In [1]:
import json
import pytz

import faker

In [11]:
def fill_template(n):
    """Build one synthetic STIX bundle holding ``n`` generated object triples.

    Args:
        n: Number of indicator/malware/relationship triples to request from
            ``make_objects``.

    Returns:
        A dict with the keys ``type``, ``id`` and ``objects``; ``objects`` is
        the list returned by ``make_objects(n)`` under its ``"objects"`` key.

    Relies on the module-level ``fake`` Faker instance, which must exist
    before this function is called.
    """
    # Draw the bundle id before generating objects so the order of draws from
    # the (seeded) Faker generator stays the same.
    bundle_id = f"bundle--{fake.uuid4()}"
    generated = make_objects(n)
    return {
        "type": "bundle",
        "id": bundle_id,
        "objects": generated["objects"],
    }
    
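def make_objects(n):
    """Generate ``n`` synthetic indicator / malware / relationship triples.

    Each triple is an indicator with a random URL pattern, a malware object,
    and an ``indicates`` relationship from the indicator to the malware. The
    three objects of a triple share ``created`` and ``modified`` timestamps.

    Args:
        n: Number of triples to generate; ``0`` yields an empty list.

    Returns:
        ``{"objects": [...]}`` with ``3 * n`` dicts, in the order indicator,
        malware, relationship for each triple.

    Relies on the module-level ``fake`` Faker instance.
    """
    def _stix_timestamp(moment):
        # STIX 2.1 timestamps are RFC 3339 in UTC with a literal "Z" suffix.
        # Formatting the datetime with str() yields
        # "YYYY-MM-DD HH:MM:SS+HH:MM" in a random zone, which schema
        # validators and ingestion pipelines are likely to reject.
        utc_moment = moment.astimezone(pytz.utc)
        return utc_moment.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

    objects_d = {"objects": []}
    for _ in range(n):
        indicator_uuid4, relationship_uuid4, malware_uuid4 = [str(fake.uuid4()) for _ in range(3)]
        # The random zones are kept so the sequence of Faker draws is
        # unchanged; the instants are normalised to UTC when serialised.
        created_datetime = fake.date_time_between(
            start_date='-90d', end_date='now', tzinfo=pytz.timezone(fake.timezone()))
        # modified is drawn from [created, now], so it never precedes created.
        modified_datetime = fake.date_time_between(
            start_date=created_datetime, end_date='now', tzinfo=pytz.timezone(fake.timezone()))
        created = _stix_timestamp(created_datetime)
        modified = _stix_timestamp(modified_datetime)
        random_name = fake.password(length=12, special_chars=False, upper_case=False)
        # NOTE(review): some file extensions are also real top-level domains,
        # so a generated host could be a real one. Keep these fixtures out of
        # production blocklists, or switch to a reserved TLD such as
        # ".example" if the data may be ingested anywhere live.
        random_ext = fake.file_extension()
        objects = [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{indicator_uuid4}",
            "created": created,
            "modified": modified,
            "name": "Malicious site hosting downloader",
            "description": "This organized threat actor group operates to create profit from all types of crime.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": f"[url:value = 'http://{random_name}.{random_ext}/']",
            "pattern_type": "stix",
            # Fixed constant from the template; it is not tied to `created`.
            "valid_from": "2014-06-29T13:49:37.079Z"
        }, {
            "type": "malware",
            "spec_version": "2.1",
            "id": f"malware--{malware_uuid4}",
            "created": created,
            "modified": modified,
            "name": f"{random_name} backdoor",
            "description": "This malware attempts to download remote files after establishing a foothold as a backdoor.",
            "malware_types": [
                "backdoor",
                "remote-access-trojan"
            ],
            "is_family": False,
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mandiant-attack-lifecycle-model",
                    "phase_name": "establish-foothold"
                }
            ]
        }, {
            "type": "relationship",
            "spec_version": "2.1",
            "id": f"relationship--{relationship_uuid4}",
            "created": created,
            "modified": modified,
            "relationship_type": "indicates",
            # The refs reuse the ids generated above, so every relationship
            # resolves to objects inside the same bundle.
            "source_ref": f"indicator--{indicator_uuid4}",
            "target_ref": f"malware--{malware_uuid4}"
        }]
        objects_d['objects'].extend(objects)

    return objects_d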

In [12]:
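import os

from faker import Faker

fake = Faker()
# A fixed seed makes every run emit the same "random" UUIDs. That is handy
# for reproducible fixtures, but the resulting STIX ids are not unique across
# runs, so treat the output as test data only.
Faker.seed(0)

# open() does not create missing directories; make sure the target exists.
os.makedirs('./data', exist_ok=True)

# NOTE(review): n == 0 produces a bundle whose "objects" list is empty, which
# STIX 2.1 does not permit as far as I can tell. Confirm that this is wanted
# as a negative fixture.
for n in range(3):
    bundle = fill_template(n)
    # bundle_uuid4 is a local of fill_template and is not visible here, so
    # recover the UUID from the bundle id ("bundle--<uuid>").
    bundle_uuid4 = bundle["id"].split("--", 1)[1]
    with open(f'./data/{bundle_uuid4}_{n}.json', 'w') as outfile:
        json.dump(bundle, outfile, indent=2, separators=(',', ': '))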