active_stix 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (289) hide show
  1. checksums.yaml +7 -0
  2. data/MIT-LICENSE +20 -0
  3. data/README.md +28 -0
  4. data/Rakefile +32 -0
  5. data/app/assets/config/active_stix_manifest.js +2 -0
  6. data/app/assets/javascripts/active_stix/application.js +15 -0
  7. data/app/assets/javascripts/active_stix/artifacts.js +2 -0
  8. data/app/assets/javascripts/active_stix/attack_patterns.js +2 -0
  9. data/app/assets/javascripts/active_stix/bcc_refs.js +2 -0
  10. data/app/assets/javascripts/active_stix/bundled_objects.js +2 -0
  11. data/app/assets/javascripts/active_stix/bundles.js +2 -0
  12. data/app/assets/javascripts/active_stix/campaigns.js +2 -0
  13. data/app/assets/javascripts/active_stix/course_of_actions.js +2 -0
  14. data/app/assets/javascripts/active_stix/cyber_observables.js +2 -0
  15. data/app/assets/javascripts/active_stix/email_messages.js +2 -0
  16. data/app/assets/javascripts/active_stix/external_references.js +2 -0
  17. data/app/assets/javascripts/active_stix/files.js +2 -0
  18. data/app/assets/javascripts/active_stix/identities.js +2 -0
  19. data/app/assets/javascripts/active_stix/indicator_labels.js +2 -0
  20. data/app/assets/javascripts/active_stix/indicators.js +2 -0
  21. data/app/assets/javascripts/active_stix/intrusion_sets.js +2 -0
  22. data/app/assets/javascripts/active_stix/kill_chain_phases.js +2 -0
  23. data/app/assets/javascripts/active_stix/kill_chains.js +2 -0
  24. data/app/assets/javascripts/active_stix/malwares.js +2 -0
  25. data/app/assets/javascripts/active_stix/marking_definitions.js +2 -0
  26. data/app/assets/javascripts/active_stix/observed_data.js +2 -0
  27. data/app/assets/javascripts/active_stix/open_vocabularies.js +2 -0
  28. data/app/assets/javascripts/active_stix/phases.js +2 -0
  29. data/app/assets/javascripts/active_stix/recipients.js +2 -0
  30. data/app/assets/javascripts/active_stix/relationships.js +2 -0
  31. data/app/assets/javascripts/active_stix/reports.js +2 -0
  32. data/app/assets/javascripts/active_stix/threat_actors.js +2 -0
  33. data/app/assets/javascripts/active_stix/tools.js +2 -0
  34. data/app/assets/javascripts/active_stix/urls.js +2 -0
  35. data/app/assets/javascripts/active_stix/users.js +2 -0
  36. data/app/assets/stylesheets/active_stix/application.css +15 -0
  37. data/app/assets/stylesheets/active_stix/artifacts.css +4 -0
  38. data/app/assets/stylesheets/active_stix/attack_patterns.css +4 -0
  39. data/app/assets/stylesheets/active_stix/bcc_refs.css +4 -0
  40. data/app/assets/stylesheets/active_stix/bundled_objects.css +4 -0
  41. data/app/assets/stylesheets/active_stix/bundles.css +4 -0
  42. data/app/assets/stylesheets/active_stix/campaigns.css +4 -0
  43. data/app/assets/stylesheets/active_stix/course_of_actions.css +4 -0
  44. data/app/assets/stylesheets/active_stix/cyber_observables.css +4 -0
  45. data/app/assets/stylesheets/active_stix/email_messages.css +4 -0
  46. data/app/assets/stylesheets/active_stix/external_references.css +4 -0
  47. data/app/assets/stylesheets/active_stix/files.css +4 -0
  48. data/app/assets/stylesheets/active_stix/identities.css +4 -0
  49. data/app/assets/stylesheets/active_stix/indicator_labels.css +4 -0
  50. data/app/assets/stylesheets/active_stix/indicators.css +4 -0
  51. data/app/assets/stylesheets/active_stix/intrusion_sets.css +4 -0
  52. data/app/assets/stylesheets/active_stix/kill_chain_phases.css +4 -0
  53. data/app/assets/stylesheets/active_stix/kill_chains.css +4 -0
  54. data/app/assets/stylesheets/active_stix/malwares.css +4 -0
  55. data/app/assets/stylesheets/active_stix/marking_definitions.css +4 -0
  56. data/app/assets/stylesheets/active_stix/observed_data.css +4 -0
  57. data/app/assets/stylesheets/active_stix/open_vocabularies.css +4 -0
  58. data/app/assets/stylesheets/active_stix/phases.css +4 -0
  59. data/app/assets/stylesheets/active_stix/recipients.css +4 -0
  60. data/app/assets/stylesheets/active_stix/relationships.css +4 -0
  61. data/app/assets/stylesheets/active_stix/reports.css +4 -0
  62. data/app/assets/stylesheets/active_stix/threat_actors.css +4 -0
  63. data/app/assets/stylesheets/active_stix/tools.css +4 -0
  64. data/app/assets/stylesheets/active_stix/urls.css +4 -0
  65. data/app/assets/stylesheets/active_stix/users.css +4 -0
  66. data/app/assets/stylesheets/scaffold.css +80 -0
  67. data/app/controllers/active_stix/application_controller.rb +5 -0
  68. data/app/controllers/active_stix/artifacts_controller.rb +62 -0
  69. data/app/controllers/active_stix/attack_patterns_controller.rb +27 -0
  70. data/app/controllers/active_stix/bcc_refs_controller.rb +62 -0
  71. data/app/controllers/active_stix/bundled_objects_controller.rb +62 -0
  72. data/app/controllers/active_stix/bundles_controller.rb +11 -0
  73. data/app/controllers/active_stix/campaigns_controller.rb +74 -0
  74. data/app/controllers/active_stix/course_of_actions_controller.rb +62 -0
  75. data/app/controllers/active_stix/cyber_observables_controller.rb +62 -0
  76. data/app/controllers/active_stix/email_addresses_controller.rb +74 -0
  77. data/app/controllers/active_stix/email_messages_controller.rb +26 -0
  78. data/app/controllers/active_stix/external_references_controller.rb +62 -0
  79. data/app/controllers/active_stix/files_controller.rb +74 -0
  80. data/app/controllers/active_stix/identities_controller.rb +128 -0
  81. data/app/controllers/active_stix/indicator_labels_controller.rb +62 -0
  82. data/app/controllers/active_stix/indicators_controller.rb +62 -0
  83. data/app/controllers/active_stix/intrusion_sets_controller.rb +62 -0
  84. data/app/controllers/active_stix/kill_chain_phases_controller.rb +62 -0
  85. data/app/controllers/active_stix/kill_chains_controller.rb +62 -0
  86. data/app/controllers/active_stix/malwares_controller.rb +62 -0
  87. data/app/controllers/active_stix/marking_definitions_controller.rb +62 -0
  88. data/app/controllers/active_stix/observed_data_controller.rb +62 -0
  89. data/app/controllers/active_stix/open_vocabularies_controller.rb +62 -0
  90. data/app/controllers/active_stix/phases_controller.rb +62 -0
  91. data/app/controllers/active_stix/recipients_controller.rb +62 -0
  92. data/app/controllers/active_stix/relationships_controller.rb +62 -0
  93. data/app/controllers/active_stix/reports_controller.rb +62 -0
  94. data/app/controllers/active_stix/threat_actors_controller.rb +75 -0
  95. data/app/controllers/active_stix/tools_controller.rb +62 -0
  96. data/app/controllers/active_stix/urls_controller.rb +62 -0
  97. data/app/controllers/active_stix/user_accounts_controller.rb +74 -0
  98. data/app/controllers/active_stix/users_controller.rb +62 -0
  99. data/app/helpers/active_stix/application_helper.rb +4 -0
  100. data/app/helpers/active_stix/artifacts_helper.rb +4 -0
  101. data/app/helpers/active_stix/attack_patterns_helper.rb +4 -0
  102. data/app/helpers/active_stix/bcc_refs_helper.rb +4 -0
  103. data/app/helpers/active_stix/bundled_objects_helper.rb +4 -0
  104. data/app/helpers/active_stix/bundles_helper.rb +4 -0
  105. data/app/helpers/active_stix/campaigns_helper.rb +4 -0
  106. data/app/helpers/active_stix/course_of_actions_helper.rb +4 -0
  107. data/app/helpers/active_stix/cyber_observables_helper.rb +4 -0
  108. data/app/helpers/active_stix/email_messages_helper.rb +4 -0
  109. data/app/helpers/active_stix/external_references_helper.rb +4 -0
  110. data/app/helpers/active_stix/files_helper.rb +4 -0
  111. data/app/helpers/active_stix/identities_helper.rb +4 -0
  112. data/app/helpers/active_stix/indicator_labels_helper.rb +4 -0
  113. data/app/helpers/active_stix/indicators_helper.rb +4 -0
  114. data/app/helpers/active_stix/intrusion_sets_helper.rb +4 -0
  115. data/app/helpers/active_stix/kill_chain_phases_helper.rb +4 -0
  116. data/app/helpers/active_stix/kill_chains_helper.rb +4 -0
  117. data/app/helpers/active_stix/malwares_helper.rb +4 -0
  118. data/app/helpers/active_stix/marking_definitions_helper.rb +4 -0
  119. data/app/helpers/active_stix/observed_data_helper.rb +4 -0
  120. data/app/helpers/active_stix/open_vocabularies_helper.rb +4 -0
  121. data/app/helpers/active_stix/phases_helper.rb +4 -0
  122. data/app/helpers/active_stix/recipients_helper.rb +4 -0
  123. data/app/helpers/active_stix/relationships_helper.rb +4 -0
  124. data/app/helpers/active_stix/reports_helper.rb +4 -0
  125. data/app/helpers/active_stix/threat_actors_helper.rb +4 -0
  126. data/app/helpers/active_stix/tools_helper.rb +4 -0
  127. data/app/helpers/active_stix/urls_helper.rb +4 -0
  128. data/app/helpers/active_stix/users_helper.rb +4 -0
  129. data/app/jobs/active_stix/application_job.rb +4 -0
  130. data/app/mailers/active_stix/application_mailer.rb +6 -0
  131. data/app/models/active_stix/application_record.rb +5 -0
  132. data/app/models/active_stix/artifact.rb +23 -0
  133. data/app/models/active_stix/attack_pattern.rb +150 -0
  134. data/app/models/active_stix/bcc_ref.rb +6 -0
  135. data/app/models/active_stix/bundle.rb +108 -0
  136. data/app/models/active_stix/bundled_object.rb +4 -0
  137. data/app/models/active_stix/campaign.rb +65 -0
  138. data/app/models/active_stix/cc_ref.rb +6 -0
  139. data/app/models/active_stix/course_of_action.rb +54 -0
  140. data/app/models/active_stix/cyber_observable.rb +4 -0
  141. data/app/models/active_stix/email_address.rb +27 -0
  142. data/app/models/active_stix/email_message.rb +339 -0
  143. data/app/models/active_stix/external_reference.rb +48 -0
  144. data/app/models/active_stix/file.rb +2 -0
  145. data/app/models/active_stix/identity.rb +141 -0
  146. data/app/models/active_stix/indicator.rb +58 -0
  147. data/app/models/active_stix/indicator_label.rb +4 -0
  148. data/app/models/active_stix/intrusion_set.rb +69 -0
  149. data/app/models/active_stix/kill_chain.rb +7 -0
  150. data/app/models/active_stix/kill_chain_phase.rb +6 -0
  151. data/app/models/active_stix/label.rb +17 -0
  152. data/app/models/active_stix/label_malware.rb +4 -0
  153. data/app/models/active_stix/label_report.rb +4 -0
  154. data/app/models/active_stix/label_tool.rb +4 -0
  155. data/app/models/active_stix/malware.rb +98 -0
  156. data/app/models/active_stix/marking_definition.rb +21 -0
  157. data/app/models/active_stix/markup.rb +6 -0
  158. data/app/models/active_stix/object_marking.rb +11 -0
  159. data/app/models/active_stix/observed_datum.rb +67 -0
  160. data/app/models/active_stix/open_vocabulary.rb +8 -0
  161. data/app/models/active_stix/phase.rb +41 -0
  162. data/app/models/active_stix/recipient.rb +4 -0
  163. data/app/models/active_stix/reference_item.rb +4 -0
  164. data/app/models/active_stix/relationship.rb +95 -0
  165. data/app/models/active_stix/report.rb +93 -0
  166. data/app/models/active_stix/report_object.rb +9 -0
  167. data/app/models/active_stix/threat_actor.rb +139 -0
  168. data/app/models/active_stix/to_ref.rb +6 -0
  169. data/app/models/active_stix/tool.rb +112 -0
  170. data/app/models/active_stix/url.rb +15 -0
  171. data/app/models/active_stix/user.rb +4 -0
  172. data/app/models/active_stix/user_account.rb +3 -0
  173. data/app/views/active_stix/artifacts/_form.html.erb +57 -0
  174. data/app/views/active_stix/artifacts/edit.html.erb +6 -0
  175. data/app/views/active_stix/artifacts/index.html.erb +41 -0
  176. data/app/views/active_stix/artifacts/new.html.erb +5 -0
  177. data/app/views/active_stix/artifacts/show.html.erb +44 -0
  178. data/app/views/active_stix/attack_patterns/_form.html.erb +37 -0
  179. data/app/views/active_stix/attack_patterns/edit.html.erb +2 -0
  180. data/app/views/active_stix/attack_patterns/index.html.erb +2 -0
  181. data/app/views/active_stix/attack_patterns/new.html.erb +2 -0
  182. data/app/views/active_stix/attack_patterns/show.html.erb +140 -0
  183. data/app/views/active_stix/bcc_refs/_form.html.erb +27 -0
  184. data/app/views/active_stix/bcc_refs/edit.html.erb +6 -0
  185. data/app/views/active_stix/bcc_refs/index.html.erb +29 -0
  186. data/app/views/active_stix/bcc_refs/new.html.erb +5 -0
  187. data/app/views/active_stix/bcc_refs/show.html.erb +14 -0
  188. data/app/views/active_stix/bundles/index.html.erb +1 -0
  189. data/app/views/active_stix/bundles/show.html.erb +7 -0
  190. data/app/views/active_stix/campaigns/_form.html.erb +42 -0
  191. data/app/views/active_stix/campaigns/_stix_campaign.json.jbuilder +2 -0
  192. data/app/views/active_stix/campaigns/edit.html.erb +6 -0
  193. data/app/views/active_stix/campaigns/index.html.erb +35 -0
  194. data/app/views/active_stix/campaigns/index.json.jbuilder +1 -0
  195. data/app/views/active_stix/campaigns/new.html.erb +5 -0
  196. data/app/views/active_stix/campaigns/show.html.erb +29 -0
  197. data/app/views/active_stix/campaigns/show.json.jbuilder +1 -0
  198. data/app/views/active_stix/email_messages/_form.html.erb +62 -0
  199. data/app/views/active_stix/email_messages/_stix_email_message.json.jbuilder +2 -0
  200. data/app/views/active_stix/email_messages/edit.html.erb +6 -0
  201. data/app/views/active_stix/email_messages/index.html.erb +43 -0
  202. data/app/views/active_stix/email_messages/index.json.jbuilder +1 -0
  203. data/app/views/active_stix/email_messages/new.html.erb +5 -0
  204. data/app/views/active_stix/email_messages/show.html.erb +165 -0
  205. data/app/views/active_stix/email_messages/show.json.jbuilder +1 -0
  206. data/app/views/active_stix/files/_form.html.erb +92 -0
  207. data/app/views/active_stix/files/_stix_file.json.jbuilder +2 -0
  208. data/app/views/active_stix/files/edit.html.erb +6 -0
  209. data/app/views/active_stix/files/index.html.erb +55 -0
  210. data/app/views/active_stix/files/index.json.jbuilder +1 -0
  211. data/app/views/active_stix/files/new.html.erb +5 -0
  212. data/app/views/active_stix/files/show.html.erb +79 -0
  213. data/app/views/active_stix/files/show.json.jbuilder +1 -0
  214. data/app/views/active_stix/identities/_form.html.erb +27 -0
  215. data/app/views/active_stix/identities/_individual.html.erb +100 -0
  216. data/app/views/active_stix/identities/_organization.html.erb +72 -0
  217. data/app/views/active_stix/identities/_received_email_messages.html.erb +27 -0
  218. data/app/views/active_stix/identities/_sent_email_messages.html.erb +27 -0
  219. data/app/views/active_stix/identities/_threat_icons.html.erb +3 -0
  220. data/app/views/active_stix/identities/edit.html.erb +2 -0
  221. data/app/views/active_stix/identities/index.html.erb +37 -0
  222. data/app/views/active_stix/identities/new.html.erb +5 -0
  223. data/app/views/active_stix/identities/show.html.erb +15 -0
  224. data/app/views/active_stix/layouts/active_stix/application.html.erb +16 -0
  225. data/app/views/active_stix/recipients/_form.html.erb +27 -0
  226. data/app/views/active_stix/recipients/edit.html.erb +6 -0
  227. data/app/views/active_stix/recipients/index.html.erb +29 -0
  228. data/app/views/active_stix/recipients/new.html.erb +5 -0
  229. data/app/views/active_stix/recipients/show.html.erb +14 -0
  230. data/app/views/active_stix/threat_actors/_form.html.erb +32 -0
  231. data/app/views/active_stix/threat_actors/_stix_threat_actor.json.jbuilder +2 -0
  232. data/app/views/active_stix/threat_actors/edit.html.erb +6 -0
  233. data/app/views/active_stix/threat_actors/flags.html.erb +184 -0
  234. data/app/views/active_stix/threat_actors/index.html.erb +26 -0
  235. data/app/views/active_stix/threat_actors/index.json.jbuilder +1 -0
  236. data/app/views/active_stix/threat_actors/new.html.erb +5 -0
  237. data/app/views/active_stix/threat_actors/show.html.erb +4 -0
  238. data/app/views/active_stix/threat_actors/show.json.jbuilder +1 -0
  239. data/app/views/layouts/active_stix/application.html.erb +16 -0
  240. data/config/routes.rb +39 -0
  241. data/db/migrate/20191204200025_create_active_stix_bundled_objects.rb +11 -0
  242. data/db/migrate/20191204213707_create_active_stix_bundles.rb +10 -0
  243. data/db/migrate/20191204213802_create_active_stix_campaigns.rb +15 -0
  244. data/db/migrate/20191204213926_create_active_stix_course_of_actions.rb +12 -0
  245. data/db/migrate/20191204214020_create_active_stix_cyber_observables.rb +11 -0
  246. data/db/migrate/20191204214955_create_active_stix_email_messages.rb +20 -0
  247. data/db/migrate/20191204215029_create_active_stix_external_references.rb +12 -0
  248. data/db/migrate/20191204215302_create_active_stix_files.rb +23 -0
  249. data/db/migrate/20191204215419_create_active_stix_identities.rb +13 -0
  250. data/db/migrate/20191204215542_create_active_stix_indicator_labels.rb +10 -0
  251. data/db/migrate/20191204215637_create_active_stix_indicators.rb +16 -0
  252. data/db/migrate/20191204215849_create_active_stix_intrusion_sets.rb +15 -0
  253. data/db/migrate/20191204215929_create_active_stix_kill_chain_phases.rb +10 -0
  254. data/db/migrate/20191204215951_create_active_stix_kill_chains.rb +9 -0
  255. data/db/migrate/20191204220149_create_active_stix_malwares.rb +12 -0
  256. data/db/migrate/20191204220539_create_active_stix_marking_definitions.rb +12 -0
  257. data/db/migrate/20191204220853_create_active_stix_observed_data.rb +12 -0
  258. data/db/migrate/20191204220917_create_active_stix_open_vocabularies.rb +9 -0
  259. data/db/migrate/20191204220952_create_active_stix_phases.rb +11 -0
  260. data/db/migrate/20191204221129_create_active_stix_recipients.rb +10 -0
  261. data/db/migrate/20191204221227_create_active_stix_relationships.rb +16 -0
  262. data/db/migrate/20191204221323_create_active_stix_report_objects.rb +11 -0
  263. data/db/migrate/20191204221359_create_active_stix_reports.rb +14 -0
  264. data/db/migrate/20191204221425_create_active_stix_threat_actors.rb +11 -0
  265. data/db/migrate/20191204221454_create_active_stix_tools.rb +12 -0
  266. data/db/migrate/20191204221639_create_active_stix_urls.rb +9 -0
  267. data/db/migrate/20191204221849_create_active_stix_users.rb +22 -0
  268. data/db/migrate/20191205182234_create_active_stix_bcc_refs.rb +10 -0
  269. data/db/migrate/20191205182255_create_active_stix_cc_refs.rb +10 -0
  270. data/db/migrate/20191205182316_create_active_stix_to_refs.rb +10 -0
  271. data/db/migrate/20191212203611_add_spec_version_to_bundles.rb +5 -0
  272. data/db/migrate/20191212215136_create_active_stix_attack_patterns.rb +12 -0
  273. data/db/migrate/20191212220222_create_active_stix_reference_items.rb +11 -0
  274. data/db/migrate/20191213135204_create_active_stix_labels.rb +10 -0
  275. data/db/migrate/20191213140951_create_active_stix_markups.rb +11 -0
  276. data/db/migrate/20191221210537_fix_observed_data.rb +6 -0
  277. data/db/migrate/20191221223602_create_active_stix_artifacts.rb +16 -0
  278. data/db/migrate/20191223075550_change_artifact_ref_to_string.rb +5 -0
  279. data/db/migrate/20191223154000_add_stix_id_to_email_messages.rb +5 -0
  280. data/db/migrate/20200114162245_add_labels_to_active_stix_identities.rb +5 -0
  281. data/db/migrate/20200404223006_add_aliases_to_tools.rb +5 -0
  282. data/db/migrate/20200404223047_add_aliases_to_attack_patterns.rb +5 -0
  283. data/db/migrate/20200404223158_add_aliases_to_malwares.rb +5 -0
  284. data/db/migrate/20200404223210_add_aliases_to_threat_actors.rb +5 -0
  285. data/lib/active_stix.rb +8 -0
  286. data/lib/active_stix/engine.rb +13 -0
  287. data/lib/active_stix/version.rb +3 -0
  288. data/lib/tasks/active_stix_tasks.rake +4 -0
  289. metadata +358 -0
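--- a/data/app/models/active_stix/marking_definition.rb
+++ b/data/app/models/active_stix/marking_definition.rb
@@ -0,0 +1,21 @@
+ # todo
+ class ActiveStix::MarkingDefinition < ApplicationRecord
+
+ def self.ingest_json(obj)
+ marking_def = find_or_create_by(stix_id:obj['id'])
+ marking_def
+ end
+
+ def self.create_by_id(id, parent_obj_id = nil)
+ if parent_obj_id == nil
+ mark_def = find_or_create_by(stix_id:id)
+ else
+ mark_def = find_or_create_by(stix_id:id, relationship_ref: parent_obj_id)
+ end
+ mark_def
+ end
+
+ def convert_to_json
+ stix_id
+ end
+ end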
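Review bot: `ingest_json` on line 5 persists only `obj['id']`, so whatever the marking definition actually says (its `definition_type`/`definition`, for example a TLP level) is never stored and `convert_to_json` on line 19 can only hand the id back; if the table has columns for those fields they should be set here, and if it does not, the `# todo` on line 1 should say that the definition body is intentionally dropped so nobody relies on it downstream. Minor style: `if parent_obj_id == nil` on line 10 reads better as `if parent_obj_id.nil?`, and the `marking_def`/`mark_def` locals on lines 5-6 and 11-15 are redundant because `find_or_create_by` is already the method's last expression.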
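--- a/data/app/models/active_stix/markup.rb
+++ b/data/app/models/active_stix/markup.rb
@@ -0,0 +1,6 @@
+ module ActiveStix
+ class Markup < ApplicationRecord
+ belongs_to :label
+ belongs_to :labelable, polymorphic: true
+ end
+ end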
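--- a/data/app/models/active_stix/object_marking.rb
+++ b/data/app/models/active_stix/object_marking.rb
@@ -0,0 +1,11 @@
+ class ActiveStix::ObjectMarking < ApplicationRecord
+ # belongs_to :relationship, :class_name => 'ActiveStix::Relationship', foreign_key: :active_stix_relationship_id, primary_key: :active_stix_id
+ # belongs_to :marking_definition, :class_name => 'ActiveStix::MarkingDefinition', foreign_key: :active_stix_marking_defintion_id, primary_key: :active_stix_id
+ # todo
+
+ def self.string_ingest(marking_id, relationship_id)
+ marking_definition = ActiveStix::MarkingDefinition.find_or_create_by(stix_id: marking_id)
+ relationship = ActiveStix::Relationship.find_or_create_by(stix_id: relationship_id)
+ find_or_create_by(marking_definition:marking_definition, relationship:relationship)
+ end
+ end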
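Review bot: `find_or_create_by(marking_definition:marking_definition, relationship:relationship)` on line 9 is keyed by association name, but both `belongs_to` declarations on lines 2-3 are commented out, so unless the table literally has `marking_definition`/`relationship` columns ActiveRecord will reject these as unknown attributes and `string_ingest` cannot succeed. Either restore the two associations (the commented foreign key on line 3, `active_stix_marking_defintion_id`, also carries a typo that would bite once uncommented) or key the lookup on the id columns directly. Note too that `ActiveStix::Relationship.find_or_create_by(stix_id: relationship_id)` on line 8 creates a bare relationship row with no source, target or type when the id is unknown, which looks unintended for a marking lookup; `find_by` plus an explicit failure would be safer.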
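--- a/data/app/models/active_stix/observed_datum.rb
+++ b/data/app/models/active_stix/observed_datum.rb
@@ -0,0 +1,67 @@
+ module ActiveStix
+ class ObservedDatum < ApplicationRecord
+ has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
+ has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
+ has_many :cyber_observables, :class_name => 'ActiveStix::CyberObservable', foreign_key: 'observed_datum_ref', primary_key: 'stix_id'
+
+ before_create do
+ self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+ end
+
+ def type
+ 'observed-data'
+ end
+
+ def mail_server
+ cyber_observables.first.mail_server
+ end
+
+ def self.wrap_object(object)
+ if object.observed_data.count > 0
+ update_observed_data(object)
+ else
+ create_new_observed_data(object)
+ end
+ end
+
+ def self.update_observed_data(object)
+ object.observed_data.each do |od|
+ od.update_attribute('last_observed', DateTime.now)
+ end
+ end
+
+ def number_observed
+ self.cyber_observables.count
+ end
+
+ def self.create_new_observed_data(object)
+ current_time = DateTime.now
+ od = ActiveStix::ObservedDatum.create(
+ first_observed: current_time,
+ last_observed: current_time
+ )
+ ActiveStix::CyberObservable.create(observed_datum: od, cyber_observable_object: object)
+ end
+
+
+ def as_stix
+ as_json(only: []).tap do |hash|
+ hash["id"] = stix_id
+ hash["type"] = type
+ hash["created"] = created_at.rfc3339(3)
+ hash["modified"] = updated_at.rfc3339(3)
+ object_dict = {}
+ cyber_observables.each_with_index {|co, i|
+ object_dict[i.to_s] = co.cyber_observable_object.as_stix
+ }
+
+ hash["first_observed"] = cyber_observables.order("created_at ASC").limit(1).first.created_at.rfc3339(3)
+ hash["last_observed"] = cyber_observables.order("created_at DESC").limit(1).last.created_at.rfc3339(3)
+ hash["number_observed"] = cyber_observables.count
+
+ hash["objects"] = object_dict
+ hash["spec_version"] = "2.0"
+ end
+ end
+ end
+ end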
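Review bot: `as_stix` on lines 58-59 derives `first_observed`/`last_observed` from the cyber observables' `created_at`, ignoring the `first_observed`/`last_observed` columns that `create_new_observed_data` sets on lines 40-41 and `update_observed_data` bumps on line 29, so the `update_attribute('last_observed', DateTime.now)` never reaches the emitted STIX; `hash["first_observed"] = first_observed.rfc3339(3)` and `hash["last_observed"] = last_observed.rfc3339(3)` would make the output follow the stored state. Line 58 also raises `NoMethodError` on nil for a datum with no observables (`.first` returns nil), as does `mail_server` on line 16. Style: `DateTime.now` on lines 29 and 38 could be `Time.current` for zone consistency with `created_at`, and `update_attribute` bypasses validations, so `update(last_observed: ...)` is the safer form unless skipping them is deliberate.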
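--- a/data/app/models/active_stix/open_vocabulary.rb
+++ b/data/app/models/active_stix/open_vocabulary.rb
@@ -0,0 +1,8 @@
+ class ActiveStix::OpenVocabulary < ApplicationRecord
+ #belongs_to :labels, class_name: "ActiveStix::Label", foreign_key: :active_stix_open_vocabulary_id
+ has_many :labels
+
+ def convert_to_json
+ name
+ end
+ end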
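--- a/data/app/models/active_stix/phase.rb
+++ b/data/app/models/active_stix/phase.rb
@@ -0,0 +1,41 @@
+ class ActiveStix::Phase < ApplicationRecord
+ belongs_to :kill_chain
+ has_many :kill_chain_phases
+ has_many :attack_patterns, class_name: 'ActiveStix::AttackPattern', through: :kill_chain_phases, foreign_key: 'attack_pattern_ref', primary_key: 'stix_id'
+
+ @@rank_map = {
+ 'initial-access' => 0,
+ 'execution' => 1,
+ 'persistence' => 2,
+ 'privilege-escalation' => 3,
+ 'defense-evasion' => 4,
+ 'credential-access' => 5,
+ 'discovery' => 6,
+ 'lateral-movement' => 7,
+ 'collection' => 8,
+ 'command-and-control' => 9,
+ 'exfiltration' => 10,
+ 'impact' => 11
+ }
+
+ def self.ingest_json(obj)
+ kill_chain = ActiveStix::KillChain.find_or_create_by(name: obj['kill_chain_name'])
+ phase = kill_chain.phases.find_or_create_by(name: obj['phase_name'], rank:@@rank_map[obj['phase_name']])
+ phase
+ end
+
+ def as_stix
+ as_json(only: []).tap do |hash|
+ hash["phase_name"] = name
+ hash["kill_chain_name"] = kill_chain.name
+ end
+ end
+
+ def convert_to_json
+ {
+ :kill_chain_name => kill_chain.convert_to_json,
+ :phase_name => name
+ }
+ end
+
+ end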
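Review bot: `@@rank_map` on lines 6-19 is a mutable class variable holding a fixed lookup table; a frozen constant, `RANK_MAP = { ... }.freeze`, is the idiomatic form and avoids the class-variable sharing pitfalls. In `ingest_json`, passing `rank:` inside `find_or_create_by` on line 23 makes the rank part of the lookup key, so any later change to the table (or a phase whose name the table does not know, which yields `rank: nil`) produces a second row for the same kill chain and name instead of reusing the existing one; `kill_chain.phases.find_or_create_by(name: obj['phase_name'])` followed by setting the rank is the safer shape. The trailing `phase` on line 24 is redundant since the assignment is already the last expression.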
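--- a/data/app/models/active_stix/recipient.rb
+++ b/data/app/models/active_stix/recipient.rb
@@ -0,0 +1,4 @@
+ class ActiveStix::Recipient < ActiveRecord::Base
+ belongs_to :email_address
+ belongs_to :email_message
+ end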
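Review bot: `ActiveStix::Recipient` inherits from `ActiveRecord::Base` on line 1 while every other model in this release inherits from `ApplicationRecord`, so anything configured on `ApplicationRecord` (this release adds one at `data/app/models/active_stix/application_record.rb`) silently skips this model; `class ActiveStix::Recipient < ApplicationRecord` keeps it consistent.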
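--- a/data/app/models/active_stix/reference_item.rb
+++ b/data/app/models/active_stix/reference_item.rb
@@ -0,0 +1,4 @@
+ class ActiveStix::ReferenceItem < ApplicationRecord
+ belongs_to :external_reference, :class_name => 'ActiveStix::ExternalReference', foreign_key: 'external_reference_id'
+ belongs_to :referrer, polymorphic: true
+ end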
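--- a/data/app/models/active_stix/relationship.rb
+++ b/data/app/models/active_stix/relationship.rb
@@ -0,0 +1,95 @@
+ class ActiveStix::Relationship < ApplicationRecord
+ belongs_to :source, :polymorphic => true, foreign_key: 'source_ref', primary_key: 'stix_id'
+ belongs_to :target, :polymorphic => true, foreign_key: 'target_ref', primary_key: 'stix_id'
+ #has_many :marking_definitions, :class_name => 'ActiveStix::MarkingDefinition', foreign_key: 'relationship_ref', primary_key: 'stix_id'
+ #has_many :object_markings, :class_name => 'ActiveStix::ObjectMarking', foreign_key: 'stix_relationship_id', primary_key: 'stix_id'
+
+ has_many :reference_object_marking_relationships, class_name: 'ActiveStix::ReferenceObjectMarkingRelationship', foreign_key: 'stix_relationship_id'
+ has_many :marking_definitions, class_name: 'ActiveStix::MarkingDefinition', through: :reference_object_marking_relationships
+
+
+ before_create do
+ self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+ end
+
+ @@stix_map = {
+ 'bundle' => ActiveStix::Bundle,
+ 'attack-pattern' => ActiveStix::AttackPattern,
+ 'relationship' => ActiveStix::Relationship,
+ 'course-of-action' => ActiveStix::CourseOfAction,
+ 'identity' => ActiveStix::Identity,
+ 'intrusion-set' => ActiveStix::IntrusionSet,
+ 'malware' => ActiveStix::Malware,
+ 'tool' => ActiveStix::Tool,
+ 'marking-definition' => ActiveStix::MarkingDefinition,
+ 'report' => ActiveStix::Report,
+ 'campaign' => ActiveStix::Campaign,
+ 'indicator' => ActiveStix::Indicator
+ }
+
+ def self.ingest_json(obj)
+ #puts "Loc B: #{obj['id'].to_s}"
+ #puts "source: #{obj['source_ref']}"
+ #puts "target: #{obj['target_ref']}"
+ #pause = gets
+
+ src_type = obj['source_ref'].split('--')[0]
+ tgt_type = obj['target_ref'].split('--')[0]
+
+ src = @@stix_map[src_type].where("stix_id = ?", obj['source_ref']).first
+ tgt = @@stix_map[tgt_type].where("stix_id = ?", obj['target_ref']).first
+
+
+ relationship = find_or_create_by!(stix_id: obj['id'], source: src, target: tgt, relationship_type: obj['relationship_type'], source_type: @@stix_map[src_type].to_s, target_type: @@stix_map[tgt_type].to_s)
+
+ if obj.has_key?('description')
+ relationship.description = obj['description']
+ end
+
+ if obj.has_key?('object_marking_refs')
+ obj['object_marking_refs'].each do |mr|
+ # marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+ # relationship.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingRelationship.find_by(stix_marking_definition_id: marking_definition.id, stix_relationship_id: relationship.id)
+ # todo
+ end
+ end
+
+ relationship.save
+ relationship
+ end
+
+ def self.relate(source, target, relationship_type)
+ find_or_create_by!(source: source, target: target, relationship_type: relationship_type)
+ end
+
+ def type
+ 'relationship'
+ end
+
+ def convert_to_json
+ {
+ :type => "relationship",
+ :id => stix_id,
+ :created => created_at.to_s,
+ :modified => updated_at.to_s,
+ :relationship_type => relationship_type,
+ :source_ref => source_ref.to_s,
+ :target_ref => target_ref.to_s,
+ :description => description
+ }
+ end
+
+ def as_stix
+
+ as_json(only: [:relationship_type]).tap do |hash|
+ hash["id"] = stix_id
+ hash["description"] = description if description
+ hash["type"] = type
+ hash["created"] = created_at.utc.iso8601(3)
+ hash["modified"] = created_at.utc.iso8601(3)
+ hash["source_ref"] = source.stix_id
+ hash["target_ref"] = target.stix_id
+ hash["spec_version"] = "2.0"
+ end
+ end
+ end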
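Review bot: `as_stix` sets `hash["modified"] = created_at.utc.iso8601(3)` on line 89, so the modified timestamp never moves after creation; it should be `hash["modified"] = updated_at.utc.iso8601(3)`, as `convert_to_json` on line 74 already does. Separately, `ingest_json` indexes `@@stix_map` with the type prefix of an externally supplied id on lines 36-40, and the map has no entry for `threat-actor` or `observed-data` even though both models ship in this release, so a bundle containing such a relationship fails with `NoMethodError` on nil instead of a clear "unsupported type" error; a guard such as `raise ArgumentError, "unsupported STIX type #{src_type}" unless @@stix_map.key?(src_type)` (and the same for `tgt_type`) would make the failure explicit, and the `.first` lookups can still return nil for an unknown id, which `find_or_create_by!` on line 43 then turns into a validation error. The same `@@stix_map` table is duplicated verbatim in `ActiveStix::Report` in this release; one frozen constant shared by both would stop the two copies drifting apart. The commented-out `object_marking_refs` loop on lines 49-55 silently discards the markings on ingest, which is worth a visible comment if that is intended.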
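--- a/data/app/models/active_stix/report.rb
+++ b/data/app/models/active_stix/report.rb
@@ -0,0 +1,93 @@
+
+ class ActiveStix::Report < ApplicationRecord
+
+ has_many :report_objects, primary_key: 'stix_id', foreign_key: 'report_ref'
+
+ has_many :markups, as: :labelable
+ has_many :labels, through: :markups
+
+ before_create do
+ self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+ end
+
+
+ @@stix_map = {
+ 'bundle' => ActiveStix::Bundle,
+ 'attack-pattern' => ActiveStix::AttackPattern,
+ 'relationship' => ActiveStix::Relationship,
+ 'course-of-action' => ActiveStix::CourseOfAction,
+ 'identity' => ActiveStix::Identity,
+ 'intrusion-set' => ActiveStix::IntrusionSet,
+ 'malware' => ActiveStix::Malware,
+ 'tool' => ActiveStix::Tool,
+ 'marking-definition' => ActiveStix::MarkingDefinition,
+ 'report' => ActiveStix::Report,
+ 'campaign' => ActiveStix::Campaign,
+ 'indicator' => ActiveStix::Indicator
+ }
+
+ def type
+ 'report'
+ end
+
+ def self.ingest_json(obj)
+ report = find_or_create_by(stix_id:obj['id'], name:obj['name'], description:obj['description'], published:obj['published'])
+ if obj.has_key?('labels')
+ obj['labels'].each do | lab |
+ label = ActiveStix::Label.ingest_label('report-labels', lab)
+ report.labels << label unless ActiveStix::Markup.find_by(labelable: report, label: label)
+ end
+ end
+ report.save
+ report
+ end
+
+
+ def self.add_obj_refs(report_json)
+ report = find_by(stix_id: report_json['id'], name: report_json['name'])
+ if report_json.has_key?('object_refs')
+ report_json['object_refs'].each do |obj_refs|
+ report.add(obj_refs)
+ end
+ end
+ report.save
+ end
+
+
+ def add(stix_object)
+ unless includes?(stix_object)
+ #report_object = Bundle.find_or_create_object(stix_object) # todo using object prefix and stix map
+ #report_objects << report_object
+ #report_objects.create(stix_object_ref: stix_object, stix_object_type: obj_type)
+ obj_type_str = stix_object.split('--')[0]
+ #obj_type = @@stix_map[obj_type_str]
+ obj = @@stix_map[obj_type_str].where("stix_id = ?", stix_object).first
+ report_objects.create(stix_object: obj) unless report_objects.find_by(report_ref: stix_id, object_ref: obj)
+ end
+ end
+
+ #used by phishing report
+ def add_stix_object(stix_object)
+ unless includes?(stix_object)
+ report_objects.create(stix_object: stix_object)
+ end
+ end
+
+ def includes?(stix_object)
+ report_objects.where(object_ref: stix_object).any?
+ end
+
+ def as_stix(classification = nil, chess = nil)
+ as_json(only:[:name, :description]).tap do |hash|
+ hash["id"] = stix_id
+ hash["type"] = type
+ hash["description"] = description
+ hash["created"] = created_at.rfc3339(3)
+ hash["modified"] = updated_at.rfc3339(3)
+ hash["published"] = (published || updated_at).rfc3339(3)
+ hash["object_refs"] = report_objects.collect{|ro| ro.stix_object.stix_id}
+ hash["labels"] = labels.collect{|label| label.name}
+ end
+ end
+
+ end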
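Review bot: `ingest_json` on line 34 matches on `stix_id`, `name`, `description` and `published` together, so re-ingesting a report whose description or publish date changed creates a second row with the same `stix_id` instead of updating the first; `find_or_create_by(stix_id: obj['id'])` followed by assigning the other three attributes before the `save` on line 41 keeps one row per id. `add_obj_refs` on line 47 has the same shape (`find_by` on id and name) and returns nil on a name mismatch, so line 50 then raises `NoMethodError`. In `add`, line 65 passes the loaded record as `object_ref` to `find_by` while `includes?` on line 77 compares `object_ref` with the raw id string, and since `add` is already guarded by `includes?` on line 58 the inner `unless` is both redundant and inconsistent; line 64 also shares the nil-on-unknown-type behaviour of the `@@stix_map` lookup noted on `ActiveStix::Relationship`, and `report_objects.create(stix_object: nil)` is what follows when the referenced object is missing. The unused `classification`/`chess` parameters of `as_stix` on line 80 deserve a comment or removal.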
@@ -0,0 +1,9 @@
1
+ class ActiveStix::ReportObject < ApplicationRecord
2
+ belongs_to :report, foreign_key: "report_ref", primary_key: "stix_id"
3
+ belongs_to :stix_object, polymorphic: true, foreign_key: "object_ref", foreign_type: :object_type, primary_key: "stix_id"
4
+
5
+ def convert_to_json
6
+ object_ref
7
+ end
8
+
9
+ end
@@ -0,0 +1,139 @@
1
+ class ActiveStix::ThreatActor < ApplicationRecord
2
+ has_many :identity, foreign_key: 'name'
3
+ has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
4
+ has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
5
+
6
+ before_create do
7
+ self.stix_id = "#{type}--#{SecureRandom.uuid}" if stix_id.blank?
8
+ end
9
+
10
+
11
+ def type
12
+ 'threat-actor'
13
+ end
14
+
15
+ def intrusion_set!
16
+ unless ActiveStix::Relationship.where(target: self, source_type: 'ActiveStix::IntrusionSet', relationship_type: "attributed-to").any?
17
+ intrusion_set = ActiveStix::IntrusionSet.create(name: name)
18
+ ActiveStix::Relationship.create(source: intrusion_set, target: self, relationship_type: "attributed-to")
19
+ end
20
+
21
+ end
22
+
23
+ def intrusion_sets
24
+ intrusion_sets = []
25
+ ActiveStix::Relationship.where(target: self, relationship_type: "attributed-to", source_type: "ActiveStix::IntrusionSet").each do |rel|
26
+ intrusion_sets << rel.source
27
+ end
28
+ intrusion_sets
29
+ end
30
+
31
+ def self.find_or_create_attribution(organization)
32
+ threat_actor = organization.threat_groups.first
33
+ if threat_actor.nil?
34
+ threat_actor = ActiveStix::ThreatActor.create(name: organization.name)
35
+ end
36
+
37
+ threat_actor.attribute_to(organization)
38
+ end
39
+
40
+ def flags=(f)
41
+ @flags = f
42
+ end
43
+
44
+ def classifications
45
+ batch = []
46
+ source_relationships
47
+ .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to").collect do |rel|
48
+ next unless rel.target
49
+ rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
50
+ employee_rel.target.email_messages.includes(:classifications).each do |em|
51
+ em.eml.classifications.each do |c|
52
+ batch << c if c.motive
53
+ end
54
+ end
55
+ end
56
+ end
57
+ source_relationships
58
+ .where(target_type: "ActiveStix::Identity", relationship_type: "impersonates").collect do |rel|
59
+ next unless rel.target
60
+ rel.target.email_messages.includes(:classifications).each do |em|
61
+ em.eml.classifications.each do |c|
62
+ batch << c if c.motive
63
+ end
64
+ end
65
+ end
66
+ batch.flatten
67
+ end
68
+
69
+
70
+ def first_seen_date
71
+ first_email_message = nil
72
+ source_relationships
73
+ .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to").collect do |rel|
74
+ next unless rel.target
75
+ rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
76
+ first_employee_email = employee_rel.target.email_messages.order("date ASC").limit(1).first
77
+ if first_employee_email
78
+ first_email_message = first_employee_email if first_email_message.nil? or first_employee_email.date < first_email_message.date
79
+ end
80
+ end
81
+ end
82
+ first_email_message ? first_email_message.date : 6.months.ago # todo these are hacky workarounds
83
+ end
84
+
85
+ def last_seen_date
86
+ last_email_message = nil
87
+ source_relationships
88
+ .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to").collect do |rel|
89
+ next unless rel.target
90
+ rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
91
+ last_employee_email = employee_rel.target.email_messages.order("date DESC").limit(1).first
92
+ if last_employee_email
93
+ last_email_message = last_employee_email if last_email_message.nil? or last_employee_email.date > last_email_message.date
94
+ end
95
+ end
96
+ end
97
+ last_email_message ? last_email_message.date : 2.months.ago # todo these are hacky workarounds
98
+ end
99
+
100
+ def campaigns
101
+ c = []
102
+ ActiveStix::Relationship.where(target: self, relationship_type: "attributed-to", source_type: "ActiveStix::Campaign").each do |rel|
103
+ c << rel.source
104
+ end
105
+ c
106
+ end
107
+
108
+ def mail_server
109
+ ActiveStix::Relationship.where("relationship_type like 'related-to' and source_type like 'ActiveStix::ThreatActor' and target_type like 'ActiveStix::ObservedDatum'").first.target.cyber_observables.first.cyber_observable_object.mail_server
110
+ end
111
+
112
+ def as_stix
113
+
114
+ as_json(only: [:name]).tap do |hash|
115
+ hash["type"] = type
116
+ hash["created"] = created_at.utc.iso8601(3)
117
+ hash["modified"] = updated_at.utc.iso8601(3)
118
+ hash["id"] = stix_id
119
+ hash["labels"] = ['competitor']
120
+ hash["x_ased_dialogue_flags"] = [
121
+ {
122
+ "x_ased_date_discovered": "2019-10-03T12:02:26.216Z",
123
+ "x_ased_message_id": "a9b91592-73c7-463c-89a1-e57136406728",
124
+ "x_ased_browser": {
125
+ "value": "chrome",
126
+ "version": "11.2.1"
127
+ }
128
+ }
129
+ ] # todo move this
130
+ hash["spec_version"] = "2.0"
131
+ end
132
+
133
+ end
134
+
135
+ def attribute_to(identity)
136
+ ActiveStix::Relationship.relate(self, identity, "attributed-to")
137
+ end
138
+
139
+ end
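Review bot: `mail_server` queries `ActiveStix::Relationship` by type strings only, never by `source: self`, so it returns the first `related-to` relationship of any threat actor in the table rather than this one, and the `.first.target.cyber_observables.first...` chain raises `NoMethodError` as soon as any link is missing. A scoped lookup with safe navigation keeps the result per-actor and nil-safe: `rel = ActiveStix::Relationship.find_by(source: self, relationship_type: 'related-to', target_type: 'ActiveStix::ObservedDatum')` followed by `rel&.target&.cyber_observables&.first&.cyber_observable_object&.mail_server`. Separately, `as_stix` emits a hard-coded `x_ased_dialogue_flags` entry with a fixed date and message id in every export (the `# todo move this` marks it); that constant should be dropped or sourced from the `@flags` set by `flags=` before this goes out as STIX. Minor: `intrusion_sets` and `campaigns` are manual accumulations that read better as `ActiveStix::Relationship.where(...).map(&:source)`.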