[client] Migration to STIX 2.1, IDs generation rules (new schema, OpenCTI v4) (OpenCTI-Platform#105)

Author: Samuel Hassine

docs/pycti/pycti.entities.opencti_stix_domain_entity.rst

@@ -1,10 +1,10 @@
 =============================================
-``pycti.entities.opencti_stix_domain_entity``
+``pycti.entities.opencti_stix_domain_object``
 =============================================
 
-.. automodule:: pycti.entities.opencti_stix_domain_entity
+.. automodule:: pycti.entities.opencti_stix_domain_object
 
    .. contents::
       :local:
 
-.. currentmodule:: pycti.entities.opencti_stix_domain_entity
+.. currentmodule:: pycti.entities.opencti_stix_domain_object

docs/pycti/pycti.entities.rst

@@ -27,7 +27,7 @@ Submodules
    pycti.entities.opencti_note
    pycti.entities.opencti_opinion
    pycti.entities.opencti_report
-   pycti.entities.opencti_stix_domain_entity
+   pycti.entities.opencti_stix_domain_object
    pycti.entities.opencti_stix_entity
    pycti.entities.opencti_stix_observable
    pycti.entities.opencti_stix_observable_relation

examples/add_external_reference_to_report.py

@@ -27,7 +27,7 @@
 )
 
 # Add the external reference to the report
-opencti_api_client.stix_entity.add_external_reference(
+opencti_api_client.stix_domain_object.add_external_reference(
     id=report["id"], external_reference_id=external_reference["id"]
 )
 

examples/add_tag_to_malware.py

@@ -15,12 +15,12 @@
 )
 
 # Create the tag (if not exists)
-tag = opencti_api_client.tag.create(
+tag = opencti_api_client.label.create(
     tag_type="Malware-Type", value="Ranswomware", color="#ffa500",
 )
 
 # Add the tag
-opencti_api_client.stix_entity.add_tag(id=malware["id"], tag_id=tag["id"])
+opencti_api_client.stix_domain_object.add_tag(id=malware["id"], tag_id=tag["id"])
 
 # Print
 malware = opencti_api_client.malware.read(id=malware["id"])

examples/create_file_with_hashes.py

@@ -0,0 +1,24 @@
+# coding: utf-8
+
+from pycti import OpenCTIApiClient
+
+# Variables
+api_url = "https://demo.opencti.io"
+api_token = "2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2"
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+
+# Create observable
+observable = opencti_api_client.stix_cyber_observable.create(
+    observableData={
+        "type": "file",
+        "hashes": {
+            "md5": "16b3f663d0f0371a4706642c6ac04e42",
+            "sha1": "3a1f908941311fc357051b5c35fd2a4e0c834e37",
+            "sha256": "bcc70a49fab005b4cdbe0cbd87863ec622c6b2c656987d201adbb0e05ec03e56",
+        },
+    }
+)
+
+print(observable)

examples/create_hashes_and_link_together.py

@@ -57,7 +57,7 @@
 
 # Create the observable and indicator and indicates to the relation
 # Create the observable
-observable_ttp1 = opencti_api_client.stix_observable.create(
+observable_ttp1 = opencti_api_client.stix_cyber_observable.create(
     type="Email-Address", observable_value="phishing@mail.com", createIndicator=True
 )
 # Get the indicator
@@ -108,7 +108,7 @@
 
 # Create the observable and indicator and indicates to the relation
 # Create the observable
-observable_ttp2 = opencti_api_client.stix_observable.create(
+observable_ttp2 = opencti_api_client.stix_cyber_observable.create(
     type="Registry-Key", observable_value="Disk security", createIndicator=True
 )
 # Get the indicator
@@ -159,7 +159,7 @@
 
 # Add all element to the report
 for object_ref in object_refs:
-    opencti_api_client.report.add_stix_entity(
+    opencti_api_client.report.add_opencti_stix_object_or_stix_relationship(
         id=report["id"], report=report, entity_id=object_ref
     )
 for observable_ref in observable_refs:

examples/create_incident_with_ttps_and_indicators.py

@@ -49,10 +49,10 @@
 print(relation)
 
 # Create the observables (optional)
-observable_1 = opencti_api_client.stix_observable.create(
+observable_1 = opencti_api_client.stix_cyber_observable.create(
     type="Domain", observable_value="www.5z8.info"
 )
-observable_2 = opencti_api_client.stix_observable.create(
+observable_2 = opencti_api_client.stix_cyber_observable.create(
     type="IPv4-Addr", observable_value="198.51.100.1"
 )
 # Create the relation between observables and the indicator

examples/create_indicator_of_campaign.py

@@ -11,7 +11,10 @@
 
 # Create the marking definition
 marking_definition = opencti_api_client.marking_definition.create(
-    definition_type="TLP", definition="TLP:BLACK", level=10, color="#000000"
+    definition_type="TLP",
+    definition="TLP:BLACK",
+    x_opencti_order=10,
+    x_opencti_color="#000000",
 )
 
