Skip to content

Enriched Indicator

psengine.stix2.enriched_indicator.EnrichedIndicator 

EnrichedIndicator(
    name: str,
    type_: str,
    evidence_details: list,
    link_hits: list = None,
    risk_mapping: list = None,
    ai_insights: dict = None,
    author: Identity = None,
    confidence: int = None,
    create_indicator: bool = True,
    create_obs: bool = True,
    tlp_marking: str = 'amber',
)

Bases: IndicatorEntity

Class for converting Indicator + risk score + links to OpenCTI bundle.

RAISES DESCRIPTION
STIX2TransformError

If transformation fails.
PARAMETER DESCRIPTION
name

An indicator value.

TYPE: str

type_

A Recorded Future type of indicator.

TYPE: str

evidence_details

Risk rules and evidence details.

TYPE: list

link_hits

A list of lists for link hits.

TYPE: list DEFAULT: None

risk_mapping

A risk rule to TTP mapping.

TYPE: list DEFAULT: None

ai_insights

AI insights for IOC in Recorded Future.

TYPE: dict DEFAULT: None

author

A Recorded Future Identity.

TYPE: Identity DEFAULT: None

confidence

A confidence score of the indicator.

TYPE: int DEFAULT: None

create_indicator

A flag that governs if the indicator should be created.

TYPE: bool DEFAULT: True

create_obs

A flag that governs if the observable should be created.

TYPE: bool DEFAULT: True

tlp_marking

The TLP level. Defaults to amber.

TYPE: str DEFAULT: 'amber'

Source code in psengine/stix2/enriched_indicator.py 
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
def __init__(
    self,
    name: Annotated[str, Doc('An indicator value.')],
    type_: Annotated[str, Doc('A Recorded Future type of indicator.')],
    evidence_details: Annotated[list, Doc('Risk rules and evidence details.')],
    link_hits: Annotated[list, Doc('A list of lists for link hits.')] = None,
    risk_mapping: Annotated[list, Doc('A risk rule to TTP mapping.')] = None,
    ai_insights: Annotated[dict, Doc('AI insights for IOC in Recorded Future.')] = None,
    author: Annotated[stix2.Identity, Doc('A Recorded Future Identity.')] = None,
    confidence: Annotated[int, Doc('A confidence score of the indicator.')] = None,
    create_indicator: Annotated[
        bool, Doc('A flag that governs if the indicator should be created.')
    ] = True,
    create_obs: Annotated[
        bool, Doc('A flag that governs if the observable should be created.')
    ] = True,
    tlp_marking: Annotated[str, Doc('The TLP level. Defaults to amber.')] = 'amber',
):
    """Indicator container. Contains indicator, observable, and relationship between them.

    Raises:
        STIX2TransformError: If transformation fails.
    """
    link_hits = link_hits or []
    risk_mapping = risk_mapping or []
    ai_insights = ai_insights or {}
    evidence_details = [e if isinstance(e, dict) else e.json() for e in evidence_details]
    labels = ['rf:' + (rule.get('Rule') or rule.get('rule')) for rule in evidence_details]

    description = self._format_description(ai_insights)
    super().__init__(
        name=name,
        type_=type_,
        confidence=confidence,
        create_indicator=create_indicator,
        create_obs=create_obs,
        labels=labels,
        description=description,
        tlp_marking=tlp_marking,
        author=author,
    )

    self._add_risk_score_as_note(confidence)

    for ttp in risk_mapping:
        self._add_ttp(ttp)
    for rule in evidence_details:
        self._add_rule(rule)

    for hit in link_hits:
        self._add_link(hit)

author instance-attribute 

author = author

bundle property 

bundle: Bundle

Creates STIX2 bundle.

RETURNS DESCRIPTION
Bundle

stix2.v21.Bundle: Bundle

confidence instance-attribute 

confidence = confidence

description instance-attribute 

description = description

indicator instance-attribute 

indicator = None

labels instance-attribute 

labels = labels

name instance-attribute 

name = name

observable instance-attribute 

observable = None

relationship instance-attribute 

relationship = None

stix_obj instance-attribute 

stix_obj = None

stix_objects instance-attribute 

stix_objects = []

tlp instance-attribute 

tlp = tlp_marking

type instance-attribute 

type = type_

__eq__ 

__eq__(other) -> bool

Verify if two STIX Objects are the same.

Source code in psengine/stix2/base_stix_entity.py 
49
50
51
def __eq__(self, other) -> bool:
    """Verify if two STIX Objects are the same."""
    return self._generate_id() == other._generate_id()

__hash__ 

__hash__() -> int

Hash for set function.

Source code in psengine/stix2/base_stix_entity.py 
53
54
55
def __hash__(self) -> int:
    """Hash for set function."""
    return hash(self._generate_id())

__str__ 

__str__() -> str

String representation of entity.

Source code in psengine/stix2/base_stix_entity.py 
38
39
40
def __str__(self) -> str:
    """String representation of entity."""
    return f'Base STIX Entity: {self.name}, Author Name: {self.author.name}'

create_stix_object 

create_stix_object() -> None

Creates STIX objects from object attributes.

Source code in psengine/stix2/base_stix_entity.py 
42
43
def create_stix_object(self) -> None:
    """Creates STIX objects from object attributes."""