pycti 5.12.33__tar.gz → 6.0.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of pycti might be problematic. Click here for more details.
- {pycti-5.12.33 → pycti-6.0.0}/PKG-INFO +4 -3
- {pycti-5.12.33 → pycti-6.0.0}/README.md +2 -1
- {pycti-5.12.33 → pycti-6.0.0}/pycti/__init__.py +1 -1
- {pycti-5.12.33 → pycti-6.0.0}/pycti/connector/opencti_connector_helper.py +163 -44
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_campaign.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_case_incident.py +13 -3
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_case_rfi.py +12 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_case_rft.py +12 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_channel.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_data_component.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_event.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_external_reference.py +4 -2
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_grouping.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_incident.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_indicator.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_infrastructure.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_intrusion_set.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_malware.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_malware_analysis.py +11 -1
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_note.py +5 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_observed_data.py +10 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_report.py +27 -3
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_stix_core_object.py +127 -117
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_stix_core_relationship.py +12 -5
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_stix_cyber_observable.py +14 -2
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_stix_domain_object.py +14 -2
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_stix_object_or_stix_relationship.py +5 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_stix_sighting_relationship.py +5 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_threat_actor.py +5 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_threat_actor_group.py +5 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_threat_actor_individual.py +5 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/utils/opencti_stix2.py +83 -73
- {pycti-5.12.33 → pycti-6.0.0}/pycti.egg-info/PKG-INFO +4 -3
- {pycti-5.12.33 → pycti-6.0.0}/pycti.egg-info/requires.txt +1 -1
- {pycti-5.12.33 → pycti-6.0.0}/setup.cfg +1 -1
- {pycti-5.12.33 → pycti-6.0.0}/LICENSE +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/api/__init__.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/api/opencti_api_client.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/api/opencti_api_connector.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/api/opencti_api_playbook.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/api/opencti_api_work.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/connector/__init__.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/connector/opencti_connector.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/connector/opencti_metric_handler.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/__init__.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_attack_pattern.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_course_of_action.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_data_source.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_feedback.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_identity.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_kill_chain_phase.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_label.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_language.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_location.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_marking_definition.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_narrative.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_opinion.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_stix.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_stix_nested_ref_relationship.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_task.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_tool.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_vocabulary.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/entities/opencti_vulnerability.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/utils/__init__.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/utils/constants.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/utils/opencti_logger.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/utils/opencti_stix2_splitter.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/utils/opencti_stix2_update.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti/utils/opencti_stix2_utils.py +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti.egg-info/SOURCES.txt +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti.egg-info/dependency_links.txt +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pycti.egg-info/top_level.txt +0 -0
- {pycti-5.12.33 → pycti-6.0.0}/pyproject.toml +0 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: pycti
|
|
3
|
-
Version:
|
|
3
|
+
Version: 6.0.0
|
|
4
4
|
Summary: Python API client for OpenCTI.
|
|
5
5
|
Home-page: https://github.com/OpenCTI-Platform/client-python
|
|
6
6
|
Author: Filigran
|
|
@@ -47,7 +47,7 @@ Requires-Dist: types-python-dateutil~=2.8.19; extra == "dev"
|
|
|
47
47
|
Requires-Dist: wheel~=0.42.0; extra == "dev"
|
|
48
48
|
Provides-Extra: doc
|
|
49
49
|
Requires-Dist: autoapi~=2.0.1; extra == "doc"
|
|
50
|
-
Requires-Dist: sphinx-autodoc-typehints~=
|
|
50
|
+
Requires-Dist: sphinx-autodoc-typehints~=2.0.0; extra == "doc"
|
|
51
51
|
Requires-Dist: sphinx-rtd-theme~=2.0.0; extra == "doc"
|
|
52
52
|
|
|
53
53
|
# OpenCTI client for Python
|
|
@@ -145,4 +145,5 @@ $ pytest ./tests/02-integration/
|
|
|
145
145
|
|
|
146
146
|
OpenCTI is a product designed and developed by the company [Filigran](https://filigran.io).
|
|
147
147
|
|
|
148
|
-
|
|
148
|
+
|
|
149
|
+
|
|
@@ -93,4 +93,5 @@ $ pytest ./tests/02-integration/
|
|
|
93
93
|
|
|
94
94
|
OpenCTI is a product designed and developed by the company [Filigran](https://filigran.io).
