[client] Fix the export of incident

Samuel Hassine · Samuel Hassine · commit 08e374fde65a · 2019-12-04T19:52:01.000+01:00
diff --git a/examples/add_organization_to_sector.py b/examples/add_organization_to_sector.py
@@ -6,7 +6,7 @@
 
 # Variables
 api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/examples/create_incident_with_ttps_and_observables.py b/examples/create_incident_with_ttps_and_observables.py
@@ -6,22 +6,26 @@
 from pycti import OpenCTIApiClient
 
 # Variables
-api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_url = 'http://localhost:4000'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
 
 # Define the date
 date = parse('2019-12-01').strftime('%Y-%m-%dT%H:%M:%SZ')
 
+# Prepare all the elements of the report
+object_refs = []
+
 # Create the incident
 incident = opencti_api_client.incident.create(
     name="My new incident",
     description="We have been compromised",
     objective="Espionage"
 )
 print(incident)
+object_refs.append(incident['id'])
 
 # Create the associated report
 report = opencti_api_client.report.create(
@@ -32,9 +36,6 @@
 )
 print(report)
 
-# Prepare all the elements of the report
-object_refs = []
-
 # Associate the TTPs to the incident
 
 # Spearphishing Attachment
@@ -43,7 +44,7 @@
 ttp1_relation = opencti_api_client.stix_relation.create(
     fromType='Incident',
     fromId=incident['id'],
-    toType='Incident',
+    toType='Attack-Pattern',
     toId=ttp1['id'],
     relationship_type='uses',
     description='We saw the attacker use Spearphishing Attachment.',
@@ -56,11 +57,24 @@
         id=ttp1_relation['id'],
         kill_chain_phase_id=kill_chain_phase_id
     )
-# Add observables to the relation
+
+# Create the observable
 observable_ttp1 = opencti_api_client.stix_observable.create(
-    type='Email-Addr',
+    type='Email-Address',
     observable_value='phishing@mail.com'
 )
+# Indicates the incident itself
+observable_ttp1_incident_relation = opencti_api_client.stix_relation.create(
+    fromType='Stix-Observable',
+    fromId=observable_ttp1['id'],
+    toType='Incident',
+    toId=incident['id'],
+    relationship_type='indicates',
+    description='This email address is the sender of the spearphishing in this incident.',
+    first_seen=date,
+    last_seen=date
+)
+# Indicates the relation Incident => uses => TTP
 observable_ttp1_relation = opencti_api_client.stix_relation.create(
     fromType='Stix-Observable',
     fromId=observable_ttp1['id'],
@@ -72,7 +86,12 @@
     last_seen=date
 )
 # Elements for the report
-object_refs.extend([ttp1['id'], ttp1_relation['id'], observable_ttp1['id'], observable_ttp1_relation['id']])
+object_refs.extend([
+    ttp1['id'],
+    ttp1_relation['id'],
+    observable_ttp1['id'],
+    observable_ttp1_incident_relation['id']
+])
 
 # Registry Run Keys / Startup Folder
 ttp2 = opencti_api_client.attack_pattern.read(filters=[{'key': 'external_id', 'values': ['T1060']}])
@@ -81,7 +100,7 @@
 ttp2_relation = opencti_api_client.stix_relation.create(
     fromType='Incident',
     fromId=incident['id'],
-    toType='Incident',
+    toType='Attack-Pattern',
     toId=ttp2['id'],
     relationship_type='uses',
     description='We saw the attacker use Registry Run Keys / Startup Folder.',
@@ -99,6 +118,18 @@
     type='Registry-Key',
     observable_value='Disk security'
 )
+# Indicates the incident itself
+observable_ttp2_incident_relation = opencti_api_client.stix_relation.create(
+    fromType='Stix-Observable',
+    fromId=observable_ttp2['id'],
+    toType='Incident',
+    toId=incident['id'],
+    relationship_type='indicates',
+    description='This registry key is used for persistence of tools in this incident.',
+    first_seen=date,
+    last_seen=date
+)
+# Indicates the relation Incident => uses => TTP
 observable_ttp2_relation = opencti_api_client.stix_relation.create(
     fromType='Stix-Observable',
     fromId=observable_ttp2['id'],
@@ -110,15 +141,20 @@
     last_seen=date
 )
 # Elements for the report
-object_refs.extend([ttp2['id'], ttp2_relation['id'], observable_ttp2['id'], observable_ttp2_relation['id']])
+object_refs.extend([
+    ttp2['id'],
+    ttp2_relation['id'],
+    observable_ttp2['id'],
+    observable_ttp2_incident_relation['id']
+])
 
 # Data Encrypted
 ttp3 = opencti_api_client.attack_pattern.read(filters=[{'key': 'external_id', 'values': ['T1022']}])
 print(ttp3)
 ttp3_relation = opencti_api_client.stix_relation.create(
     fromType='Incident',
     fromId=incident['id'],
-    toType='Incident',
+    toType='Attack-Pattern',
     toId=ttp3['id'],
     relationship_type='uses',
     description='We saw the attacker use Data Encrypted.',
diff --git a/examples/create_intrusion_set.py b/examples/create_intrusion_set.py
@@ -5,7 +5,7 @@
 
 # Variables
 api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/examples/export_intrusion_set_stix2.py b/examples/export_intrusion_set_stix2.py
@@ -5,7 +5,7 @@
 
 # Variables
 api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/examples/export_report_stix2.py b/examples/export_report_stix2.py
@@ -4,14 +4,14 @@
 from pycti import OpenCTIApiClient
 
 # Variables
-api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_url = 'http://localhost:4000'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
 
