProperty, TimestampProperty, BooleanProperty, IntegerProperty)
 
 import helpers
-from objects import tactic, technique, matrix, bundle, relationship
+from objects import tactic, technique, matrix, bundle, relationship, identity, marking_definition
 from helpers import xlsx, file
 
 
@@ -23,21 +23,25 @@ def generate_disarm_stix():
     """
     data = helpers.xlsx.load_excel_data("../DISARM_MASTER_DATA/DISARM_FRAMEWORKS_MASTER.xlsx")
 
-    tactics = tactic.make_disarm_tactics(data)
-    techniques = technique.make_disarm_techniques(data)
-    subtechnique_relationships = relationship.make_disarm_subtechnique_relationships(techniques)
+    disarm_identity = identity.make_disarm_identity()
+    identity_id = disarm_identity[0]["id"]
+    disarm_marking_definition = marking_definition.make_disarm_marking_definition(identity_id)
+    marking_id = disarm_marking_definition[0]["id"]
+
+    tactics = tactic.make_disarm_tactics(data, identity_id, marking_id)
+    techniques = technique.make_disarm_techniques(data, identity_id, marking_id)
+    subtechnique_relationships = relationship.make_disarm_subtechnique_relationships(techniques, marking_id)
     navigator_matrix = matrix.make_disarm_matrix(tactics)
 
     stix_objects = []
     stix_objects.append(tactics)
     stix_objects.append(techniques)
     stix_objects.append(subtechnique_relationships)
+    stix_objects.append(disarm_identity)
+    stix_objects.append(disarm_marking_definition)
     stix_objects.append(navigator_matrix)
-
     stix_objects = [item for sublist in stix_objects for item in sublist]
-
     disarm_bundle = bundle.make_stix_bundle(stix_objects)
-
     helpers.file.clean_output_dir()
     helpers.file.write_files(stix_objects)
     helpers.file.write_bundle(disarm_bundle, "DISARM")

CODE/DISARM-STIX2/objects/identity.py

@@ -13,4 +13,4 @@ def make_disarm_identity():
         identity_class="organization",
         description="DISARM is a framework designed for describing and understanding disinformation incidents.",
     )
-    return identity
+    return [identity]

CODE/DISARM-STIX2/objects/marking_definition.py

@@ -2,10 +2,11 @@ from stix2 import MarkingDefinition, StatementMarking
 from objects import identity
 
 
-def make_disarm_marking_definition():
+def make_disarm_marking_definition(identity_id):
     marking_definition = MarkingDefinition(
         definition_type="statement",
-        created_by_ref=identity.make_disarm_identity(),
+        created_by_ref=identity_id,
+        name="DISARM Foundation",
         definition=StatementMarking(statement="CC-BY-SA-4.0 DISARM Foundation")
     )
-    return marking_definition
+    return [marking_definition]

CODE/DISARM-STIX2/objects/relationship.py

@@ -1,7 +1,7 @@
 from stix2 import Relationship, properties, ExternalReference
 
 
-def make_disarm_subtechnique_relationship(source, target):
+def make_disarm_subtechnique_relationship(source, target, marking_id):
     """Creates a relationship between the parent technique and sub-technique.
 
     Args:
@@ -15,13 +15,15 @@ def make_disarm_subtechnique_relationship(source, target):
     relationship = Relationship(
         source_ref=source,
         target_ref=target,
-        relationship_type="subtechnique-of"
+        description="",
+        relationship_type="subtechnique-of",
+        object_marking_refs=marking_id
     )
 
     return relationship
 
 
-def make_disarm_subtechnique_relationships(techniques):
+def make_disarm_subtechnique_relationships(techniques, marking_id):
     """Creates a map of technique and sub-technique.
 
     Args:
@@ -39,7 +41,7 @@ def make_disarm_subtechnique_relationships(techniques):
     for technique in techniques:
         if technique["x_mitre_is_subtechnique"]:
             technique_id = technique_ids[technique["external_references"][0]["external_id"].split(".")[0]]
-            relationship = make_disarm_subtechnique_relationship(technique["id"], technique_id)
+            relationship = make_disarm_subtechnique_relationship(technique["id"], technique_id, marking_id)
             relationships.append(relationship)
 
     return relationships

CODE/DISARM-STIX2/objects/tactic.py

@@ -21,7 +21,7 @@ class Tactic(object):
             raise ValueError("'%s' is not a recognized DISARM Tactic." % x_mitre_shortname)
 
 
-def make_disarm_tactics(data):
+def make_disarm_tactics(data, identity_id, marking_id):
     """Create all DISARM tactic objects.
 
     Args:
@@ -46,10 +46,11 @@ def make_disarm_tactics(data):
             description=f"{t[5]}",
             x_mitre_shortname=f'{t[1].lower().replace(" ", "-")}',
             external_references=external_references,
-            object_marking_refs=objects.marking_definition.make_disarm_marking_definition(),
-            created_by_ref=objects.identity.make_disarm_identity()
+            object_marking_refs=marking_id,
+            created_by_ref=identity_id
         )
 
         tactics.append(tactic)
 
     return tactics
+

CODE/DISARM-STIX2/objects/technique.py

@@ -4,7 +4,7 @@ import pandas as pd
 from objects import identity, marking_definition
 
 
-def make_disarm_techniques(data):
+def make_disarm_techniques(data, identity_id, marking_id):
     """Create all DISARM Techniques objects.
 
     Args:
@@ -20,7 +20,7 @@ def make_disarm_techniques(data):
         external_references = [
             {
                 'external_id': f'{t[0]}'.strip(),
-                'source_name': 'DISARM',
+                'source_name': 'mitre-attack',
                 'url': f'https://github.com/DISARMFoundation/DISARM_framework/blob/master/techniques/{t[0]}.md'
             }
         ]
@@ -45,12 +45,12 @@ def make_disarm_techniques(data):
             name=f"{t[1]}",
             description=f"{t[4]}",
             external_references=external_references,
-            object_marking_refs=objects.marking_definition.make_disarm_marking_definition(),
-            created_by_ref=objects.identity.make_disarm_identity(),
+            object_marking_refs=marking_id,
+            created_by_ref=identity_id,
             kill_chain_phases=kill_chain_phases,
             custom_properties={
                 'x_mitre_platforms': x_mitre_platforms,
-                'x_mitre_version': "1.0",
+                'x_mitre_version': "2.1",
                 'x_mitre_is_subtechnique': x_mitre_is_subtechnique
             }
         )