|
|
95
95
|
|
|
96
|
-
|
|
96
|
+
|
|
97
|
+
|
|
@@ -177,7 +177,14 @@ class ListenQueue(threading.Thread):
|
|
|
177
177
|
:type callback: callable
|
|
178
178
|
"""
|
|
179
179
|
|
|
180
|
-
def __init__(
|
|
180
|
+
def __init__(
|
|
181
|
+
self,
|
|
182
|
+
helper,
|
|
183
|
+
config: Dict,
|
|
184
|
+
connector_config: Dict,
|
|
185
|
+
applicant_id,
|
|
186
|
+
callback,
|
|
187
|
+
) -> None:
|
|
181
188
|
threading.Thread.__init__(self)
|
|
182
189
|
self.pika_credentials = None
|
|
183
190
|
self.pika_parameters = None
|
|
@@ -186,6 +193,7 @@ class ListenQueue(threading.Thread):
|
|
|
186
193
|
self.helper = helper
|
|
187
194
|
self.callback = callback
|
|
188
195
|
self.config = config
|
|
196
|
+
self.connector_applicant_id = applicant_id
|
|
189
197
|
self.host = connector_config["connection"]["host"]
|
|
190
198
|
self.vhost = connector_config["connection"]["vhost"]
|
|
191
199
|
self.use_ssl = connector_config["connection"]["use_ssl"]
|
|
@@ -237,42 +245,114 @@ class ListenQueue(threading.Thread):
|
|
|
237
245
|
)
|
|
238
246
|
|
|
239
247
|
def _data_handler(self, json_data) -> None:
|
|
240
|
-
# Set the API headers
|
|
241
|
-
work_id = json_data["internal"]["work_id"]
|
|
242
|
-
self.helper.work_id = work_id
|
|
243
|
-
self.helper.playbook = None
|
|
244
|
-
if "playbook" in json_data["internal"]:
|
|
245
|
-
execution_id = json_data["internal"]["playbook"]["execution_id"]
|
|
246
|
-
execution_start = self.helper.date_now()
|
|
247
|
-
playbook_id = json_data["internal"]["playbook"]["playbook_id"]
|
|
248
|
-
data_instance_id = json_data["internal"]["playbook"]["data_instance_id"]
|
|
249
|
-
previous_bundle = json.dumps((json_data["event"]["bundle"]))
|
|
250
|
-
step_id = json_data["internal"]["playbook"]["step_id"]
|
|
251
|
-
previous_step_id = json_data["internal"]["playbook"]["previous_step_id"]
|
|
252
|
-
playbook_data = {
|
|
253
|
-
"execution_id": execution_id,
|
|
254
|
-
"execution_start": execution_start,
|
|
255
|
-
"playbook_id": playbook_id,
|
|
256
|
-
"data_instance_id": data_instance_id,
|
|
257
|
-
"previous_step_id": previous_step_id,
|
|
258
|
-
"previous_bundle": previous_bundle,
|
|
259
|
-
"step_id": step_id,
|
|
260
|
-
}
|
|
261
|
-
self.helper.playbook = playbook_data
|
|
262
|
-
|
|
263
|
-
applicant_id = json_data["internal"]["applicant_id"]
|
|
264
|
-
if applicant_id is not None:
|
|
265
|
-
self.helper.applicant_id = applicant_id
|
|
266
|
-
self.helper.api_impersonate.set_applicant_id_header(applicant_id)
|
|
267
248
|
# Execute the callback
|
|
268
249
|
try:
|
|
250
|
+
event_data = json_data["event"]
|
|
251
|
+
entity_id = event_data.get("entity_id")
|
|
252
|
+
entity_type = event_data.get("entity_type")
|
|
253
|
+
# Set the API headers
|
|
254
|
+
work_id = json_data["internal"]["work_id"]
|
|
255
|
+
self.helper.work_id = work_id
|
|
256
|
+
|
|
257
|
+
self.helper.playbook = None
|
|
258
|
+
self.helper.enrichment_shared_organizations = None
|
|
259
|
+
if self.helper.connect_type == "INTERNAL_ENRICHMENT":
|
|
260
|
+
# For enrichment connectors only, pre resolve the information
|
|
261
|
+
if entity_id is None:
|
