forked from OpenCTI-Platform/client-python
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathopencti_threat_actor_individual.py
501 lines (471 loc) · 19.4 KB
/
opencti_threat_actor_individual.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
# coding: utf-8
import json
import uuid
from typing import Union
from stix2.canonicalization.Canonicalize import canonicalize
class ThreatActorIndividual:
"""Main ThreatActorIndividual class for OpenCTI
:param opencti: instance of :py:class:`~pycti.api.opencti_api_client.OpenCTIApiClient`
"""
def __init__(self, opencti):
"""Create an instance of ThreatActorIndividual"""
self.opencti = opencti
self.properties = """
id
standard_id
entity_type
parent_types
spec_version
created_at
updated_at
createdBy {
... on Identity {
id
standard_id
entity_type
parent_types
spec_version
identity_class
name
description
roles
contact_information
x_opencti_aliases
created
modified
objectLabel {
id
value
color
}
}
... on Organization {
x_opencti_organization_type
x_opencti_reliability
}
... on Individual {
x_opencti_firstname
x_opencti_lastname
}
}
objectOrganization {
id
standard_id
name
}
objectMarking {
id
standard_id
entity_type
definition_type
definition
created
modified
x_opencti_order
x_opencti_color
}
objectLabel {
id
value
color
}
externalReferences {
edges {
node {
id
standard_id
entity_type
source_name
description
url
hash
external_id
created
modified
importFiles {
edges {
node {
id
name
size
metaData {
mimetype
version
}
}
}
}
}
}
}
revoked
confidence
created
modified
name
description
aliases
threat_actor_types
first_seen
last_seen
roles
goals
sophistication
resource_level
primary_motivation
secondary_motivations
personal_motivations
importFiles {
edges {
node {
id
name
size
metaData {
mimetype
version
}
}
}
}
"""
@staticmethod
def generate_id(name):
name = name.lower().strip()
data = {"name": name, "opencti_type": "Threat-Actor-Individual"}
data = canonicalize(data, utf8=False)
id = str(uuid.uuid5(uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7"), data))
return "threat-actor--" + id
def list(self, **kwargs) -> dict:
"""List Threat-Actor-Individual objects
The list method accepts the following kwargs:
:param list filters: (optional) the filters to apply
:param str search: (optional) a search keyword to apply for the listing
:param int first: (optional) return the first n rows from the `after` ID
or the beginning if not set
:param str after: (optional) OpenCTI object ID of the first row for pagination
:param str orderBy: (optional) the field to order the response on
:param bool orderMode: (optional) either "`asc`" or "`desc`"
:param bool getAll: (optional) switch to return all entries (be careful to use this without any other filters)
:param bool withPagination: (optional) switch to use pagination
"""
filters = kwargs.get("filters", None)
search = kwargs.get("search", None)
first = kwargs.get("first", 500)
after = kwargs.get("after", None)
order_by = kwargs.get("orderBy", None)
order_mode = kwargs.get("orderMode", None)
custom_attributes = kwargs.get("customAttributes", None)
get_all = kwargs.get("getAll", False)
with_pagination = kwargs.get("withPagination", False)
if get_all:
first = 500
self.opencti.app_logger.info(
"Listing Threat-Actors-Individual with filters",
{"filters": json.dumps(filters)},
)
query = (
"""
query ThreatActorsIndividual($filters: FilterGroup, $search: String, $first: Int, $after: ID, $orderBy: ThreatActorsIndividualOrdering, $orderMode: OrderingMode) {
threatActorsIndividuals(filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {
edges {
node {
"""
+ (custom_attributes if custom_attributes is not None else self.properties)
+ """
}
}
pageInfo {
startCursor
endCursor
hasNextPage
hasPreviousPage
globalCount
}
}
}
"""
)
result = self.opencti.query(
query,
{
"filters": filters,
"search": search,
"first": first,
"after": after,
"orderBy": order_by,
"orderMode": order_mode,
},
)
return self.opencti.process_multiple(
result["data"]["threatActorsIndividuals"], with_pagination
)
def read(self, **kwargs) -> Union[dict, None]:
"""Read a Threat-Actor-Individual object
read can be either used with a known OpenCTI entity `id` or by using a
valid filter to search and return a single Threat-Actor-Group entity or None.
The list method accepts the following kwargs.
Note: either `id` or `filters` is required.
