active_stix 0.1.21

data/app/models/active_stix/marking_definition.rb

@@ -0,0 +1,21 @@
+# todo
+class ActiveStix::MarkingDefinition < ApplicationRecord
+
+  def self.ingest_json(obj)
+    marking_def = find_or_create_by(stix_id:obj['id'])
+    marking_def
+  end
+
+  def self.create_by_id(id, parent_obj_id = nil)
+    if parent_obj_id == nil
+      mark_def = find_or_create_by(stix_id:id)
+    else
+      mark_def = find_or_create_by(stix_id:id, relationship_ref: parent_obj_id)
+    end
+    mark_def
+  end
+
+  def convert_to_json
+    stix_id
+  end
+end

data/app/models/active_stix/markup.rb

@@ -0,0 +1,6 @@
+module ActiveStix
+  class Markup < ApplicationRecord
+    belongs_to :label
+    belongs_to :labelable, polymorphic: true
+  end
+end

data/app/models/active_stix/object_marking.rb

@@ -0,0 +1,11 @@
+class ActiveStix::ObjectMarking < ApplicationRecord
+  # belongs_to :relationship, :class_name => 'ActiveStix::Relationship', foreign_key: :active_stix_relationship_id, primary_key: :active_stix_id
+  # belongs_to :marking_definition, :class_name => 'ActiveStix::MarkingDefinition', foreign_key: :active_stix_marking_defintion_id, primary_key: :active_stix_id
+  # todo
+
+  def self.string_ingest(marking_id, relationship_id)
+    marking_definition = ActiveStix::MarkingDefinition.find_or_create_by(stix_id: marking_id)
+    relationship = ActiveStix::Relationship.find_or_create_by(stix_id: relationship_id)
+    find_or_create_by(marking_definition:marking_definition, relationship:relationship)
+  end
+end

data/app/models/active_stix/observed_datum.rb

@@ -0,0 +1,67 @@
+module ActiveStix
+  class ObservedDatum < ApplicationRecord
+    has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
+    has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
+    has_many :cyber_observables, :class_name => 'ActiveStix::CyberObservable', foreign_key: 'observed_datum_ref', primary_key: 'stix_id'
+
+    before_create do
+      self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+    end
+
+    def type
+      'observed-data'
+    end
+
+    def mail_server
+      cyber_observables.first.mail_server
+    end
+
+    def self.wrap_object(object)
+      if object.observed_data.count > 0
+        update_observed_data(object)
+      else
+        create_new_observed_data(object)
+      end
+    end
+
+    def self.update_observed_data(object)
+      object.observed_data.each do |od|
+        od.update_attribute('last_observed', DateTime.now)
+      end
+    end
+
+    def number_observed
+      self.cyber_observables.count
+    end
+
+    def self.create_new_observed_data(object)
+      current_time = DateTime.now
+      od = ActiveStix::ObservedDatum.create(
+          first_observed: current_time,
+          last_observed: current_time
+      )
+      ActiveStix::CyberObservable.create(observed_datum: od, cyber_observable_object: object)
+    end
+
+
+    def as_stix
+      as_json(only: []).tap do |hash|
+        hash["id"] = stix_id
+        hash["type"] = type
+        hash["created"] = created_at.rfc3339(3)
+        hash["modified"] = updated_at.rfc3339(3)
+        object_dict = {}
+        cyber_observables.each_with_index {|co, i|
+          object_dict[i.to_s] = co.cyber_observable_object.as_stix
+        }
+
+        hash["first_observed"] = cyber_observables.order("created_at ASC").limit(1).first.created_at.rfc3339(3)
+        hash["last_observed"] = cyber_observables.order("created_at DESC").limit(1).last.created_at.rfc3339(3)
+        hash["number_observed"] = cyber_observables.count
+
+        hash["objects"] = object_dict
+        hash["spec_version"] = "2.0"
+      end
+    end
+  end
+end

data/app/models/active_stix/open_vocabulary.rb

@@ -0,0 +1,8 @@
+class ActiveStix::OpenVocabulary < ApplicationRecord
+  #belongs_to :labels, class_name: "ActiveStix::Label", foreign_key: :active_stix_open_vocabulary_id
+  has_many :labels
+
+  def convert_to_json
+    name
+  end
+end