|
262
|
+
raise ValueError(
|
|
263
|
+
"Internal enrichment must be based on a specific id"
|
|
264
|
+
)
|
|
265
|
+
default_reader_type = "Stix-Core-Object"
|
|
266
|
+
readers = self.helper.api.stix2.get_readers()
|
|
267
|
+
reader_type = (
|
|
268
|
+
entity_type if entity_type is not None else default_reader_type
|
|
269
|
+
)
|
|
270
|
+
selected_reader = (
|
|
271
|
+
readers[reader_type]
|
|
272
|
+
if reader_type in readers
|
|
273
|
+
else readers[default_reader_type]
|
|
274
|
+
)
|
|
275
|
+
opencti_entity = selected_reader(id=entity_id, withFiles=True)
|
|
276
|
+
if opencti_entity is None:
|
|
277
|
+
raise ValueError(
|
|
278
|
+
"Unable to read/access to the entity, please check that the connector permission"
|
|
279
|
+
)
|
|
280
|
+
event_data["enrichment_entity"] = opencti_entity
|
|
281
|
+
# Handle action vs playbook behavior
|
|
282
|
+
is_playbook = "playbook" in json_data["internal"]
|
|
283
|
+
# If playbook, compute object on data bundle
|
|
284
|
+
if is_playbook:
|
|
285
|
+
execution_id = json_data["internal"]["playbook"]["execution_id"]
|
|
286
|
+
execution_start = self.helper.date_now()
|
|
287
|
+
playbook_id = json_data["internal"]["playbook"]["playbook_id"]
|
|
288
|
+
data_instance_id = json_data["internal"]["playbook"][
|
|
289
|
+
"data_instance_id"
|
|
290
|
+
]
|
|
291
|
+
previous_bundle = json.dumps((json_data["event"]["bundle"]))
|
|
292
|
+
step_id = json_data["internal"]["playbook"]["step_id"]
|
|
293
|
+
previous_step_id = json_data["internal"]["playbook"][
|
|
294
|
+
"previous_step_id"
|
|
295
|
+
]
|
|
296
|
+
playbook_data = {
|
|
297
|
+
"execution_id": execution_id,
|
|
298
|
+
"execution_start": execution_start,
|
|
299
|
+
"playbook_id": playbook_id,
|
|
300
|
+
"data_instance_id": data_instance_id,
|
|
301
|
+
"previous_step_id": previous_step_id,
|
|
302
|
+
"previous_bundle": previous_bundle,
|
|
303
|
+
"step_id": step_id,
|
|
304
|
+
}
|
|
305
|
+
self.helper.playbook = playbook_data
|
|
306
|
+
bundle = event_data["bundle"]
|
|
307
|
+
stix_objects = bundle["objects"]
|
|
308
|
+
event_data["stix_objects"] = stix_objects
|
|
309
|
+
stix_entity = [e for e in stix_objects if e["id"] == entity_id][0]
|
|
310
|
+
event_data["stix_entity"] = stix_entity
|
|
311
|
+
else:
|
|
312
|
+
# If not playbook but enrichment, compute object on enrichment_entity
|
|
313
|
+
opencti_entity = event_data["enrichment_entity"]
|
|
314
|
+
stix_objects = self.helper.api.stix2.prepare_export(
|
|
315
|
+
self.helper.api.stix2.generate_export(copy.copy(opencti_entity))
|
|
316
|
+
)
|
|
317
|
+
stix_entity = [
|
|
318
|
+
e
|
|
319
|
+
for e in stix_objects
|
|
320
|
+
if e["id"] == opencti_entity["standard_id"]
|
|
321
|
+
][0]
|
|
322
|
+
event_data["stix_objects"] = stix_objects
|
|
323
|
+
event_data["stix_entity"] = stix_entity
|
|
324
|
+
# Handle organization propagation
|
|
325
|
+
# Keep the sharing to be re-apply automatically at send_stix_bundle stage
|
|
326
|
+
if "x_opencti_granted_refs" in event_data["stix_entity"]:
|
|
327
|
+
self.helper.enrichment_shared_organizations = event_data[
|
|
328
|
+
"stix_entity"
|
|
329
|
+
