Class: ActiveStix::Identity

Inherits:
ApplicationRecord show all
Defined in:
app/models/active_stix/identity.rb

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.employ(individual, organization) ⇒ Object



# File 'app/models/active_stix/identity.rb', line 121

# Ensures +organization+ is recorded as an employer of +individual+.
#
# When the individual's employers already include the organization, the
# existing "employs" relationships whose source_ref is the organization's
# STIX id are queried and returned. Otherwise a new relationship is created
# through ActiveStix::Relationship.relate.
#
# @param individual [Object] identity responding to #employers and #target_relationships
# @param organization [Object] identity responding to #stix_id
# @return [Object] the relationship query in the first case, otherwise
#   whatever ActiveStix::Relationship.relate returns
def self.employ(individual, organization)
  unless individual.employers.include?(organization)
    return ActiveStix::Relationship.relate(organization, individual, "employs")
  end

  individual.target_relationships.where(
    source_ref: organization.stix_id,
    relationship_type: "employs"
  )
end

.find_from_contact_information(info, contactable = ActiveStix::Identity.all) ⇒ Object



# File 'app/models/active_stix/identity.rb', line 23

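# Narrows +contactable+ to the records whose contact_information column
# matches every key/value pair of +info+.
#
# One +where+ clause is chained per key of +info+, so the conditions are
# combined with AND.
#
# @param info [Hash] contact-information keys mapped to the value(s) to look for
# @param contactable [Object] relation to filter; defaults to every identity
# @return [Object] the filtered relation (the input relation when +info+ is empty)
def self.find_from_contact_information(info, contactable=ActiveStix::Identity.all)
  info.keys.each do |key|
    # The key is supplied as a bind value instead of being interpolated into
    # the SQL text. Callers may pass hashes built from external input, and an
    # interpolated key would become part of the statement itself. The bare "?"
    # is kept as in the original condition (presumably the database's JSON
    # "contains" operator); named binds leave it untouched.
    contactable = contactable.where(
      "contact_information -> :key ? :values",
      key: key.to_s,
      values: info[key]
    )
  end
  contactable
end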

.ingest_json(obj) ⇒ Object



# File 'app/models/active_stix/identity.rb', line 52

# Finds or creates the identity described by a parsed STIX identity object.
#
# The lookup matches on stix_id, name and identity_class together, so an
# object that reuses a known id with a different name or class does not match
# the stored row and goes down the create path.
# NOTE(review): the three values are taken from +obj+ as-is; any validation
# of untrusted STIX input has to happen in the model or in the caller.
#
# @param obj [Hash] parsed STIX JSON with 'id', 'name' and 'identity_class' keys
# @return [Object] the identity record (the result of #save is not checked)
def self.ingest_json(obj)
  lookup = {
    stix_id: obj['id'],
    name: obj['name'],
    identity_class: obj['identity_class']
  }
  record = find_or_create_by(**lookup)

  if obj.has_key?('object_marking_refs')
    # TODO: attach marking definitions. Disabled implementation kept for reference:
    # obj['object_marking_refs'].each do |mr|
    #   marking_definition = ActiveStix::MarkingDefinition.create_by_id(mr)
    #   identity.marking_definitions << marking_definition unless ActiveStix::ReferenceObjectMarkingIdentity.find_by(stix_marking_definition_id: marking_definition.id, stix_identity_id: identity.id)
    # end
  end

  # The boolean returned by save is discarded, so a failed save is not
  # reported to the caller.
  record.save
  record
end

.organizations ⇒ Object



# File 'app/models/active_stix/identity.rb', line 137

# Returns the identities whose identity_class is 'organization'.
#
# @return [Object] the result of calling #all on the filtered query
def self.organizations
  org_scope = where(identity_class: 'organization')
  org_scope.all
end

Instance Method Details

#as_stix ⇒ Object



# File 'app/models/active_stix/identity.rb', line 64

# Serializes this identity as a STIX 2.0 hash.
#
# Starts from as_json restricted to the observation attributes and then sets
# the STIX properties. "name" is the value of the first email address when
# there is one, and otherwise falls back to the STIX id.
#
# @return [Hash] string-keyed STIX representation
def as_stix
  stix = as_json(only: %i[first_observed number_observed last_observed])

  stix["id"] = stix_id
  stix["name"] = if email_addresses.any?
                   email_addresses.first.value
                 else
                   stix_id
                 end
  stix["type"] = type
  # Timestamps are rendered as RFC 3339 with three fractional digits.
  stix["created"] = created_at.rfc3339(3)
  stix["modified"] = updated_at.rfc3339(3)
  stix["identity_class"] = identity_class
  stix["spec_version"] = "2.0"

  stix
end

#attack_patterns ⇒ Object



# File 'app/models/active_stix/identity.rb', line 87

# Lists the attack patterns that target this organization.
#
# Only identities with identity_class "organization" are considered; any
# other identity yields an empty array. The sources of the matching "targets"
# relationships are returned as they are, so a relationship without a source
# contributes nil.
#
# @return [Array] sources of the matching relationships
def attack_patterns
  return [] if identity_class != "organization"

  targeting = target_relationships.where(
    source_type: "ActiveStix::AttackPattern",
    relationship_type: "targets"
  )
  targeting.map(&:source)
end

#corpus(mailbox) ⇒ Object



# File 'app/models/active_stix/identity.rb', line 30

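# Writes the raw .eml sources of this identity's messages into a zip archive
# under "<working directory>/tmp" and returns the archive's path.
#
# @param mailbox [String] 'sent' selects email_messages, 'received' selects
#   the messages behind to_refs; any other value produces an archive that
#   contains only the directory entry
# @return [String] path of the zip file that was written
def corpus(mailbox)
  # Both +mailbox+ and +name+ become part of a filesystem path and of the zip
  # entry names. +name+ is stored data that can come from ingested STIX JSON,
  # so every character outside a conservative allow-list is replaced; this
  # keeps path separators and dot segments from moving the archive out of
  # tmp/ or from producing entry names that escape on extraction.
  safe = ->(part) { part.to_s.gsub(/[^A-Za-z0-9_-]/, "_") }

  dirname = "#{safe.call(mailbox)}_corpus_#{safe.call(name)}_#{Time.now.to_i}"
  zip_file_name = File.join(Dir.pwd, "tmp", "#{dirname}.zip")
  messages = case mailbox
             when 'sent'
               email_messages.includes(:eml)
             when 'received'
               to_refs.collect { |tr| tr.email_message }
             else
               []
             end

  Zip::File.open(zip_file_name, ::Zip::File::CREATE) do |zipfile|
    zipfile.mkdir(dirname)
    messages.each_with_index do |em, i|
      zipfile.get_output_stream("#{dirname}/#{i}.eml") do |f|
        # A to_ref without a message, or a message without an eml, still gets
        # its (empty) numbered entry instead of aborting the export.
        eml = em&.eml
        f.puts eml.raw_source if eml
      end
    end
  end
  zip_file_name
end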

#employees ⇒ Object



# File 'app/models/active_stix/identity.rb', line 133

# Lists the targets of this identity's outgoing "employs" relationships.
#
# @return [Array] one target per matching relationship
def employees
  employment = source_relationships.where(relationship_type: "employs").all
  employment.map(&:target)
end

#employers ⇒ Object



# File 'app/models/active_stix/identity.rb', line 129

# Lists the sources of the "employs" relationships that point at this identity.
#
# @return [Array] one source per matching relationship
def employers
  employment = target_relationships.where(relationship_type: "employs").all
  employment.map(&:source)
end

#individual_threat_class ⇒ Object



# File 'app/models/active_stix/identity.rb', line 113

# Classifies an individual by the standing of its employers.
#
# A threat-group employer takes precedence over everything else: an
# individual flagged as a known person is still "threat" when any employer is
# a threat group.
#
# @return [String, nil] "threat", "verified" or "unverified"; nil when this
#   identity is not an individual
def individual_threat_class
  return nil if identity_class != "individual"

  if employers.any?(&:threat_group?)
    "threat"
  elsif known_person || employers.any?(&:verified?)
    "verified"
  else
    "unverified"
  end
end

#organizational_threat_class ⇒ Object



# File 'app/models/active_stix/identity.rb', line 80

# Classifies an organization.
#
# Being a threat group is checked first, so an organization that is both a
# threat group and marked legitimate is reported as "threat".
#
# @return [String, nil] "threat", "verified" or "unverified"; nil when this
#   identity is not an organization
def organizational_threat_class
  return nil if identity_class != "organization"

  if threat_group?
    "threat"
  elsif legitimate_organization
    "verified"
  else
    "unverified"
  end
end

#threat_class ⇒ Object



# File 'app/models/active_stix/identity.rb', line 76

# Returns the threat classification of this identity.
#
# The organizational classification is used when it is present; otherwise the
# individual one is returned.
#
# @return [String, nil] the first non-nil classification, or nil when neither applies
def threat_class
  organizational_threat_class || individual_threat_class
end

#threat_group? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/active_stix/identity.rb', line 103

# Tells whether this organization has at least one threat actor attributed to it.
#
# @return [Boolean] false for any identity that is not an organization
def threat_group?
  identity_class == "organization" ? threat_groups.any? : false
end

#threat_groups ⇒ Object



# File 'app/models/active_stix/identity.rb', line 95

# Lists the threat actors attributed to this organization.
#
# Only identities with identity_class "organization" are considered; any
# other identity yields an empty array. Relationships whose source is nil are
# dropped from the result.
#
# @return [Array] non-nil sources of the matching "attributed-to" relationships
def threat_groups
  return [] if identity_class != "organization"

  attributions = target_relationships.where(
    source_type: "ActiveStix::ThreatActor",
    relationship_type: "attributed-to"
  )
  attributions.map(&:source).compact
end

#to_refs ⇒ Object



# File 'app/models/active_stix/identity.rb', line 19

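# Finds the ToRef rows that point at any of this identity's email addresses.
#
# The ids are passed as a hash condition rather than joined into the SQL
# text. This keeps the statement valid when the identity has no email
# addresses (the string form produced "in ()") and leaves quoting of the
# values to the query layer.
#
# @return [Object] the ActiveStix::ToRef query for the matching rows
def to_refs
  address_ids = email_addresses.collect(&:id)
  ActiveStix::ToRef.where(stix_email_address_id: address_ids)
end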

#type ⇒ Object



# File 'app/models/active_stix/identity.rb', line 15

# STIX object type of this record.
#
# @return [String] always 'identity'
def type
  'identity'
end

#verified? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/active_stix/identity.rb', line 108

# Tells whether this organization counts as verified.
#
# Identities that are not organizations are never verified here. For an
# organization, either the known_person or the legitimate_organization flag
# is enough.
#
# @return [Object] false for non-organizations; otherwise the first truthy
#   flag value, or the value of legitimate_organization when known_person is
#   not set
def verified?
  return false if identity_class != "organization"

  known_person || legitimate_organization
end