 # Print

examples/create_marking_definition.py

@@ -26,8 +26,8 @@
     name="My new report of my organization",
     description="A report wrote by my organization",
     published=date,
-    report_class="Internal Report",
-    createdByRef=organization["id"],
+    report_types=["internal-report"],
+    createdBy=organization["id"],
 )
 
 # Print

examples/create_report_with_author.py

@@ -15,4 +15,4 @@
 )
 
 # Delete the intrusion set
-opencti_api_client.stix_domain_entity.delete(id=intrusion_set["id"])
+opencti_api_client.stix_domain_object.delete(id=intrusion_set["id"])

examples/delete_intrusion_set.py

@@ -20,14 +20,14 @@
 )
 
 # Get the relations between APT28 and DealersChoice
-relations = opencti_api_client.stix_relation.list(
+relations = opencti_api_client.stix_core_relationship.list(
     fromId=intrusion_set["id"],
     fromTypes=["Intrusion-Set"],
     toId=malware["id"],
     toTypes=["Malware"],
-    relationType="uses",
+    relationship_type="uses",
 )
 
 # Delete the relations
 for relation in relations:
-    opencti_api_client.stix_relation.delete(id=relation["id"])
+    opencti_api_client.stix_core_relationship.delete(id=relation["id"])

examples/delete_relation.py

@@ -10,18 +10,13 @@
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
 
-# Get the intrusion set APT28
-intrusion_set = opencti_api_client.intrusion_set.read(
-    filters=[{"key": "name", "values": ["APT28"]}]
-)
-
 # Create the bundle
 bundle = opencti_api_client.stix2.export_entity(
-    "indicator", "356fea34-f7f5-4110-937c-47c9a5abb8fa", "full"
+    "Intrusion-Set", "4ecc2f52-d10a-4e10-bb9b-1ab5df2b282e", "full"
 )
 json_bundle = json.dumps(bundle, indent=4)
 
 # Write the bundle
-f = open("APT28_STIX2.json", "w")
+f = open("intrusion-set.json", "w")
 f.write(json_bundle)
 f.close()

examples/export_intrusion_set_stix2.py

@@ -10,11 +10,10 @@
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
 
-# Get the report
-report = opencti_api_client.report.read(id="5a3878d7-2949-4fd9-87c7-2a38c65bfa59")
-
 # Create the bundle
-bundle = opencti_api_client.stix2.export_entity("report", report["id"], "full")
+bundle = opencti_api_client.stix2.export_entity(
+    "Report", "e7c349a7-9809-4e98-87a2-ad39f32aef19", "full"
+)
 json_bundle = json.dumps(bundle, indent=4)
 
 # Write the bundle

examples/export_report_stix2.py

@@ -10,7 +10,7 @@
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
 
 # Get the ANSSI entity
-anssi = opencti_api_client.stix_domain_entity.get_by_stix_id_or_name(name="ANSSI")
+anssi = opencti_api_client.stix_domain_object.get_by_stix_id_or_name(name="ANSSI")
 
 # Print
 print(anssi)

examples/get_entity_by_name_or_alias.py

@@ -15,10 +15,10 @@
 )
 
 # Get the relations from APT28 to malwares
-stix_relations = opencti_api_client.stix_relation.list(
+stix_relations = opencti_api_client.stix_core_relationship.list(
     fromId=intrusion_set["id"], toTypes=["Malware"], inferred=True
 )
 
 # Print
 for stix_relation in stix_relations:
-    print("[" + stix_relation["to"]["stix_id_key"] + "] " + stix_relation["to"]["name"])
+    print("[" + stix_relation["to"]["stix_id"] + "] " + stix_relation["to"]["name"])

examples/get_malwares_of_intrusion_set.py

@@ -16,7 +16,7 @@
 
 # Get all reports
 reports = opencti_api_client.report.list(
-    filters=[{"key": "knowledgeContains", "values": [intrusion_set["id"]]}],
+    filters=[{"key": "objectContains", "values": [intrusion_set["id"]]}],
     orderBy="published",
     orderMode="asc",
 )
@@ -25,7 +25,7 @@
 for report in reports:
     print(
         "["
-        + report["stix_id_key"]
+        + report["stix_id"]
         + "] "
         + report["name"]
         + " ("

examples/get_reports_about_intrusion_set.py

@@ -10,7 +10,7 @@
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
 
 # File to import
-file_to_import = "./test.json"
+file_to_import = "./enterprise-attack.json"
 
 # Import the bundle
 opencti_api_client.stix2.import_bundle_from_file(file_to_import, True)

examples/import_stix2_file.py

@@ -15,6 +15,6 @@
 )
 
 # Update the description
-opencti_api_client.stix_domain_entity.update_field(
+opencti_api_client.stix_domain_object.update_field(
     id=intrusion_set["id"], key="description", value="This is APT28!"
 )

examples/update_entity_attribute.py

@@ -23,7 +23,7 @@
 print(intrusion_set)
 
 # Upload the file
-file = opencti_api_client.stix_domain_entity.add_file(
+file = opencti_api_client.stix_domain_object.add_file(
     id=intrusion_set["id"], file_name="./file.pdf",
 )
 print(file)