]["x_opencti_granted_refs"]
|
|
330
|
+
else:
|
|
331
|
+
self.helper.enrichment_shared_organizations = (
|
|
332
|
+
self.helper.get_attribute_in_extension(
|
|
333
|
+
"granted_refs", event_data["stix_entity"]
|
|
334
|
+
)
|
|
335
|
+
)
|
|
336
|
+
|
|
337
|
+
# Handle applicant_id for in-personalization
|
|
338
|
+
self.helper.applicant_id = self.connector_applicant_id
|
|
339
|
+
self.helper.api_impersonate.set_applicant_id_header(
|
|
340
|
+
self.connector_applicant_id
|
|
341
|
+
)
|
|
342
|
+
applicant_id = json_data["internal"]["applicant_id"]
|
|
343
|
+
if applicant_id is not None:
|
|
344
|
+
self.helper.applicant_id = applicant_id
|
|
345
|
+
self.helper.api_impersonate.set_applicant_id_header(applicant_id)
|
|
346
|
+
|
|
269
347
|
if work_id:
|
|
270
348
|
self.helper.api.work.to_received(
|
|
271
349
|
work_id, "Connector ready to process the operation"
|
|
272
350
|
)
|
|
273
|
-
|
|
351
|
+
# Send the enriched to the callback
|
|
352
|
+
message = self.callback(event_data)
|
|
274
353
|
if work_id:
|
|
275
354
|
self.helper.api.work.to_processed(work_id, message)
|
|
355
|
+
|
|
276
356
|
except Exception as e: # pylint: disable=broad-except
|
|
277
357
|
self.helper.metric.inc("error_count")
|
|
278
358
|
self.helper.connector_logger.error(
|
|
@@ -641,13 +721,7 @@ class OpenCTIConnectorHelper: # pylint: disable=too-many-public-methods
|
|
|
641
721
|
self.connect_name = get_config_variable(
|
|
642
722
|
"CONNECTOR_NAME", ["connector", "name"], config
|
|
643
723
|
)
|
|
644
|
-
self.connect_confidence_level =
|
|
645
|
-
"CONNECTOR_CONFIDENCE_LEVEL",
|
|
646
|
-
["connector", "confidence_level"],
|
|
647
|
-
config,
|
|
648
|
-
True,
|
|
649
|
-
50,
|
|
650
|
-
)
|
|
724
|
+
self.connect_confidence_level = None # Deprecated since OpenCTI version >= 6.0
|
|
651
725
|
self.connect_scope = get_config_variable(
|
|
652
726
|
"CONNECTOR_SCOPE", ["connector", "scope"], config
|
|
653
727
|
)
|
|
@@ -729,9 +803,10 @@ class OpenCTIConnectorHelper: # pylint: disable=too-many-public-methods
|
|
|
729
803
|
self.connector_logger.info(
|
|
730
804
|
"Connector registered with ID", {"id": self.connect_id}
|
|
731
805
|
)
|
|
732
|
-
self.connector_id = connector_configuration["id"]
|
|
733
806
|
self.work_id = None
|
|
734
807
|
self.playbook = None
|
|
808
|
+
self.enrichment_shared_organizations = None
|
|
809
|
+
self.connector_id = connector_configuration["id"]
|
|
735
810
|
self.applicant_id = connector_configuration["connector_user_id"]
|
|
736
811
|
self.connector_state = connector_configuration["connector_state"]
|
|
737
812
|
self.connector_config = connector_configuration["config"]
|
|
@@ -842,7 +917,10 @@ class OpenCTIConnectorHelper: # pylint: disable=too-many-public-methods
|
|
|
842
917
|
self.metric.inc("error_count")
|
|
843
918
|
self.connector_logger.error("Error pinging the API", {"reason": str(e)})
|
|
844
919
|
|
|
845
|
-
def listen(
|
|
920
|
+
def listen(
|
|
921
|
+
self,
|
|
922
|
+
message_callback: Callable[[Dict], str],
|
|
923
|
+
) -> None:
|
|
846
924
|
"""listen for messages and register callback function
|
|
847
925
|
|
|
848
926
|