data/app/models/active_stix/phase.rb

@@ -0,0 +1,41 @@
+class ActiveStix::Phase < ApplicationRecord
+  belongs_to :kill_chain
+  has_many :kill_chain_phases
+  has_many :attack_patterns, class_name: 'ActiveStix::AttackPattern', through: :kill_chain_phases, foreign_key: 'attack_pattern_ref', primary_key: 'stix_id'
+
+  @@rank_map = {
+      'initial-access' => 0,
+      'execution' => 1,
+      'persistence' => 2,
+      'privilege-escalation' => 3,
+      'defense-evasion' => 4,
+      'credential-access' => 5,
+      'discovery' => 6,
+      'lateral-movement' => 7,
+      'collection' => 8,
+      'command-and-control' => 9,
+      'exfiltration' => 10,
+      'impact' => 11
+  }
+
+  def self.ingest_json(obj)
+    kill_chain = ActiveStix::KillChain.find_or_create_by(name: obj['kill_chain_name'])
+    phase = kill_chain.phases.find_or_create_by(name: obj['phase_name'], rank:@@rank_map[obj['phase_name']])
+    phase
+  end
+
+  def as_stix
+    as_json(only: []).tap do |hash|
+      hash["phase_name"] = name
+      hash["kill_chain_name"] = kill_chain.name
+    end
+  end
+
+  def convert_to_json
+    {
+        :kill_chain_name => kill_chain.convert_to_json,
+        :phase_name => name
+    }
+  end
+
+end

data/app/models/active_stix/recipient.rb

@@ -0,0 +1,4 @@
+class ActiveStix::Recipient < ActiveRecord::Base
+  belongs_to :email_address
+  belongs_to :email_message
+end

data/app/models/active_stix/reference_item.rb

@@ -0,0 +1,4 @@
+class ActiveStix::ReferenceItem < ApplicationRecord
+  belongs_to :external_reference, :class_name => 'ActiveStix::ExternalReference', foreign_key: 'external_reference_id'
+  belongs_to :referrer, polymorphic: true
+end

data/app/models/active_stix/relationship.rb

@@ -0,0 +1,95 @@
+class ActiveStix::Relationship < ApplicationRecord
+  belongs_to :source, :polymorphic => true, foreign_key: 'source_ref', primary_key: 'stix_id'
+  belongs_to :target, :polymorphic => true, foreign_key: 'target_ref', primary_key: 'stix_id'
+  #has_many :marking_definitions, :class_name => 'ActiveStix::MarkingDefinition', foreign_key: 'relationship_ref', primary_key: 'stix_id'
+  #has_many :object_markings, :class_name => 'ActiveStix::ObjectMarking', foreign_key: 'stix_relationship_id', primary_key: 'stix_id'
+
+  has_many :reference_object_marking_relationships, class_name: 'ActiveStix::ReferenceObjectMarkingRelationship', foreign_key: 'stix_relationship_id'
+  has_many :marking_definitions, class_name: 'ActiveStix::MarkingDefinition', through: :reference_object_marking_relationships
+
+
+  before_create do
+    self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+  end
+
+  @@stix_map = {
+      'bundle' => ActiveStix::Bundle,
+      'attack-pattern' => ActiveStix::AttackPattern,
+      'relationship' => ActiveStix::Relationship,
+      'course-of-action' => ActiveStix::CourseOfAction,
+      'identity' => ActiveStix::Identity,
+      'intrusion-set' => ActiveStix::IntrusionSet,
+      'malware' => ActiveStix::Malware,
+      'tool' => ActiveStix::Tool,
+      'marking-definition' => ActiveStix::MarkingDefinition,
+      'report' => ActiveStix::Report,
+      'campaign' => ActiveStix::Campaign,
+      'indicator' => ActiveStix::Indicator
+  }
+
+  def self.ingest_json(obj)
+    #puts "Loc B: #{obj['id'].to_s}"
+    #puts "source: #{obj['source_ref']}"
+    #puts "target: #{obj['target_ref']}"
+    #pause = gets
+
+    src_type = obj['source_ref'].split('--')[0]
+    tgt_type = obj['target_ref'].split('--')[0]
+
+    src = @@stix_map[src_type].where("stix_id = ?", obj['source_ref']).first
+    tgt = @@stix_map[tgt_type].where("stix_id = ?", obj['target_ref']).first
+
+
+    relationship = find_or_create_by!(stix_id: obj['id'], source: src, target: tgt, relationship_type: obj['relationship_type'], source_type: @@stix_map[src_type].to_s, target_type: @@stix_map[tgt_type].to_s)
+
+    if obj.has_key?('description')
+      relationship.description = obj['description']
+    end
+
+    if obj.has_key?('object_marking_refs')
+      obj['object_marking_refs'].each do |mr|
+        # marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
+        # relationship.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingRelationship.find_by(stix_marking_definition_id: marking_definition.id, stix_relationship_id: relationship.id)
+        # todo
+      end
+    end
+
+    relationship.save
+    relationship
+  end
+
+  def self.relate(source, target, relationship_type)
+    find_or_create_by!(source: source, target: target, relationship_type: relationship_type)
+  end
+
+  def type
+    'relationship'
+  end
+
+  def convert_to_json
+    {
+        :type => "relationship",
+        :id => stix_id,
+        :created => created_at.to_s,
+        :modified => updated_at.to_s,
+        :relationship_type => relationship_type,
+        :source_ref => source_ref.to_s,
+        :target_ref => target_ref.to_s,
+        :description => description
+    }
+  end
+
+  def as_stix
+
+    as_json(only: [:relationship_type]).tap do |hash|
+      hash["id"] = stix_id
+      hash["description"] = description if description
+      hash["type"] = type
+      hash["created"] = created_at.utc.iso8601(3)
+      hash["modified"] = created_at.utc.iso8601(3)
+      hash["source_ref"] = source.stix_id
+      hash["target_ref"] = target.stix_id
+      hash["spec_version"] = "2.0"
+    end
+  end
+end

