Class: ActiveStix::Indicator

Inherits:

ApplicationRecord

• Object
• ActiveRecord::Base
• ApplicationRecord
• ActiveStix::Indicator

Defined in:

app/models/active_stix/indicator.rb

Class Method Summary

• .ingest_json(obj) ⇒ Object

Instance Method Summary

• #as_stix(classification = nil, chess = nil) ⇒ Object
• #attack_pattern_relationships ⇒ Object
• #attack_patterns ⇒ Object
• #type ⇒ Object

Class Method Details

.ingest_json(obj) ⇒ Object

# File 'app/models/active_stix/indicator.rb', line 11

def self.ingest_json(obj)
  indicator = find_or_create_by(stix_id:obj['id'], name:obj['name'], description:obj['description'], pattern:obj['pattern'], valid_from:obj['valid_from'])

  if obj.has_key?('labels')
    obj['labels'].each do | lab |
      label = ActiveStix::Label.ingest_label('indicator-labels', lab)
      indicator.labels << label unless ActiveStix::Markup.find_by(labelable: indicator, label: label)
    end
  end

  indicator.save
  indicator
end

Instance Method Details

#as_stix(classification = nil, chess = nil) ⇒ Object

# File 'app/models/active_stix/indicator.rb', line 46

def as_stix(classification = nil, chess = nil)
  as_json(only: [:name, :description, :pattern]).tap do |hash|
    hash["id"] = stix_id
    hash["type"] = type
    hash["description"] = description
    hash["created"] = created_at.rfc3339(3)
    hash["labels"] = ["malicious-activity"]
    hash["valid_from"] = (valid_from || updated_at).rfc3339(3)
    hash["modified"] = updated_at.rfc3339(3)
  end
end

#attack_pattern_relationships ⇒ Object

# File 'app/models/active_stix/indicator.rb', line 26

def attack_pattern_relationships
  relationships = []
  ActiveStix::Relationship.where(source: self, relationship_type: "uses", target_type: "ActiveStix::AttackPattern").or(
      ActiveStix::Relationship.where(source: self, relationship_type: "indicates", target_type: "ActiveStix::AttackPattern")
  ).each do |rel|
    relationships << rel
  end
  relationships
end

#attack_patterns ⇒ Object

# File 'app/models/active_stix/indicator.rb', line 36

def attack_patterns
  attack_pattern_relationships.collect {|rel| rel.target}
end

#type ⇒ Object

# File 'app/models/active_stix/indicator.rb', line 42

def type
  'indicator'
end