ioc_writer package

Submodules

ioc_writer.ioc_api module

class ioc_writer.ioc_api.IOC(fn=None, name=None, description='Automatically generated IOC', author='IOC_api', links=None, keywords=None, iocid=None)

Bases: object

Class for easy creation and manipulation of IOCs. Attributes are populated from a file or a blank IOC is created.

Useful class attributes:
  • iocid – Unique identifier for the IOC
  • metadata – The metadata node
  • parameters – The parameters node
  • top_level_indicator – The Top Level Indicator node, typically an OR node for a valid MIR IOC.
  • root – The root node of the lxml.ElementTree

Parameters:
  • fn – This is a path to a file to open, or a string containing XML representing an IOC.
  • name – string, Name of the ioc
  • description – string, description of the ioc
  • author – string, author name/email address
  • links – list of tuples. Each tuple should be in the form (rel, href, value).
  • keywords – string. This is normally a space delimited string of values that may be used as keywords
  • iocid – GUID for the IOC. This should not be specified under normal circumstances.

Add a Link metadata element to the IOC.

Parameters:
  • rel – Type of the link.
  • value – Value of the link text.
  • href – A href value assigned to the link.
Returns:

True

add_parameter(indicator_id, content, name='comment', ptype='string')

Add a parameter to the IOC.

Parameters:
  • indicator_id – The unique Indicator/IndicatorItem id the parameter is associated with.
  • content – The value of the parameter.
  • name – The name of the parameter.
  • ptype – The type of the parameter content.
Returns:

True

Raises:

IOCParseError if the indicator_id is not associated with an Indicator or IndicatorItem in the IOC.

static make_ioc(name=None, description='Automatically generated IOC', author='IOC_api', links=None, keywords=None, iocid=None)

This generates all parts of an IOC, but without any definition.

This is a helper function used by __init__.

Parameters:
  • name – string, Name of the ioc
  • description – string, description of the ioc
  • author – string, author name/email address
  • links – list of tuples. Each tuple should be in the form (rel, href, value).
  • keywords – string. This is normally a space delimited string of values that may be used as keywords
  • iocid – GUID for the IOC. This should not be specified under normal circumstances.
Returns:

A tuple containing three elementTree Element objects:
  1. The root, which contains the entire IOC itself.
  2. The top level OR indicator, which allows the user to add additional IndicatorItem or Indicator nodes to the IOC easily.
  3. The parameters node, which allows the user to quickly parse the parameters.

static open_ioc(fn)

Opens an IOC file, or XML string. Returns the root element, top level indicator element, and parameters element. If the IOC or string fails to parse, an IOCParseError is raised.

This is a helper function used by __init__.

Parameters:
  • fn – This is a path to a file to open, or a string containing XML representing an IOC.
Returns:

A tuple containing three elementTree Element objects:
  1. The root, which contains the entire IOC itself.
  2. The top level OR indicator, which allows the user to add additional IndicatorItem or Indicator nodes to the IOC easily.
  3. The parameters node, which allows the user to quickly parse the parameters.

remove_description()

Removes the description node from the metadata node, if present.

Returns:

True if the description node is removed, False if the node is not present.

remove_indicator(nid, prune=False)

Removes an Indicator or IndicatorItem node from the IOC. By default, when a node is removed, its child nodes are inherited by the removed node’s parent. If the ‘prune’ argument is set, all child Indicator and IndicatorItem nodes underneath the removed Indicator node are deleted as well.

This will not remove the top level Indicator node from an IOC. If the id value has been reused within the IOC, this will remove the first node which contains the id value.

This also removes any parameters associated with any nodes that are removed.

Parameters:
  • nid – The Indicator/@id or IndicatorItem/@id value indicating a specific node to remove.
  • prune – Remove all children of the deleted node. If an Indicator node is removed and prune is set to False, the children nodes will be promoted to be children of the removed node’s parent.
Returns:

True if nodes are removed, False otherwise.
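
The difference between promoting and pruning children, and the parameter clean-up that goes with each, shown as an added example. This is not ioc_writer code: it models the documented behaviour with the standard library on a constructed, simplified IOC skeleton, and the function names, ids and the `ref-id` attribute spelling are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified IOC skeleton: short labels stand in for GUIDs and
# IndicatorItem bodies (Context/Content) are omitted.
SAMPLE = """
<ioc>
  <criteria>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="item-a"/>
      <Indicator operator="AND" id="and-1">
        <IndicatorItem id="item-b"/>
        <IndicatorItem id="item-c"/>
      </Indicator>
    </Indicator>
  </criteria>
  <parameters>
    <param id="p1" ref-id="and-1" name="comment"/>
    <param id="p2" ref-id="item-b" name="comment"/>
    <param id="p3" ref-id="item-a" name="comment"/>
  </parameters>
</ioc>
"""


def remove_node(root, nid, prune=False):
    """Model of the documented behaviour; returns True if a node was removed."""
    top = root.find("./criteria/Indicator")
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # First node in document order that carries the id (ids may be reused).
    node = next((n for n in top.iter() if n.get("id") == nid), None)
    if node is None or node is top:
        return False  # unknown id, or the protected top-level Indicator
    parent = parent_of[node]
    if prune or node.tag == "IndicatorItem":
        # The whole subtree goes, so every id inside it loses its parameters.
        removed_ids = {n.get("id") for n in node.iter() if n.get("id")}
    else:
        # Promote the children into the removed node's position under its parent.
        removed_ids = {nid}
        position = list(parent).index(node)
        for offset, child in enumerate(list(node)):
            node.remove(child)
            parent.insert(position + offset, child)
    parent.remove(node)
    params = root.find("./parameters")
    for param in list(params):
        if param.get("ref-id") in removed_ids:
            params.remove(param)
    return True


def run(nid, prune):
    """Apply one removal to a fresh copy of SAMPLE and summarise the result."""
    root = ET.fromstring(SAMPLE.strip())
    removed = remove_node(root, nid, prune=prune)
    top_children = [c.get("id") for c in root.find("./criteria/Indicator")]
    param_refs = [p.get("ref-id") for p in root.find("./parameters")]
    return removed, top_children, param_refs


if __name__ == "__main__":
    print(run("and-1", prune=False))  # children promoted, only and-1's param dropped
    print(run("and-1", prune=True))   # subtree and all of its params dropped
    print(run("top", prune=True))     # top-level Indicator is never removed
```

With prune left at False the detection content of the AND branch survives but its AND grouping is lost, so the promoted items now sit directly under the top-level OR and each one matches on its own.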

Removes link nodes based on the function arguments.

This can remove link nodes based on the following combinations of arguments:
  • link/@rel
  • link/@rel & link/text()
  • link/@rel & link/@href
  • link/@rel & link/text() & link/@href

Parameters:
  • rel – link/@rel value to remove. Required.
  • value – link/text() value to remove. This is used in conjunction with link/@rel.
  • href – link/@href value to remove. This is used in conjunction with link/@rel.
Returns:

Return the number of link nodes removed, or False if no nodes are removed.

remove_name()

Removes the name (short_description node) from the metadata node, if present.

Returns:

True if the node is removed, False if the node is not present.

remove_parameter(param_id=None, name=None, ref_id=None)

Removes parameters based on function arguments.

This can remove parameters based on the following param values:
  • param/@id
  • param/@name
  • param/@ref_id

The inputs are mutually exclusive. Calling this function with multiple values set will cause an IOCParseError exception. Calling this function without setting one value will raise an exception.

Parameters:
  • param_id – The id of the parameter to remove.
  • name – The name of the parameter to remove.
  • ref_id – The IndicatorItem/Indicator id of the parameter to remove.
Returns:

Number of parameters removed.

set_created_date(date=None)

Set the created date of an IOC to the current date. The user may also specify the date to set.

Parameters:
  • date – Date value to set the created date to. This should be in the xsdDate form: YYYY-MM-DDTHH:MM:SS. This defaults to the current date if it is not provided.
Returns:

True

Raises:

IOCParseError if date format is not valid.

set_lastmodified_date(date=None)

Set the last modified date of an IOC to the current date. The user may also specify the date to set.

Parameters:
  • date – Date value to set the last modified date to. This should be in the xsdDate form: YYYY-MM-DDTHH:MM:SS. This defaults to the current date if it is not provided.
Returns:

True

Raises:

IOCParseError if date format is not valid.

set_published_date(date=None)

Set the published date of an IOC to the current date. The user may also specify the date to set.

Parameters:
  • date – Date value to set the published date to. This should be in the xsdDate form: YYYY-MM-DDTHH:MM:SS. This defaults to the current date if it is not provided.
Returns:

True

Raises:

IOCParseError if date format is not valid.

update_description(description)

Update the description of an IOC.

This creates the description node if it is not present.

Parameters:
  • description – Value to set the description to
Returns:

True

Update link nodes, based on the existing link/@rel values.

This requires specifying a link/@rel value to update, and either a new link/@rel value, or a new link/text() value for all links which match the link/@rel value. Optionally, only the first link which matches the link/@rel value will be modified.

Parameters:
  • old_rel – The link/@rel value used to select link nodes to update
  • new_rel – The new link/@rel value
  • new_text – The new link/text() value
  • single_link – Determine if only the first, or multiple, links are modified.
Returns:

True, unless there are no links with link[@rel=’old_rel’]

Rewrite the text() value of a link based on the link/@rel and link/text() value.

This is similar to update_link_rel_based but uses link/@rel AND link/text() values to determine which links have their link/text() values updated.

Parameters:
  • old_rel – The link/@rel value used to select link nodes to update.
  • old_text – The link/text() value used to select link nodes to update.
  • new_text – The new link/text() value to set on link nodes.
  • single_link – Determine if only the first, or multiple, links are modified.
Returns:

True, unless there are no links with link[@rel=’old_rel’ and text()=’old_text’]

update_name(name)

Update the name (short description) of an IOC

This creates the short description node if it is not present.

Parameters:
  • name – Value to set the short description to
Returns:

update_parameter(parameter_id, content=None, name=None, param_type=None)

Updates the parameter attached to an Indicator or IndicatorItem node.

All inputs must be strings or unicode objects.

Parameters:
  • parameter_id – The unique id of the parameter to modify
  • content – The value of the parameter.
  • name – The name of the parameter.
  • param_type – The type of the parameter content.
Returns:

True, unless none of the optional arguments are supplied

Raises:

IOCParseError if the parameter id is not present in the IOC.

write_ioc_to_file(output_dir=None, force=False)

Serialize the IOC to a .ioc file.

Parameters:
  • output_dir – Directory to write the ioc out to. default is the current working directory.
  • force – If specified, will not validate that the root node of the IOC is ‘OpenIOC’.
Returns:

write_ioc_to_string(force=False)

Serialize the IOC to a string.

Parameters:
  • force – If specified, will not validate that the root node of the IOC is ‘OpenIOC’.
Returns:

XML String.

exception ioc_writer.ioc_api.IOCParseError

Bases: Exception

ioc_writer.ioc_api.get_top_level_indicator_node(root_node)

This returns the first top level Indicator node under the criteria node.

Parameters:
  • root_node – Root node of an etree.
Returns:

An elementTree Element item, or None if no item is found.

ioc_writer.ioc_api.make_indicator_node(operator, nid=None)

This makes an Indicator node element. These allow the construction of a logic tree within the IOC.

Parameters:
  • operator – String ‘AND’ or ‘OR’. The constants ioc_api.OR and ioc_api.AND may be used as well.
  • nid – This is used to provide a GUID for the Indicator. The ID should NOT be specified under normal circumstances.
Returns:

elementTree element

ioc_writer.ioc_api.make_indicatoritem_node(condition, document, search, content_type, content, preserve_case=False, negate=False, context_type='mir', nid=None)

This makes an IndicatorItem element. This contains the actual threat intelligence in the IOC.

Parameters:
  • condition – This is the condition of the item (‘is’, ‘contains’, ‘matches’, etc). The following constants in ioc_api may be used:

      Constant               Meaning
      ioc_api.IS             Exact string match.
      ioc_api.CONTAINS       Substring match.
      ioc_api.MATCHES        Regex match.
      ioc_api.STARTS_WITH    String match at the beginning of a string.
      ioc_api.ENDS_WITH      String match at the end of a string.
      ioc_api.GREATER_THAN   Integer match indicating a greater than (>) operation.
      ioc_api.LESS_THAN      Integer match indicating a less than (<) operation.

  • document – Denotes the type of document to look for the encoded artifact in.
  • search – Specifies what attribute of the document type the encoded value is.
  • content_type – This is the display type of the item. This is normally derived from the iocterm for the search value.
  • content – The threat intelligence that is being encoded.
  • preserve_case – Specify that the content should be treated in a case sensitive manner.
  • negate – Specify that the condition is negated. For example, @condition = ‘is’ with @negate = ‘true’ is equivalent to @condition = ‘isnot’ in OpenIOC 1.0.
  • context_type – Gives context to the document/search information.
  • nid – This is used to provide a GUID for the IndicatorItem. The ID should NOT be specified under normal circumstances.
Returns:

An elementTree Element item

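
How condition, negate and preserve_case decide whether an IndicatorItem fires inside an AND/OR tree, as an added example run over constructed host records. This is not ioc_writer code: the tree, ids and records are made up, the attribute spellings follow OpenIOC 1.1, and the rule that a negated item is tested per observed value and never matches an absent field is an assumption of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample logic tree; ids are short labels and values are made up.
TREE = r"""
<Indicator operator="OR" id="top">
  <IndicatorItem id="i1" condition="is" preserve-case="false" negate="false">
    <Context document="FileItem" search="FileItem/FileName" type="mir"/>
    <Content type="string">Updater.EXE</Content>
  </IndicatorItem>
  <Indicator operator="AND" id="a1">
    <IndicatorItem id="i2" condition="contains" preserve-case="false" negate="false">
      <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
      <Content type="string">\Temp\</Content>
    </IndicatorItem>
    <IndicatorItem id="i3" condition="is" preserve-case="false" negate="true">
      <Context document="FileItem" search="FileItem/PEInfo/DigitalSignature/SignatureExists" type="mir"/>
      <Content type="string">true</Content>
    </IndicatorItem>
  </Indicator>
</Indicator>
"""
SIG = "FileItem/PEInfo/DigitalSignature/SignatureExists"

# Constructed host records: search term -> values observed on the host.
SIGNED_UPDATER = {"FileItem/FileName": ["updater.exe"],
                  "FileItem/FullPath": [r"C:\Program Files\App\updater.exe"],
                  SIG: ["true"]}
UNSIGNED_IN_TEMP = {"FileItem/FileName": ["svc.exe"],
                    "FileItem/FullPath": [r"C:\Users\u\AppData\Local\Temp\svc.exe"],
                    SIG: ["false"]}
SIGNED_IN_TEMP = dict(UNSIGNED_IN_TEMP, **{SIG: ["true"]})


def load_tree():
    return ET.fromstring(TREE.strip())


def compare(condition, expected, observed, preserve_case):
    """Apply one of the three conditions the page names by value."""
    if condition == "matches":
        flags = 0 if preserve_case else re.IGNORECASE
        return re.search(expected, observed, flags) is not None
    if not preserve_case:
        expected, observed = expected.lower(), observed.lower()
    if condition == "is":
        return expected == observed
    if condition == "contains":
        return expected in observed
    raise ValueError("unsupported condition: %r" % condition)


def item_matches(item, record):
    """True if any observed value satisfies the (possibly negated) comparison."""
    search = item.find("Context").get("search")
    expected = item.find("Content").text or ""
    negate = item.get("negate", "false") == "true"
    preserve = item.get("preserve-case", "false") == "true"
    return any(compare(item.get("condition"), expected, value, preserve) != negate
               for value in record.get(search, []))


def evaluate(node, record):
    """Recursively evaluate an Indicator (AND/OR) or IndicatorItem node."""
    if node.tag == "IndicatorItem":
        return item_matches(node, record)
    results = [evaluate(child, record) for child in node]
    if node.get("operator") == "AND":
        return bool(results) and all(results)
    return any(results)


def matching_items(tree, record):
    """Ids of the individual items that fired, useful when triaging a hit."""
    return [i.get("id") for i in tree.iter("IndicatorItem") if item_matches(i, record)]


if __name__ == "__main__":
    tree = load_tree()
    for name in ("SIGNED_UPDATER", "UNSIGNED_IN_TEMP", "SIGNED_IN_TEMP"):
        print(name, evaluate(tree, globals()[name]), matching_items(tree, globals()[name]))
```

The first record hits only because item i1 ignores case; setting its preserve-case attribute to true makes the same record a miss, which is the practical effect of the preserve_case argument.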
ioc_writer.ioc_api.write_ioc(root, output_dir=None, force=False)

Serialize an IOC, as defined by a set of etree Elements, to a .IOC file.

Parameters:
  • root – etree Element to write out. Should have the tag ‘OpenIOC’
  • output_dir – Directory to write the ioc out to. default is current working directory.
  • force – If set, skip the root node tag check.
Returns:

True, unless an error occurs while writing the IOC.

ioc_writer.ioc_api.write_ioc_string(root, force=False)

Serialize an IOC, as defined by a set of etree Elements, to a String.

Parameters:
  • root – etree Element to serialize. Should have the tag ‘OpenIOC’
  • force – Skip the root node tag check.
Returns:

ioc_writer.ioc_common module

ioc_writer.ioc_common.make_dnsentryitem_recordname(dns_name, condition='contains', negate=False, preserve_case=False)

Create a node for DnsEntryItem/RecordName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_driveritem_deviceitem_devicename(device_name, condition='is', negate=False, preserve_case=False)

Create a node for DriverItem/DeviceItem/DeviceName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_driveritem_drivername(driver_name, condition='contains', negate=False, preserve_case=False)

Create a node for DriverItem/DriverName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_eventlogitem_eid(eid, condition='is', negate=False)

Create a node for EventLogItem/EID

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_eventlogitem_log(log, condition='is', negate=False, preserve_case=False)

Create a node for EventLogItem/log

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_eventlogitem_message(message, condition='contains', negate=False, preserve_case=False)

Create a node for EventLogItem/message

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_fileattributes(attributes, condition='contains', negate=False, preserve_case=False)

Create a node for FileItem/FileAttributes

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_fileextension(extension, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/FileExtension

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_filename(filename, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/FileName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_filepath(filepath, condition='contains', negate=False, preserve_case=False)

Create a node for FileItem/FilePath

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_fullpath(fullpath, condition='contains', negate=False, preserve_case=False)

Create a node for FileItem/FullPath

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_md5sum(md5, condition='is', negate=False)

Create a node for FileItem/Md5sum

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_detectedanomalies_string(anomaly, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/DetectedAnomalies/string

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_detectedentrypointsignature_name(entrypoint_name, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/DetectedEntryPointSignature/Name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_digitalsignature_signatureexists(sig_exists, condition='is', negate=False)

Create a node for FileItem/PEInfo/DigitalSignature/SignatureExists

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_digitalsignature_signatureverified(sig_verified, condition='is', negate=False)

Create a node for FileItem/PEInfo/DigitalSignature/SignatureVerified

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_exports_dllname(dll_name, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/Exports/DllName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_exports_exportedfunctions_string(export_function, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/Exports/ExportedFunctions/string

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_exports_numberoffunctions(function_count, condition='is', negate=False)

Create a node for FileItem/PEInfo/Exports/NumberOfFunctions

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_importedmodules_module_importedfunctions_string(imported_function, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_importedmodules_module_name(imported_module, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/ImportedModules/Module/Name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_petimestamp(compile_time, condition='is', negate=False)

Create a node for FileItem/PEInfo/PETimeStamp

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_resourceinfolist_resourceinfoitem_name(resource_name, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_sections_section_name(section_name, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/Sections/Section/Name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_type(petype, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/Type

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_peinfo_versioninfoitem(key, value, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/PEInfo/VersionInfoList/VersionInfoItem/ + key name

No validation of the key is performed.

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_sizeinbytes(filesize, condition='is', negate=False)

Create a node for FileItem/SizeInBytes

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_streamlist_stream_name(stream_name, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/StreamList/Stream/Name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_stringlist_string(file_string, condition='contains', negate=False, preserve_case=False)

Create a node for FileItem/StringList/string

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_fileitem_username(file_owner, condition='is', negate=False, preserve_case=False)

Create a node for FileItem/Username

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_hookitem_hookedfunction(hooked_function, condition='is', negate=False, preserve_case=False)

Create a node for HookItem/HookedFunction

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_hookitem_hookingmodule(hooking_module, condition='contains', negate=False, preserve_case=False)

Create a node for HookItem/HookingModule

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_portitem_remoteip(remote_ip, condition='is', negate=False)

Create a node for PortItem/remoteIP

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_portitem_remoteport(remote_port, condition='is', negate=False)

Create a node for PortItem/remotePort

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_prefetchitem_accessedfilelist_accessedfile(accessed_file, condition='contains', negate=False, preserve_case=False)

Create a node for PrefetchItem/AccessedFileList/AccessedFile

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_prefetchitem_applicationfilename(application_filename, condition='is', negate=False, preserve_case=False)

Create a node for PrefetchItem/ApplicationFileName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_prefetchitem_applicationfullpath(application_fullpath, condition='contains', negate=False, preserve_case=False)

Create a node for PrefetchItem/ApplicationFullPath

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_arguments(arguments, condition='contains', negate=False, preserve_case=False)

Create a node for ProcessItem/arguments

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_handlelist_handle_name(handle_name, condition='contains', negate=False, preserve_case=False)

Create a node for ProcessItem/HandleList/Handle/Name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_name(name, condition='is', negate=False, preserve_case=False)

Create a node for ProcessItem/name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_path(path, condition='contains', negate=False, preserve_case=False)

Create a node for ProcessItem/path

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_portlist_portitem_remoteip(remote_ip, condition='is', negate=False)

Create a node for ProcessItem/PortList/PortItem/remoteIP

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_sectionlist_memorysection_name(section_name, condition='contains', negate=False, preserve_case=False)

Create a node for ProcessItem/SectionList/MemorySection/Name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_sectionlist_memorysection_peinfo_exports_exportedfunctions_string(export_function, condition='is', negate=False, preserve_case=False)

Create a node for ProcessItem/SectionList/MemorySection/PEInfo/Exports/ExportedFunctions/string

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_stringlist_string(string, condition='contains', negate=False, preserve_case=False)

Create a node for ProcessItem/StringList/string

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_processitem_username(username, condition='contains', negate=False, preserve_case=False)

Create a node for ProcessItem/Username

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_registryitem_keypath(keypath, condition='contains', negate=False, preserve_case=False)

Create a node for RegistryItem/KeyPath

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_registryitem_path(path, condition='contains', negate=False, preserve_case=False)

Create a node for RegistryItem/Path

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_registryitem_text(text, condition='contains', negate=False, preserve_case=False)

Create a node for RegistryItem/Text

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_registryitem_valuename(valuename, condition='is', negate=False, preserve_case=False)

Create a node for RegistryItem/ValueName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_description(description, condition='contains', negate=False, preserve_case=False)

Create a node for ServiceItem/description

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_descriptivename(descriptive_name, condition='is', negate=False, preserve_case=False)

Create a node for ServiceItem/descriptiveName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_name(name, condition='is', negate=False, preserve_case=False)

Create a node for ServiceItem/name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_path(path, condition='contains', negate=False, preserve_case=False)

Create a node for ServiceItem/path

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_pathmd5sum(path_md5, condition='is', negate=False)

Create a node for ServiceItem/pathmd5sum

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_servicedll(servicedll, condition='contains', negate=False, preserve_case=False)

Create a node for ServiceItem/serviceDLL

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_servicedllmd5sum(servicedll_md5, condition='is', negate=False)

Create a node for ServiceItem/serviceDLLmd5sum

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_servicedllsignatureexists(dll_sig_exists, condition='is', negate=False)

Create a node for ServiceItem/serviceDLLSignatureExists

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_serviceitem_servicedllsignatureverified(dll_sig_verified, condition='is', negate=False)

Create a node for ServiceItem/serviceDLLSignatureVerified

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_systeminfoitem_hostname(hostname, condition='contains', negate=False, preserve_case=False)

Create a node for SystemInfoItem/hostname

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_systemrestoreitem_originalfilename(original_filename, condition='contains', negate=False, preserve_case=False)

Create a node for SystemRestoreItem/OriginalFileName

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_common.make_taskitem_name(name, condition='is', negate=False, preserve_case=False)

Create a node for TaskItem/Name

Returns: An IndicatorItem represented as an Element node

ioc_writer.ioc_et module

ioc_writer.ioc_et.get_current_date()
ioc_writer.ioc_et.get_guid()
ioc_writer.ioc_et.make_authored_by_node(author='ioc_et')
ioc_writer.ioc_et.make_authored_date_node()
ioc_writer.ioc_et.make_content_node(ctype, content)
ioc_writer.ioc_et.make_context_node(document, search, context_type='mir')
ioc_writer.ioc_et.make_criteria_node(indicator_node=None)
ioc_writer.ioc_et.make_description_node(text)
ioc_writer.ioc_et.make_ioc_root(iocid=None)
ioc_writer.ioc_et.make_keywords_node(keywords=None)
ioc_writer.ioc_et.make_metadata_node(name=None, description='Automatically generated IOC', author='IOC_et', links=None, keywords=None)
ioc_writer.ioc_et.make_param_node(nid, content, name='comment', ptype='string')
ioc_writer.ioc_et.make_parameters_node()
ioc_writer.ioc_et.make_short_description_node(name)
ioc_writer.ioc_et.set_root_created_date(root_node, date=None)
ioc_writer.ioc_et.set_root_lastmodified(root_node, date=None)
ioc_writer.ioc_et.set_root_published_date(root_node, date=None)
ioc_writer.ioc_et.update_node_text(node, text)

Module contents