[examples/tests/api] Added enrichment example, OpenCTIApiWork improvements and further test cases (OpenCTI-Platform#202)

* [examples] Added ask_enrichment of Observable example

* [tests] Added OpenCTIApiWork as fixture

* [pycti] Return work_id after asking for SDO enrichment

* [pycti/tests] Migrated work related functions from test utils to OpenCTIApiWork

* [tests] Folder restructuring

* [api] Work by id query implemented

* [stix2] Added mapping for integer value SimpleObservables

* [stix2] Convert SimpleObservable values to int if the key is in the INT_VALUES list

* [tests] Created simple test case for STIX object import

* [tests] Small refactoring

* [tests] Added fixtures to STIX tests

* [tests] Changed ownclass, baseclass and stixclass to snake case and format adaptions

Author: nor3th

examples/ask_enrichment_of_observable.py

@@ -0,0 +1,47 @@
+# coding: utf-8
+from pycti import OpenCTIApiClient, OpenCTIApiConnector, OpenCTIApiWork
+
+# Variables
+api_url = "https://demo.opencti.io"
+api_token = "YOUR_TOKEN"
+# Define name of INTERNAL_ENRICHMENT Connector which can enrich IPv4 addresses
+connector_name = "AbuseIPDB"
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+opencti_api_connector = OpenCTIApiConnector(opencti_api_client)
+opencti_api_work = OpenCTIApiWork(opencti_api_client)
+
+# Create the observable
+observable = opencti_api_client.stix_cyber_observable.create(
+    **{
+        "simple_observable_key": "IPv4-Addr.value",
+        "simple_observable_value": "8.8.4.4",
+    }
+)
+
+# Get connector id for defined connector name
+connector_list = opencti_api_connector.list()
+connector_names = []
+connector_id = ""
+for connector in connector_list:
+    connector_names.append(connector["name"])
+    if connector["name"] == connector_name:
+        connector_id = connector["id"]
+
+if connector_id == "":
+    print(f"Connector with name '{connector_name}' could not be found")
+    print(f"Running connectors: {connector_names}")
+    exit(0)
+
+print("Asking for enrichment... (this might take a bit to finish)")
+# Ask for enrichment
+work_id = opencti_api_client.stix_cyber_observable.ask_for_enrichment(
+    id=observable["id"], connector_id=connector_id
+)
+# Wait for connector to finish
+opencti_api_work.wait_for_work_to_finish(work_id)
+
+# Read the observable
+obs = opencti_api_client.stix_cyber_observable.read(id=observable["id"])
+print(obs)

