Add basic support for IP indicators in MVT (#556)

* Add prelimary ipv4-addr ioc matching support under collection domains * Add IP addresses as a valid IOC type This currently just supports IPv4 addresses which are treated as domains internally in MVT. --------- Co-authored-by: renini <renini@local>
2026-02-12 16:42:45 +00:00 · 2024-10-17 18:20:17 +02:00
parent 5ef19a327c
commit 81b647beac
3 changed files with 24 additions and 3 deletions
--- a/tests/artifacts/generate_stix.py
+++ b/tests/artifacts/generate_stix.py
@@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
        os.remove(file_path)

    domains = ["example.org"]
+    ip_addresses = ["198.51.100.1"]
    processes = ["Launch"]
    emails = ["foobar@example.org"]
    filenames = ["/var/foobar/txt"]
@@ -33,6 +34,15 @@ def generate_test_stix_file(file_path):
        res.append(i)
        res.append(Relationship(i, "indicates", malware))

+    for a in ip_addresses:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[ipv4-addr:value='{}']".format(a),
+            pattern_type="stix",
+        )
+        res.append(i)
+        res.append(Relationship(i, "indicates", malware))
+
    for p in processes:
        i = Indicator(
            indicator_types=["malicious-activity"],