:param str id: the id of the Threat-Actor-Individual
:param list filters: the filters to apply if no id provided
"""
id = kwargs.get("id", None)
filters = kwargs.get("filters", None)
custom_attributes = kwargs.get("customAttributes", None)
if id is not None:
self.opencti.app_logger.info("Reading Threat-Actor-Individual", {"id": id})
query = (
"""
query ThreatActorIndividual($id: String!) {
threatActorIndividual(id: $id) {
"""
+ (
custom_attributes
if custom_attributes is not None
else self.properties
)
+ """
}
}
"""
)
result = self.opencti.query(query, {"id": id})
return self.opencti.process_multiple_fields(
result["data"]["threatActorIndividual"]
)
elif filters is not None:
result = self.list(filters=filters)
if len(result) > 0:
return result[0]
else:
return None
else:
self.opencti.app_logger.error(
"[opencti_threat_actor_individual] Missing parameters: id or filters"
)
return None
def create(self, **kwargs):
"""Create a Threat-Actor-Individual object
The Threat-Actor-Individual entity will only be created if it doesn't exists
By setting `update` to `True` it acts like an upsert and updates
fields of an existing Threat-Actor-Individual entity.
The create method accepts the following kwargs.
Note: `name` and `description` or `stix_id` is required.
:param str stix_id: stix2 id reference for the Threat-Actor-Individual entity
:param str createdBy: (optional) id of the organization that created the knowledge
:param list objectMarking: (optional) list of OpenCTI markin definition ids
:param list objectLabel: (optional) list of OpenCTI label ids
:param list externalReferences: (optional) list of OpenCTI external references ids
:param bool revoked: is this entity revoked
:param int confidence: confidence level
:param str lang: language
:param str created: (optional) date in OpenCTI date format
:param str modified: (optional) date in OpenCTI date format
:param str name: name of the threat actor individual
:param str description: description of the threat actor individual
:param list aliases: (optional) list of alias names for the Threat-Actor-Individual
:param list threat_actor_types: (optional) list of threat actor types
:param str first_seen: (optional) date in OpenCTI date format
:param str last_seen: (optional) date in OpenCTI date format
:param list roles: (optional) list of roles
:param list goals: (optional) list of goals
:param str sophistication: (optional) describe the actors sophistication in text
:param str resource_level: (optional) describe the actors resource_level in text
:param str primary_motivation: (optional) describe the actors primary_motivation in text
:param list secondary_motivations: (optional) describe the actors secondary_motivations in list of string
:param list personal_motivations: (optional) describe the actors personal_motivations in list of strings
:param bool update: (optional) choose to updated an existing Threat-Actor-Individual entity, default `False`
"""
stix_id = kwargs.get("stix_id", None)
created_by = kwargs.get("createdBy", None)
object_marking = kwargs.get("objectMarking", None)
object_label = kwargs.get("objectLabel", None)
external_references = kwargs.get("externalReferences", None)
revoked = kwargs.get("revoked", None)
confidence = kwargs.get("confidence", None)
lang = kwargs.get("lang", None)
created = kwargs.get("created", None)
modified = kwargs.get("modified", None)
name = kwargs.get("name", None)
description = kwargs.get("description", None)
aliases = kwargs.get("aliases", None)
threat_actor_types = kwargs.get("threat_actor_types", None)
first_seen = kwargs.get("first_seen", None)
last_seen = kwargs.get("last_seen", None)
goals = kwargs.get("goals", None)
sophistication = kwargs.get("sophistication", None)
resource_level = kwargs.get("resource_level", None)
primary_motivation = kwargs.get("primary_motivation", None)
secondary_motivations = kwargs.get("secondary_motivations", None)
personal_motivations = kwargs.get("personal_motivations", None)
x_opencti_stix_ids = kwargs.get("x_opencti_stix_ids", None)
granted_refs = kwargs.get("objectOrganization", None)
x_opencti_workflow_id = kwargs.get("x_opencti_workflow_id", None)
update = kwargs.get("update", False)
if name is not None:
self.opencti.app_logger.info(
"Creating Threat-Actor-Individual", {"name": name}
)
query = """