data/app/models/active_stix/report.rb

@@ -0,0 +1,93 @@
+
+class ActiveStix::Report < ApplicationRecord
+
+  has_many :report_objects, primary_key: 'stix_id', foreign_key: 'report_ref'
+
+  has_many :markups, as: :labelable
+  has_many :labels, through: :markups
+
+  before_create do
+    self.stix_id = "#{self.type}--#{SecureRandom.uuid}" if stix_id.blank?
+  end
+
+
+  @@stix_map = {
+      'bundle' => ActiveStix::Bundle,
+      'attack-pattern' => ActiveStix::AttackPattern,
+      'relationship' => ActiveStix::Relationship,
+      'course-of-action' => ActiveStix::CourseOfAction,
+      'identity' => ActiveStix::Identity,
+      'intrusion-set' => ActiveStix::IntrusionSet,
+      'malware' => ActiveStix::Malware,
+      'tool' => ActiveStix::Tool,
+      'marking-definition' => ActiveStix::MarkingDefinition,
+      'report' => ActiveStix::Report,
+      'campaign' => ActiveStix::Campaign,
+      'indicator' => ActiveStix::Indicator
+  }
+
+  def type
+    'report'
+  end
+
+  def self.ingest_json(obj)
+    report = find_or_create_by(stix_id:obj['id'], name:obj['name'], description:obj['description'], published:obj['published'])
+    if obj.has_key?('labels')
+      obj['labels'].each do | lab |
+        label = ActiveStix::Label.ingest_label('report-labels', lab)
+        report.labels << label unless ActiveStix::Markup.find_by(labelable: report, label: label)
+      end
+    end
+    report.save
+    report
+  end
+
+
+  def self.add_obj_refs(report_json)
+    report = find_by(stix_id: report_json['id'], name: report_json['name'])
+    if report_json.has_key?('object_refs')
+      report_json['object_refs'].each do |obj_refs|
+        report.add(obj_refs)
+      end
+    end
+    report.save
+  end
+
+
+  def add(stix_object)
+    unless includes?(stix_object)
+      #report_object = Bundle.find_or_create_object(stix_object) # todo using object prefix and stix map
+      #report_objects << report_object
+      #report_objects.create(stix_object_ref: stix_object, stix_object_type: obj_type)
+      obj_type_str = stix_object.split('--')[0]
+      #obj_type = @@stix_map[obj_type_str]
+      obj = @@stix_map[obj_type_str].where("stix_id = ?", stix_object).first
+      report_objects.create(stix_object: obj) unless report_objects.find_by(report_ref: stix_id, object_ref: obj)
+    end
+  end
+
+  #used by phishing report
+  def add_stix_object(stix_object)
+    unless includes?(stix_object)
+      report_objects.create(stix_object: stix_object)
+    end
+  end
+
+  def includes?(stix_object)
+    report_objects.where(object_ref: stix_object).any?
+  end
+
+  def as_stix(classification = nil, chess = nil)
+    as_json(only:[:name, :description]).tap do |hash|
+      hash["id"] = stix_id
+      hash["type"] = type
+      hash["description"] = description 
+      hash["created"] = created_at.rfc3339(3)
+      hash["modified"] = updated_at.rfc3339(3)
+      hash["published"] = (published || updated_at).rfc3339(3)
+      hash["object_refs"] = report_objects.collect{|ro| ro.stix_object.stix_id}
+      hash["labels"] = labels.collect{|label| label.name}
+    end
+  end
+
+end

data/app/models/active_stix/report_object.rb

@@ -0,0 +1,9 @@
+class ActiveStix::ReportObject < ApplicationRecord
+  belongs_to :report, foreign_key: "report_ref", primary_key: "stix_id"
+  belongs_to :stix_object, polymorphic: true, foreign_key: "object_ref", foreign_type: :object_type, primary_key: "stix_id"
+
+  def convert_to_json
+    object_ref
+  end
+
+end