:param message_callback: callback function to process messages
|
|
@@ -850,7 +928,11 @@ class OpenCTIConnectorHelper: # pylint: disable=too-many-public-methods
|
|
|
850
928
|
"""
|
|
851
929
|
|
|
852
930
|
self.listen_queue = ListenQueue(
|
|
853
|
-
self,
|
|
931
|
+
self,
|
|
932
|
+
self.config,
|
|
933
|
+
self.connector_config,
|
|
934
|
+
self.applicant_id,
|
|
935
|
+
message_callback,
|
|
854
936
|
)
|
|
855
937
|
self.listen_queue.start()
|
|
856
938
|
|
|
@@ -971,7 +1053,7 @@ class OpenCTIConnectorHelper: # pylint: disable=too-many-public-methods
|
|
|
971
1053
|
)
|
|
972
1054
|
|
|
973
1055
|
# Push Stix2 helper
|
|
974
|
-
def send_stix2_bundle(self, bundle, **kwargs) -> list:
|
|
1056
|
+
def send_stix2_bundle(self, bundle: str, **kwargs) -> list:
|
|
975
1057
|
"""send a stix2 bundle to the API
|
|
976
1058
|
|
|
977
1059
|
:param work_id: a valid work id
|
|
@@ -994,6 +1076,44 @@ class OpenCTIConnectorHelper: # pylint: disable=too-many-public-methods
|
|
|
994
1076
|
entity_id = kwargs.get("entity_id", None)
|
|
995
1077
|
file_name = kwargs.get("file_name", None)
|
|
996
1078
|
|
|
1079
|
+
# In case of enrichment ingestion, ensure the sharing if needed
|
|
1080
|
+
if self.enrichment_shared_organizations is not None:
|
|
1081
|
+
# Every element of the bundle must be enriched with the same organizations
|
|
1082
|
+
bundle_data = json.loads(bundle)
|
|
1083
|
+
for item in bundle_data["objects"]:
|
|
1084
|
+
if (
|
|
1085
|
+
"extensions" in item
|
|
1086
|
+
and "extension-definition--ea279b3e-5c71-4632-ac08-831c66a786ba"
|
|
1087
|
+
in item["extensions"]
|
|
1088
|
+
):
|
|
1089
|
+
octi_extensions = item["extensions"][
|
|
1090
|
+
"extension-definition--ea279b3e-5c71-4632-ac08-831c66a786ba"
|
|
1091
|
+
]
|
|
1092
|
+
if octi_extensions.get("granted_refs") is not None:
|
|
1093
|
+
octi_extensions["granted_refs"] = list(
|
|
1094
|
+
set(
|
|
1095
|
+
octi_extensions["granted_refs"]
|
|
1096
|
+
+ self.enrichment_shared_organizations
|
|
1097
|
+
)
|
|
1098
|
+
)
|
|
1099
|
+
else:
|
|
1100
|
+
octi_extensions["granted_refs"] = (
|
|
1101
|
+
self.enrichment_shared_organizations
|
|
1102
|
+
)
|
|
1103
|
+
else:
|
|
1104
|
+
if item.get("x_opencti_granted_refs") is not None:
|
|
1105
|
+
item["x_opencti_granted_refs"] = list(
|
|
1106
|
+
set(
|
|
1107
|
+
item["x_opencti_granted_refs"]
|
|
1108
|
+
+ self.enrichment_shared_organizations
|
|
1109
|
+
)
|
|
1110
|
+
)
|
|
1111
|
+
else:
|
|
1112
|
+
item["x_opencti_granted_refs"] = (
|
|
1113
|
+
self.enrichment_shared_organizations
|
|
1114
|
+
)
|
|
1115
|
+
bundle = json.dumps(bundle_data)
|
|
1116
|
+
|
|
997
1117
|
if self.playbook is not None:
|
|
998
1118
|
self.api.playbook.playbook_step_execution(self.playbook, bundle)
|
|
999
1119
|
return [bundle]
|
|
@@ -1340,10 +1460,9 @@ class OpenCTIConnectorHelper: # pylint: disable=too-many-public-methods
|
|
|
1340
1460
|
][key]
|
|
1341
1461
|
return None
|
|
1342
1462
|
|
|
1343
|
-
def get_data_from_enrichment(self, data, opencti_entity):
|
|
1344
|
-
stix_id = opencti_entity["standard_id"]
|
|
1463
|
+
def get_data_from_enrichment(self, data, standard_id, opencti_entity):