mutation ThreatActorIndividualAdd($input: ThreatActorIndividualAddInput!) {
threatActorIndividualAdd(input: $input) {
id
standard_id
entity_type
parent_types
}
}
"""
result = self.opencti.query(
query,
{
"input": {
"stix_id": stix_id,
"createdBy": created_by,
"objectMarking": object_marking,
"objectLabel": object_label,
"objectOrganization": granted_refs,
"externalReferences": external_references,
"revoked": revoked,
"confidence": confidence,
"lang": lang,
"created": created,
"modified": modified,
"name": name,
"description": description,
"aliases": aliases,
"threat_actor_types": threat_actor_types,
"first_seen": first_seen,
"last_seen": last_seen,
"goals": goals,
"sophistication": sophistication,
"resource_level": resource_level,
"primary_motivation": primary_motivation,
"secondary_motivations": secondary_motivations,
"personal_motivations": personal_motivations,
"x_opencti_stix_ids": x_opencti_stix_ids,
"x_opencti_workflow_id": x_opencti_workflow_id,
"update": update,
}
},
)
return self.opencti.process_multiple_fields(
result["data"]["threatActorIndividualAdd"]
)
else:
self.opencti.app_logger.error(
"[opencti_threat_actor_individual] Missing parameters: name and description"
)
"""
Import an Threat-Actor-Individual object from a STIX2 object
:param stixObject: the Stix-Object Intrusion-Set
:return Intrusion-Set object
"""
def import_from_stix2(self, **kwargs):
stix_object = kwargs.get("stixObject", None)
extras = kwargs.get("extras", {})
update = kwargs.get("update", False)
if stix_object is not None:
# Search in extensions
if "x_opencti_stix_ids" not in stix_object:
stix_object["x_opencti_stix_ids"] = (
self.opencti.get_attribute_in_extension("stix_ids", stix_object)
)
if "x_opencti_granted_refs" not in stix_object:
stix_object["x_opencti_granted_refs"] = (
self.opencti.get_attribute_in_extension("granted_refs", stix_object)
)
if "x_opencti_workflow_id" not in stix_object:
stix_object["x_opencti_workflow_id"] = (
self.opencti.get_attribute_in_extension("workflow_id", stix_object)
)
return self.create(
stix_id=stix_object["id"],
createdBy=(
extras["created_by_id"] if "created_by_id" in extras else None
),
objectMarking=(
extras["object_marking_ids"]
if "object_marking_ids" in extras
else None
),
objectLabel=(
extras["object_label_ids"] if "object_label_ids" in extras else None
),
externalReferences=(
extras["external_references_ids"]
if "external_references_ids" in extras
else None
),
revoked=stix_object["revoked"] if "revoked" in stix_object else None,
confidence=(
stix_object["confidence"] if "confidence" in stix_object else None
),
lang=stix_object["lang"] if "lang" in stix_object else None,
created=stix_object["created"] if "created" in stix_object else None,
modified=stix_object["modified"] if "modified" in stix_object else None,
name=stix_object["name"],
description=(
self.opencti.stix2.convert_markdown(stix_object["description"])
if "description" in stix_object
else None
),
aliases=self.opencti.stix2.pick_aliases(stix_object),
threat_actor_types=(
stix_object["threat_actor_types"]
if "threat_actor_types" in stix_object
else None
),
first_seen=(
stix_object["first_seen"] if "first_seen" in stix_object else None
),
last_seen=(
stix_object["last_seen"] if "last_seen" in stix_object else None
),
goals=stix_object["goals"] if "goals" in stix_object else None,
sophistication=(
stix_object["sophistication"]
if "sophistication" in stix_object
else None
),
resource_level=(
stix_object["resource_level"]
if "resource_level" in stix_object
else None
),
primary_motivation=(
stix_object["primary_motivation"]
if "primary_motivation" in stix_object
else None
),
secondary_motivations=(
stix_object["secondary_motivations"]
if "secondary_motivations" in stix_object
else None
),
personal_motivations=(
stix_object["personal_motivations"]
if "personal_motivations" in stix_object
else None
),
x_opencti_stix_ids=(
stix_object["x_opencti_stix_ids"]
if "x_opencti_stix_ids" in stix_object
else None
),
objectOrganization=(
stix_object["x_opencti_granted_refs"]
if "x_opencti_granted_refs" in stix_object
else None
),
x_opencti_workflow_id=(
stix_object["x_opencti_workflow_id"]
if "x_opencti_workflow_id" in stix_object
else None
),
update=update,
)
else:
self.opencti.app_logger.error(
"[opencti_threat_actor_individual] Missing parameters: stixObject"
)