playing around with stix 2.1 (JSON) in F#
open System.Text
/// https://fsharpforfunandprofit.com/posts/serializating-your-domain-model/
#I "/usr/local/share/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/lib/net40/"
#r "/usr/local/share/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/lib/net40/Newtonsoft.Json.dll"
/// Newtonsoft.Json wrappers, after
/// https://fsharpforfunandprofit.com/posts/serializating-your-domain-model/
module Json =
    open Newtonsoft.Json

    /// Serializes `obj` with `JsonConvert`'s default settings.
    let serialize obj = JsonConvert.SerializeObject obj

    /// Deserializes `str` as an `'a`, giving `Error ex` instead of raising.
    /// Every exception is caught on purpose: a caller feeding in input it did
    /// not produce gets a `Result` rather than an unwind. The defaults leave
    /// `TypeNameHandling` at `None`, which is the setting to keep for such input.
    let deserialize<'a> str : Result<'a, exn> =
        try
            Ok (JsonConvert.DeserializeObject<'a> str)
        with ex ->
            Error ex
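/// STIX 2.1 `indicator-type-ov` open vocabulary,
/// https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html.
/// `AnomalousActivity` was missing although `nameIndicatorType` already
/// matched on it, and `Attribution` was spelled `Attritbution`; since neither
/// name was a constructor, F# treated those patterns as catch-all variable
/// bindings, so every value was named "anomalous-activity".
/// NOTE(review): `Backdoor` and `RAT` are not in indicator-type-ov (they look
/// like malware-type-ov entries); left in place because callers may use them.
type IndicatorType =
    | MaliciousActivity
    | AnomalousActivity
    | Anonymization
    | Benign
    | Backdoor
    | Compromised
    | RAT
    | Attribution
    | Unknown

/// Returns the STIX vocabulary string for `i`. The match is exhaustive with
/// no wildcard, so a new constructor is reported by the compiler instead of
/// silently becoming "unknown".
let nameIndicatorType (i: IndicatorType) =
    match i with
    | AnomalousActivity -> "anomalous-activity"
    | Anonymization -> "anonymization"
    | Benign -> "benign"
    | Compromised -> "compromised"
    | MaliciousActivity -> "malicious-activity"
    | Backdoor -> "backdoor"
    | RAT -> "remote-access-trojan"
    | Attribution -> "attribution"
    | Unknown -> "unknown"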
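/// STIX 2.1 `infrastructure-type-ov` open vocabulary,
/// https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html.
/// `Anonymization` shadows `IndicatorType.Anonymization` from this point on:
/// a bare `Anonymization` further down is an `InfrastructureType`, so qualify
/// it as `IndicatorType.Anonymization` when an indicator type is meant.
/// NOTE(review): the vocabulary's fallback value is "unknown"; the "undefined"
/// string is kept since callers may compare against it — confirm which one the
/// consumer expects.
type InfrastructureType =
    | Amplification
    | Anonymization
    | Botnet
    | CommandAndControl
    | Exfiltration
    | HostingMalware
    | HostingTargetLists
    | Phishing
    | Reconnaissance
    | Staging
    | Undefined

/// Returns the STIX vocabulary string for `i`. Exhaustive with no wildcard,
/// so a new constructor is a compile-time report rather than a silent
/// "undefined". (The misspelled function name is kept: `infra` below calls it.)
let nameInfrastructionType (i: InfrastructureType) =
    match i with
    | Amplification -> "amplification"
    | Anonymization -> "anonymization"
    | Botnet -> "botnet"
    | CommandAndControl -> "command-and-control"
    | Exfiltration -> "exfiltration"
    | HostingMalware -> "hosting-malware"
    | HostingTargetLists -> "hosting-target-lists"
    | Phishing -> "phishing"
    | Reconnaissance -> "reconnaissance"
    | Staging -> "staging"
    | Undefined -> "undefined"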
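/// https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_muftrcpnf89v
/// STIX 2.1 Infrastructure SDO. F# field names are unchanged for existing
/// callers; `JsonProperty` sets the wire names, because Newtonsoft uses the
/// member name by default and STIX requires lowercase `type`, `id`,
/// `modified` (there is no `updated` property) and the plural
/// `infrastructure_types`.
/// NOTE(review): a STIX id is the string `infrastructure--<uuid>`; a bare
/// `System.Guid` serializes without that prefix — confirm with the consumer.
type StixInfrastructure = {
    [<Newtonsoft.Json.JsonProperty("type")>]
    Type: string;
    spec_version: string;
    [<Newtonsoft.Json.JsonProperty("id")>]
    ID: System.Guid;
    created: string;
    [<Newtonsoft.Json.JsonProperty("modified")>]
    updated: string;
    name: string;
    description: string;
    [<Newtonsoft.Json.JsonProperty("infrastructure_types")>]
    infrastructure_type: string list;
}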
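/// https://riptutorial.com/fsharp/example/7470/simple-string-formatting
/// Builds a STIX 2.1 pattern with one equality comparison, e.g.
/// `formatPattern "ipv4-addr" "1.2.3.4"` gives `[ipv4-addr:value='1.2.3.4']`.
/// `ind` is the observed value, typically copied out of logs, so the two
/// characters that are special inside a STIX string literal (`\` and `'`) are
/// escaped; otherwise a value containing `'` would end the literal and the
/// rest would be read as pattern syntax. The comparison is wrapped in `[...]`
/// because a STIX observation expression requires the brackets. `itype` is
/// the object type chosen by the caller and is inserted as-is.
let formatPattern (itype: string) (ind: string) =
    // Backslash first, so the escapes added for quotes are not re-escaped.
    let escaped = ind.Replace("\\", "\\\\").Replace("'", "\\'")
    sprintf "[%s:value='%s']" itype escaped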
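/// https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_wfiae74706sw
/// STIX 2.1 Indicator SDO. F# field names are unchanged for existing callers;
/// `JsonProperty` sets the wire names, because Newtonsoft uses the member name
/// by default and STIX requires lowercase `type`, `id` and `modified` (there
/// is no `updated` property in STIX).
/// NOTE(review): a STIX id is the string `indicator--<uuid>`; a bare
/// `System.Guid` serializes without that prefix — confirm with the consumer.
type StixIndicator = {
    [<Newtonsoft.Json.JsonProperty("type")>]
    Type: string;
    spec_version: string;
    [<Newtonsoft.Json.JsonProperty("id")>]
    ID: System.Guid;
    created: string;
    [<Newtonsoft.Json.JsonProperty("modified")>]
    updated: string;
    name: string;
    description: string;
    indicator_types: string list;
    pattern: string;
    pattern_type: string;
    valid_from: string;
}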
/// Wrapper so one bundle list can hold both SDO kinds.
/// NOTE(review): Newtonsoft's default union converter writes F# unions as
/// `{"Case": ..., "Fields": [...]}` rather than the bare SDO object — check the
/// serialized bundle before handing it to a STIX consumer.
type StixObject =
| StixIndicator of StixIndicator
| StixInfrastructure of StixInfrastructure
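/// STIX 2.1 Bundle: `type`, `id` and `objects` (a 2.1 bundle has no
/// `spec_version`). `JsonProperty` sets the wire names, because Newtonsoft
/// uses the member name by default and STIX requires lowercase `type`/`id`.
/// NOTE(review): the id should be the string `bundle--<uuid>`; a bare Guid
/// serializes without the prefix. `objects` is a list of an F# union, which
/// Newtonsoft's default converter wraps in `Case`/`Fields` objects, so the
/// output needs a custom converter (or unwrapping) before a STIX consumer
/// will accept it.
type StixBundle = {
    [<Newtonsoft.Json.JsonProperty("id")>]
    ID: System.Guid;
    [<Newtonsoft.Json.JsonProperty("type")>]
    Type: string;
    objects: StixObject list;
}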
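/// Example Indicator SDO. One timestamp is read so `created`, `updated` and
/// `valid_from` agree; two separate `UtcNow` reads can differ by ticks, and
/// STIX requires `modified` to be no earlier than `created`.
/// NOTE(review): the STIX id should be `indicator--<uuid>`; the record holds a
/// bare Guid.
let ind : StixIndicator =
    let now = System.DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK")
    { Type = "indicator"
      spec_version = "2.1"
      ID = System.Guid.NewGuid()
      created = now
      updated = now
      description = "WordPress bruteforce login client IP"
      name = "WordPress honeypot logs for DDoS tracking and authentcation brute force from a US /32"
      indicator_types = List.map nameIndicatorType [ MaliciousActivity ]
      pattern = formatPattern "ipv4-addr" "1.2.3.4"
      pattern_type = "stix"
      valid_from = now }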
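/// Example Infrastructure SDO. A single timestamp feeds `created` and
/// `updated` so they cannot disagree (two `UtcNow` reads may differ by ticks).
/// NOTE(review): the STIX id should be `infrastructure--<uuid>`; the record
/// holds a bare Guid.
let infra : StixInfrastructure =
    let now = System.DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK")
    { Type = "infrastructure"
      spec_version = "2.1"
      ID = System.Guid.NewGuid()
      created = now
      updated = now
      name = "C2 URL"
      description = "C2 URL"
      infrastructure_type = List.map nameInfrastructionType [ CommandAndControl ] }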
/// Example bundle holding the two sample objects above, infrastructure first.
let bundle : StixBundle =
    let contents = [ StixInfrastructure infra; StixIndicator ind ]
    { ID = System.Guid.NewGuid()
      Type = "bundle"
      objects = contents }