data/app/models/active_stix/threat_actor.rb

@@ -0,0 +1,139 @@
+class ActiveStix::ThreatActor < ApplicationRecord
+  has_many :identity, foreign_key: 'name'
+  has_many :source_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'source_ref' #relationships where this class is the source
+  has_many :target_relationships, class_name: 'ActiveStix::Relationship', primary_key: 'stix_id', foreign_key: 'target_ref' #relationships where this class is the target
+
+  before_create do
+    self.stix_id = "#{type}--#{SecureRandom.uuid}" if stix_id.blank?
+  end
+
+
+  def type
+    'threat-actor'
+  end
+
+  def intrusion_set!
+    unless ActiveStix::Relationship.where(target: self, source_type: 'ActiveStix::IntrusionSet', relationship_type: "attributed-to").any?
+      intrusion_set = ActiveStix::IntrusionSet.create(name: name)
+      ActiveStix::Relationship.create(source: intrusion_set, target: self, relationship_type: "attributed-to")
+    end
+
+  end
+
+  def intrusion_sets
+    intrusion_sets = []
+    ActiveStix::Relationship.where(target: self, relationship_type: "attributed-to", source_type: "ActiveStix::IntrusionSet").each do |rel|
+      intrusion_sets << rel.source
+    end
+    intrusion_sets
+  end
+
+  def self.find_or_create_attribution(organization)
+    threat_actor = organization.threat_groups.first
+    if threat_actor.nil?
+      threat_actor = ActiveStix::ThreatActor.create(name: organization.name)
+    end
+
+    threat_actor.attribute_to(organization)
+  end
+
+  def flags=(f)
+    @flags = f
+  end
+
+  def classifications
+    batch = []
+    source_relationships
+        .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to").collect do |rel|
+      next unless rel.target
+      rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
+        employee_rel.target.email_messages.includes(:classifications).each do |em|
+          em.eml.classifications.each do |c|
+            batch << c if c.motive
+          end
+        end
+      end
+    end
+    source_relationships
+        .where(target_type: "ActiveStix::Identity", relationship_type: "impersonates").collect do |rel|
+      next unless rel.target
+      rel.target.email_messages.includes(:classifications).each do |em|
+        em.eml.classifications.each do |c|
+          batch << c if c.motive
+        end
+      end
+    end
+    batch.flatten
+  end
+
+
+  def first_seen_date
+    first_email_message = nil
+    source_relationships
+        .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to").collect do |rel|
+      next unless rel.target
+      rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
+        first_employee_email = employee_rel.target.email_messages.order("date ASC").limit(1).first
+        if first_employee_email
+          first_email_message = first_employee_email if first_email_message.nil? or first_employee_email.date < first_email_message.date
+        end
+      end
+    end
+    first_email_message ? first_email_message.date : 6.months.ago # todo these are hacky workarounds
+  end
+
+  def last_seen_date
+    last_email_message = nil
+    source_relationships
+        .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to").collect do |rel|
+      next unless rel.target
+      rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
+        last_employee_email = employee_rel.target.email_messages.order("date DESC").limit(1).first
+        if last_employee_email
+          last_email_message = last_employee_email if last_email_message.nil? or last_employee_email.date > last_email_message.date
+        end
+      end
+    end
+    last_email_message ? last_email_message.date : 2.months.ago # todo these are hacky workarounds
+  end
+
+  def campaigns
+    c = []
+    ActiveStix::Relationship.where(target: self, relationship_type: "attributed-to", source_type: "ActiveStix::Campaign").each do |rel|
+      c << rel.source
+    end
+    c
+  end
+
+  def mail_server
+    ActiveStix::Relationship.where("relationship_type like 'related-to' and source_type like 'ActiveStix::ThreatActor' and target_type like 'ActiveStix::ObservedDatum'").first.target.cyber_observables.first.cyber_observable_object.mail_server
+  end
+
+  def as_stix
+
+    as_json(only: [:name]).tap do |hash|
+      hash["type"] = type
+      hash["created"] = created_at.utc.iso8601(3)
+      hash["modified"] = updated_at.utc.iso8601(3)
+      hash["id"] = stix_id
+      hash["labels"] = ['competitor']
+      hash["x_ased_dialogue_flags"] = [
+          {
+              "x_ased_date_discovered": "2019-10-03T12:02:26.216Z",
+              "x_ased_message_id": "a9b91592-73c7-463c-89a1-e57136406728",
+              "x_ased_browser": {
+                  "value": "chrome",
+                  "version": "11.2.1"
+              }
+          }
+      ] # todo move this
+      hash["spec_version"] = "2.0"
+    end
+
+  end
+
+  def attribute_to(identity)
+    ActiveStix::Relationship.relate(self, identity, "attributed-to")
+  end
+
+end