|
|
1345
1464
|
bundle = data.get("bundle", None)
|
|
1346
|
-
# Extract
|
|
1465
|
+
# Extract main entity from bundle in case of playbook
|
|
1347
1466
|
if bundle is None:
|
|
1348
1467
|
# Generate bundle
|
|
1349
1468
|
stix_objects = self.api.stix2.prepare_export(
|
|
@@ -1351,7 +1470,7 @@ class OpenCTIConnectorHelper: # pylint: disable=too-many-public-methods
|
|
|
1351
1470
|
)
|
|
1352
1471
|
else:
|
|
1353
1472
|
stix_objects = bundle["objects"]
|
|
1354
|
-
stix_entity = [e for e in stix_objects if e["id"] ==
|
|
1473
|
+
stix_entity = [e for e in stix_objects if e["id"] == standard_id][0]
|
|
1355
1474
|
return {
|
|
1356
1475
|
"stix_entity": stix_entity,
|
|
1357
1476
|
"stix_objects": stix_objects,
|
|
@@ -47,6 +47,11 @@ class Campaign:
|
|
|
47
47
|
x_opencti_lastname
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
+
objectOrganization {
|
|
51
|
+
id
|
|
52
|
+
standard_id
|
|
53
|
+
name
|
|
54
|
+
}
|
|
50
55
|
objectMarking {
|
|
51
56
|
id
|
|
52
57
|
standard_id
|
|
@@ -128,6 +133,11 @@ class Campaign:
|
|
|
128
133
|
x_opencti_lastname
|
|
129
134
|
}
|
|
130
135
|
}
|
|
136
|
+
objectOrganization {
|
|
137
|
+
id
|
|
138
|
+
standard_id
|
|
139
|
+
name
|
|
140
|
+
}
|
|
131
141
|
objectMarking {
|
|
132
142
|
id
|
|
133
143
|
standard_id
|
|
@@ -47,6 +47,11 @@ class CaseIncident:
|
|
|
47
47
|
x_opencti_lastname
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
+
objectOrganization {
|
|
51
|
+
id
|
|
52
|
+
standard_id
|
|
53
|
+
name
|
|
54
|
+
}
|
|
50
55
|
objectMarking {
|
|
51
56
|
id
|
|
52
57
|
standard_id
|
|
@@ -96,7 +101,9 @@ class CaseIncident:
|
|
|
96
101
|
description
|
|
97
102
|
due_date
|
|
98
103
|
status {
|
|
104
|
+
id
|
|
99
105
|
template {
|
|
106
|
+
id
|
|
100
107
|
name
|
|
101
108
|
color
|
|
102
109
|
}
|
|
@@ -256,6 +263,11 @@ class CaseIncident:
|
|
|
256
263
|
x_opencti_lastname
|
|
257
264
|
}
|
|
258
265
|
}
|
|
266
|
+
objectOrganization {
|
|
267
|
+
id
|
|
268
|
+
standard_id
|
|
269
|
+
name
|
|
270
|
+
}
|
|
259
271
|
objectMarking {
|
|
260
272
|
id
|
|
261
273
|
standard_id
|
|
@@ -843,9 +855,7 @@ class CaseIncident:
|
|
|
843
855
|
)
|
|
844
856
|
if "x_opencti_workflow_id" not in stix_object:
|
|
845
857
|
stix_object["x_opencti_workflow_id"] = (
|
|
846
|
-
self.opencti.get_attribute_in_extension(
|
|
847
|
-
"x_opencti_workflow_id", stix_object
|
|
848
|
-
)
|
|
858
|
+
self.opencti.get_attribute_in_extension("workflow_id", stix_object)
|
|
849
859
|
)
|
|
850
860
|
if "x_opencti_assignee_ids" not in stix_object:
|
|
851
861
|
stix_object["x_opencti_assignee_ids"] = (
|
|
@@ -47,6 +47,11 @@ class CaseRfi:
|
|
|
47
47
|
x_opencti_lastname
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
+
objectOrganization {
|
|
51
|
+
id
|
|
52
|
+
standard_id
|
|
53
|
+
name
|
|
54
|
+
}
|
|
50
55
|
objectMarking {
|
|
51
56
|
id
|
|
52
57
|
standard_id
|
|
@@ -95,7 +100,9 @@ class CaseRfi:
|
|
|
95
100
|
description
|
|
96
101
|
due_date
|
|
97
102
|
status {
|
|
103
|
+
id
|
|
98
104
|
template {
|
|
105
|
+
id
|
|
99
106
|
name
|
|
100
107
|
color
|
|
101
108
|
}
|
|
@@ -255,6 +262,11 @@ class CaseRfi:
|
|
|
255
262
|
x_opencti_lastname
|
|
256
263
|
}
|
|
257
264
|
}
|
|
265
|
+
objectOrganization {
|
|
266
|
+
id
|
|
267
|
+
standard_id
|
|
268
|
+
name
|
|
269
|
+
}
|
|
258
270
|
objectMarking {
|
|
259
271
|
id
|
|
260
272
|
standard_id
|
|
@@ -47,6 +47,11 @@ class CaseRft:
|
|
|
47
47
|
x_opencti_lastname
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
+
objectOrganization {
|
|
51
|
+
id
|
|
52
|
+
standard_id
|
|
53
|
+
name
|
|
54
|
+
}
|
|
50
55
|
objectMarking {
|
|
51
56
|
id
|
|
52
57
|
standard_id
|
|
@@ -95,7 +100,9 @@ class CaseRft:
|
|
|
95
100
|
description
|
|
96
101
|
due_date
|
|
97
102
|
status {
|
|
103
|
+
id
|
|
98
104
|
template {
|
|
105
|
+
id
|
|
99
106
|
name
|
|
100
107
|
color
|
|
101
108
|
}
|
|
@@ -255,6 +262,11 @@ class CaseRft:
|
|
|
255
262
|
x_opencti_lastname
|
|
256
263
|
}
|
|
257
264
|
}
|
|
265
|
+
objectOrganization {
|
|
266
|
+
id
|
|
267
|
+
standard_id
|
|
268
|
+
name
|
|
269
|
+
}
|
|
258
270
|
objectMarking {
|
|
259
271
|
id
|
|
260
272
|
standard_id
|
|
@@ -47,6 +47,11 @@ class Channel:
|
|
|
47
47
|
x_opencti_lastname
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
+
objectOrganization {
|
|
51
|
+
id
|
|
52
|
+
standard_id
|
|
53
|
+
name
|
|
54
|
+
}
|
|
50
55
|
objectMarking {
|
|
51
56
|
id
|
|
52
57
|
standard_id
|
|
@@ -126,6 +131,11 @@ class Channel:
|
|
|
126
131
|
x_opencti_lastname
|
|
127
132
|
}
|
|
128
133
|
}
|
|
134
|
+
objectOrganization {
|
|
135
|
+
id
|
|
136
|
+
standard_id
|
|
137
|
+
name
|
|
138
|
+
}
|
|
129
139
|
objectMarking {
|
|
130
140
|
id
|
|
131
141
|
standard_id
|
|
@@ -47,6 +47,11 @@ class DataComponent:
|
|
|
47
47
|
x_opencti_lastname
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
+
objectOrganization {
|
|
51
|
+
id
|
|
52
|
+
standard_id
|
|
53
|
+
name
|
|
54
|
+
}
|
|
50
55
|
objectMarking {
|
|
51
56
|
id
|
|
52
57
|
standard_id
|
|
@@ -143,6 +148,11 @@ class DataComponent:
|
|
|
143
148
|
x_opencti_lastname
|
|
144
149
|
}
|
|
145
150
|
}
|
|
151
|
+
objectOrganization {
|
|
152
|
+
id
|
|
153
|
+
standard_id
|
|
154
|
+
name
|
|
155
|
+
}
|
|
146
156
|
objectMarking {
|
|
147
157
|
id
|
|
148
158
|
standard_id
|
|
@@ -47,6 +47,11 @@ class Event:
|
|
|
47
47
|
x_opencti_lastname
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
+
objectOrganization {
|
|
51
|
+
id
|
|
52
|
+
standard_id
|
|
53
|
+
name
|
|
54
|
+
}
|
|
50
55
|
objectMarking {
|
|
51
56
|
id
|
|
52
57
|
standard_id
|
|
@@ -128,6 +133,11 @@ class Event:
|
|
|
128
133
|
x_opencti_lastname
|
|
129
134
|
}
|
|
130
135
|
}
|
|
136
|
+
objectOrganization {
|
|
137
|
+
id
|
|
138
|
+
standard_id
|
|
139
|
+
name
|
|
140
|
+
}
|
|
131
141
|
objectMarking {
|
|
132
142
|
id
|
|
133
143
|
standard_id
|
|
@@ -268,14 +268,15 @@ class ExternalReference:
|
|
|
268
268
|
id = kwargs.get("id", None)
|
|
269
269
|
file_name = kwargs.get("file_name", None)
|
|
270
270
|
data = kwargs.get("data", None)
|
|
271
|
+
version = kwargs.get("version")
|
|
271
272
|
mime_type = kwargs.get("mime_type", "text/plain")
|
|
272
273
|
no_trigger_import = kwargs.get("no_trigger_import", False)
|
|
273
274
|
