|
1 | 1 | # coding: utf-8
|
2 | 2 |
|
3 | 3 | import datetime
|
| 4 | +from dateutil.parser import parse |
4 | 5 |
|
5 | 6 | from pycti import OpenCTIApiClient
|
6 | 7 |
|
7 | 8 | # Variables
|
8 |
| -api_url = 'http://localhost:4000' |
| 9 | +api_url = 'https://demo.opencti.io' |
9 | 10 | api_token = '22566f94-9091-49ba-b583-efd76cf8b29c'
|
10 | 11 |
|
11 | 12 | # OpenCTI initialization
|
12 | 13 | opencti_api_client = OpenCTIApiClient(api_url, api_token)
|
13 | 14 |
|
| 15 | +# Define the date |
| 16 | +date = parse('2019-12-01').strftime('%Y-%m-%dT%H:%M:%SZ') |
| 17 | + |
14 | 18 | # Create the incident
|
15 | 19 | incident = opencti_api_client.incident.create(
|
16 | 20 | name="My new incident",
|
|
23 | 27 | report = opencti_api_client.report.create(
|
24 | 28 | name="Report about my new incident",
|
25 | 29 | description="Forensics and investigation report",
|
26 |
| - published=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ'), |
| 30 | + published=date, |
27 | 31 | report_class="Internal Report"
|
28 | 32 | )
|
29 | 33 | print(report)
|
|
43 | 47 | toId=ttp1['id'],
|
44 | 48 | relationship_type='uses',
|
45 | 49 | description='We saw the attacker use Spearphishing Attachment.',
|
46 |
| - first_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ'), |
47 |
| - last_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ') |
| 50 | + first_seen=date, |
| 51 | + last_seen=date |
48 | 52 | )
|
49 | 53 | # Add kill chain phases to the relation
|
50 | 54 | for kill_chain_phase_id in ttp1['killChainPhasesIds']:
|
|
64 | 68 | toId=ttp1_relation['id'],
|
65 | 69 | relationship_type='indicates',
|
66 | 70 | description='This email address is the sender of the spearphishing.',
|
67 |
| - first_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ'), |
68 |
| - last_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ') |
| 71 | + first_seen=date, |
| 72 | + last_seen=date |
69 | 73 | )
|
70 | 74 | # Elements for the report
|
71 | 75 | object_refs.extend([ttp1['id'], ttp1_relation['id'], observable_ttp1['id'], observable_ttp1_relation['id']])
|
|
81 | 85 | toId=ttp2['id'],
|
82 | 86 | relationship_type='uses',
|
83 | 87 | description='We saw the attacker use Registry Run Keys / Startup Folder.',
|
84 |
| - first_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ'), |
85 |
| - last_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ') |
| 88 | + first_seen=date, |
| 89 | + last_seen=date |
86 | 90 | )
|
87 | 91 | # Add kill chain phases to the relation
|
88 | 92 | for kill_chain_phase_id in ttp2['killChainPhasesIds']:
|
|
102 | 106 | toId=ttp2_relation['id'],
|
103 | 107 | relationship_type='indicates',
|
104 | 108 | description='This registry key is used for persistence of tools.',
|
105 |
| - first_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ'), |
106 |
| - last_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ') |
| 109 | + first_seen=date, |
| 110 | + last_seen=date |
107 | 111 | )
|
108 | 112 | # Elements for the report
|
109 | 113 | object_refs.extend([ttp2['id'], ttp2_relation['id'], observable_ttp2['id'], observable_ttp2_relation['id']])
|
|
118 | 122 | toId=ttp3['id'],
|
119 | 123 | relationship_type='uses',
|
120 | 124 | description='We saw the attacker use Data Encrypted.',
|
121 |
| - first_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ'), |
122 |
| - last_seen=datetime.datetime.today().strftime('%Y-%m-%dT%H:%M:%SZ') |
| 125 | + first_seen=date, |
| 126 | + last_seen=date |
123 | 127 | )
|
124 | 128 | # Add kill chain phases to the relation
|
125 | 129 | for kill_chain_phase_id in ttp3['killChainPhasesIds']:
|
|
132 | 136 |
|
133 | 137 | # Add all element to the report
|
134 | 138 | for object_ref in object_refs:
|
135 |
| - opencti_api_client.report.add_stix_entity(id=report['id'], entity_id=object_ref) |
| 139 | + opencti_api_client.report.add_stix_entity(id=report['id'], report=report, entity_id=object_ref) |
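Review bot: With `api_url` now pointing at a public instance (`https://demo.opencti.io`) in the first hunk, the hard-coded `api_token` on the following context line becomes a live credential committed to source; read it from the environment instead, `api_token = os.environ['OPENCTI_TOKEN']` (with `import os` at the top), and treat the value already in history as exposed. The same hunk adds `from dateutil.parser import parse` only to format a fixed date, which could be written as the literal `'2019-12-01T00:00:00Z'` without a new third-party dependency, and `import datetime` appears unused once every `datetime.datetime.today()` call is replaced, though lines outside the shown hunks may still use it. In the last hunk `add_stix_entity` is now passed both `id=report['id']` and `report=report`; a short comment such as `# pass the full report so the client can update it without a second fetch` (or whatever the actual reason is) would make the intent visible, since it cannot be inferred here.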