pycti/api/opencti_api_work.py

@@ -1,4 +1,6 @@
 import logging
+import time
+from typing import Dict, List
 
 
 class OpenCTIApiWork:
@@ -72,3 +74,138 @@ def initiate_work(self, connector_id: str, friendly_name: str) -> str:
             query, {"connectorId": connector_id, "friendlyName": friendly_name}
         )
         return work["data"]["workAdd"]["id"]
+
+    def delete_work(self, work_id: str):
+        query = """
+        mutation ConnectorWorksMutation($workId: ID!) {
+            workEdit(id: $workId) {
+                delete
+            }
+        }"""
+        work = self.api.query(
+            query,
+            {"workId": work_id},
+        )
+        return work["data"]
+
+    def wait_for_work_to_finish(self, work_id: str):
+        status = ""
+        cnt = 0
+        while status != "complete":
+            state = self.get_work(work_id=work_id)
+            if len(state) > 0:
+                status = state["status"]
+
+                if state["errors"]:
+                    self.api.log(
+                        "error", f"Unexpected connector error {state['errors']}"
+                    )
+                    return ""
+
+            time.sleep(1)
+            cnt += 1
+
+    def get_work(self, work_id: str) -> Dict:
+        query = """
+        query WorkQuery($id: ID!) {
+            work(id: $id) {
+                id
+                name
+                user {
+                    name
+                }
+                timestamp
+                status
+                event_source_id
+                received_time
+                processed_time
+                completed_time
+                tracking {
+                    import_expected_number
+                    import_processed_number
+                }
+                messages {
+                    timestamp
+                    message
+                    sequence
+                    source
+                }
+                errors {
+                    timestamp
+                    message
+                    sequence
+                    source
+                }
+            }
+        }
+        """
+        result = self.api.query(
+            query,
+            {"id": work_id},
+        )
+        return result["data"]["work"]
+
+    def get_connector_works(self, connector_id: str) -> List[Dict]:
+        query = """
+        query ConnectorWorksQuery(
+            $count: Int
+            $orderBy: WorksOrdering
+            $orderMode: OrderingMode
+            $filters: [WorksFiltering]
+        ) {
+            works(
+                first: $count
+                orderBy: $orderBy
+                orderMode: $orderMode
+                filters: $filters
+            ) {
+                edges {
+                    node {
+                        id
+                        name
+                        user {
+                            name
+                        }
+                        timestamp
+                        status
+                        event_source_id
+                        received_time
+                        processed_time
+                        completed_time
+                        tracking {
+                            import_expected_number
+                            import_processed_number
+                        }
+                        messages {
+                            timestamp
+                            message
+                            sequence
+                            source
+                        }
+                        errors {
+                            timestamp
+                            message
+                            sequence
+                            source
+                        }
+                    }
+                }
+            }
+        }
+        """
+        result = self.api.query(
+            query,
+            {
+                "count": 50,
+                "filters": [
+                    {"key": "connector_id", "values": [connector_id]},
+                ],
+            },
+        )
+        result = result["data"]["works"]["edges"]
+        return_value = []
+        for node in result:
+            node = node["node"]
+            return_value.append(node)
+
+        return sorted(return_value, key=lambda i: i["timestamp"])

pycti/entities/opencti_stix_cyber_observable.py

@@ -1728,13 +1728,13 @@ def push_list_export(self, file_name, data, list_filters=""):
             },
         )
 
-    def ask_for_enrichment(self, **kwargs):
+    def ask_for_enrichment(self, **kwargs) -> str:
         id = kwargs.get("id", None)
         connector_id = kwargs.get("connector_id", None)
 
         if id is None or connector_id is None:
             self.opencti.log("error", "Missing parameters: id and connector_id")
-            return False
+            return ""
 
         query = """
             mutation StixCoreObjectEnrichmentLinesMutation($id: ID!, $connectorId: ID!) {
@@ -1746,11 +1746,12 @@ def ask_for_enrichment(self, **kwargs):
             }
             """
 
-        self.opencti.query(
+        result = self.opencti.query(
             query,
             {
                 "id": id,
                 "connectorId": connector_id,
             },
         )
-        return True
+        # return work_id
+        return result["data"]["stixCoreObjectEdit"]["askEnrichment"]["id"]

pycti/utils/opencti_stix2.py

@@ -15,6 +15,7 @@
 from pycti.utils.constants import IdentityTypes, LocationTypes, StixCyberObservableTypes
 from pycti.utils.opencti_stix2_splitter import OpenCTIStix2Splitter
 from pycti.utils.opencti_stix2_update import OpenCTIStix2Update
+from pycti.utils.opencti_stix2_utils import OBSERVABLES_VALUE_INT
 
 datefinder.ValueError = ValueError, OverflowError
 utc = pytz.UTC
@@ -665,10 +666,13 @@ def import_observable(
             "reports": reports,
         }
         if stix_object["type"] == "x-opencti-simple-observable":
+            print(stix_object)
             stix_observable_result = self.opencti.stix_cyber_observable.create(
                 simple_observable_id=stix_object["id"],
                 simple_observable_key=stix_object["key"],
-                simple_observable_value=stix_object["value"],
+                simple_observable_value=stix_object["value"]
+                if stix_object["key"] not in OBSERVABLES_VALUE_INT
+                else int(stix_object["value"]),
                 simple_observable_description=stix_object["description"]
                 if "description" in stix_object
                 else None,

pycti/utils/opencti_stix2_utils.py

@@ -36,6 +36,12 @@
     "X-OpenCTI-Hostname": ["value"],
 }
 
+OBSERVABLES_VALUE_INT = [
+    "Autonomous-System.number",
+    "Network-Traffic.dst_port",
+    "Process.pid",
+]
+
 
 class OpenCTIStix2Utils:
     @staticmethod