if id is not None and file_name is not None:
|
|
274
275
|
final_file_name = os.path.basename(file_name)
|
|
275
276
|
query = """
|
|
276
|
-
mutation ExternalReferenceEdit($id: ID!, $file: Upload!, $noTriggerImport: Boolean) {
|
|
277
|
+
mutation ExternalReferenceEdit($id: ID!, $file: Upload!, $version: String, $noTriggerImport: Boolean) {
|
|
277
278
|
externalReferenceEdit(id: $id) {
|
|
278
|
-
importPush(file: $file, noTriggerImport: $noTriggerImport) {
|
|
279
|
+
importPush(file: $file, version: $version, noTriggerImport: $noTriggerImport) {
|
|
279
280
|
id
|
|
280
281
|
name
|
|
281
282
|
}
|
|
@@ -297,6 +298,7 @@ class ExternalReference:
|
|
|
297
298
|
{
|
|
298
299
|
"id": id,
|
|
299
300
|
"file": (self.file(final_file_name, data, mime_type)),
|
|
301
|
+
"version": version,
|
|
300
302
|
"noTriggerImport": (
|
|
301
303
|
no_trigger_import
|
|
302
304
|
if isinstance(no_trigger_import, bool)
|
|
@@ -47,6 +47,11 @@ class Grouping:
|
|
|
47
47
|
x_opencti_lastname
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
+
objectOrganization {
|
|
51
|
+
id
|
|
52
|
+
standard_id
|
|
53
|
+
name
|
|
54
|
+
}
|
|
50
55
|
objectMarking {
|
|
51
56
|
id
|
|
52
57
|
standard_id
|
|
@@ -221,6 +226,11 @@ class Grouping:
|
|
|
221
226
|
x_opencti_lastname
|
|
222
227
|
}
|
|
223
228
|
}
|
|
229
|
+
objectOrganization {
|
|
230
|
+
id
|
|
231
|
+
standard_id
|
|
232
|
+
name
|
|
233
|
+
}
|
|
224
234
|
objectMarking {
|
|
225
235
|
id
|
|
226
236
|
standard_id
|
|
@@ -48,6 +48,11 @@ class Incident:
|
|
|
48
48
|
x_opencti_lastname
|
|
49
49
|
}
|
|
50
50
|
}
|
|
51
|
+
objectOrganization {
|
|
52
|
+
id
|
|
53
|
+
standard_id
|
|
54
|
+
name
|
|
55
|
+
}
|
|
51
56
|
objectMarking {
|
|
52
57
|
id
|
|
53
58
|
standard_id
|
|
@@ -132,6 +137,11 @@ class Incident:
|
|
|
132
137
|
x_opencti_lastname
|
|
133
138
|
}
|
|
134
139
|
}
|
|
140
|
+
objectOrganization {
|
|
141
|
+
id
|
|
142
|
+
standard_id
|
|
143
|
+
name
|
|
144
|
+
}
|
|
135
145
|
objectMarking {
|
|
136
146
|
id
|
|
137
147
|
standard_id
|
|
@@ -56,6 +56,11 @@ class Indicator:
|
|
|
56
56
|
x_opencti_lastname
|
|
57
57
|
}
|
|
58
58
|
}
|
|
59
|
+
objectOrganization {
|
|
60
|
+
id
|
|
61
|
+
standard_id
|
|
62
|
+
name
|
|
63
|
+
}
|
|
59
64
|
objectMarking {
|
|
60
65
|
id
|
|
61
66
|
standard_id
|
|
@@ -166,6 +171,11 @@ class Indicator:
|
|
|
166
171
|
x_opencti_lastname
|
|
167
172
|
}
|
|
168
173
|
}
|
|
174
|
+
objectOrganization {
|
|
175
|
+
id
|
|
176
|
+
standard_id
|
|
177
|
+
name
|
|
178
|
+
}
|
|
169
179
|
objectMarking {
|
|
170
180
|
id
|
|
171
181
|
standard_id
|
|
@@ -52,6 +52,11 @@ class Infrastructure:
|
|
|
52
52
|
x_opencti_lastname
|
|
53
53
|
}
|
|
54
54
|
}
|
|
55
|
+
objectOrganization {
|
|
56
|
+
id
|
|
57
|
+
standard_id
|
|
58
|
+
name
|
|
59
|
+
}
|
|
55
60
|
objectMarking {
|
|
56
61
|
id
|
|
57
62
|
standard_id
|
|
@@ -142,6 +147,11 @@ class Infrastructure:
|
|
|
142
147
|
x_opencti_lastname
|
|
143
148
|
}
|
|
144
149
|
}
|
|
150
|
+
objectOrganization {
|
|
151
|
+
id
|
|
152
|
+
standard_id
|
|
153
|
+
name
|
|
154
|
+
}
|
|
145
155
|
objectMarking {
|
|
146
156
|
id
|
|
147
157
|
standard_id
|