 # Get the report
-report = opencti_api_client.report.read(id='b52201d6-8da3-4e98-a3f5-e53318d8fb52')
+report = opencti_api_client.report.read(id='f465e240-9bfe-41dd-888c-70d7d85143c1')
 
 # Create the bundle
 bundle = opencti_api_client.stix2.export_entity('report', report['id'], 'full')
diff --git a/examples/get_attack_pattern_by_mitre_id.py b/examples/get_attack_pattern_by_mitre_id.py
@@ -4,7 +4,7 @@
 
 # Variables
 api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/examples/get_malwares_of_intrusion_set.py b/examples/get_malwares_of_intrusion_set.py
@@ -4,7 +4,7 @@
 
 # Variables
 api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/examples/get_marking_definitions.py b/examples/get_marking_definitions.py
@@ -4,7 +4,7 @@
 
 # Variables
 api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/examples/get_reports_about_intrusion_set.py b/examples/get_reports_about_intrusion_set.py
@@ -4,7 +4,7 @@
 
 # Variables
 api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/examples/import_stix2_file.py b/examples/import_stix2_file.py
@@ -4,7 +4,7 @@
 
 # Variables
 api_url = 'https://demo.opencti.io'
-api_token = 'ab3c02bb-2849-4223-be5d-8f61207b4b43'
+api_token = 'c2d944bb-aea6-4bd6-b3d7-6c10451e2256'
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/pycti/api/opencti_api_client.py b/pycti/api/opencti_api_client.py
@@ -2157,10 +2157,9 @@ def resolve_role(self, relation_type, from_type, to_type):
         from_type = 'observable' if (
                 (ObservableTypes.has_value(from_type) and (
                         relation_type == 'indicates' or relation_type == 'localization' or relation_type == 'gathering')
-                 ) or from_type == 'Stix-Observable'
+                 ) or from_type == 'stix-observable'
         ) else from_type
         to_type = to_type.lower()
-
         mapping = {
             'uses': {
                 'threat-actor': {
@@ -2308,6 +2307,7 @@ def resolve_role(self, relation_type, from_type, to_type):
                     'threat-actor': {'from_role': 'indicator', 'to_role': 'characterize'},
                     'intrusion-set': {'from_role': 'indicator', 'to_role': 'characterize'},
                     'campaign': {'from_role': 'indicator', 'to_role': 'characterize'},
+                    'incident': {'from_role': 'indicator', 'to_role': 'characterize'},
                     'malware': {'from_role': 'indicator', 'to_role': 'characterize'},
                     'tool': {'from_role': 'indicator', 'to_role': 'characterize'},
                     'stix_relation': {'from_role': 'indicator', 'to_role': 'characterize'},
diff --git a/pycti/utils/opencti_stix2.py b/pycti/utils/opencti_stix2.py
@@ -724,7 +724,7 @@ def export_entity(self, entity_type, entity_id, mode='simple', max_marking_defin
             'threat-actor': self.opencti.threat_actor.to_stix2,
             'intrusion-set': self.opencti.intrusion_set.to_stix2,
             'campaign': self.opencti.campaign.to_stix2,
-            'x-opencti-incident': self.opencti.incident.to_stix2,
+            'incident': self.opencti.incident.to_stix2,
             'malware': self.opencti.malware.to_stix2,
             'tool': self.opencti.tool.to_stix2,
             'vulnerability': self.opencti.vulnerability.to_stix2,
@@ -736,11 +736,19 @@ def export_entity(self, entity_type, entity_id, mode='simple', max_marking_defin
             entity_type,
             lambda **kwargs: self.unknown_type({'type': entity_type})
         )
-        bundle['objects'] = do_export(
+        objects = do_export(
             id=entity_id,
             mode=mode,
             max_marking_definition_entity=max_marking_definition_entity
         )
+        for object in objects:
+            object['id'] = object['id'].replace('observable', 'indicator')
+            if 'source_ref' in object:
+                object['source_ref'] = object['source_ref'].replace('observable', 'indicator')
+            if 'target_ref' in object:
+                object['target_ref'] = object['target_ref'].replace('observable', 'indicator')
+            bundle['objects'].append(object)
+
         return bundle
 
     def export_bundle(self, types=[]):
@@ -972,7 +980,7 @@ def prepare_export(self, entity, stix_object, mode='simple', max_marking_definit
                 'threat-actor': self.opencti.threat_actor.to_stix2,
                 'intrusion-set': self.opencti.intrusion_set.to_stix2,
                 'campaign': self.opencti.campaign.to_stix2,
-                'x-opencti-incident': self.opencti.incident.to_stix2,
+                'incident': self.opencti.incident.to_stix2,
                 'malware': self.opencti.malware.to_stix2,
                 'tool': self.opencti.tool.to_stix2,
                 'vulnerability': self.opencti.vulnerability.to_stix2,
@@ -992,13 +1000,12 @@ def prepare_export(self, entity, stix_object, mode='simple', max_marking_definit
                 result = result + entity_object_bundle
             for observable_object in observables_to_get:
                 observable_object_data = self.export_stix_observable(
-                    self.opencti.process_multiple_fields(
-                        self.opencti.get_stix_observable_by_id(observable_object['id'])
-                    )
+                    self.opencti.stix_observable.read(id=observable_object['id'])
                 )
-                observable_object_bundle = self.filter_objects(uuids, observable_object_data)
-                uuids = uuids + [x['id'] for x in observable_object_bundle]
-                result = result + observable_object_bundle
+                if observable_object_data is not None:
+                    observable_object_bundle = self.filter_objects(uuids, observable_object_data)
+                    uuids = uuids + [x['id'] for x in observable_object_bundle]
+                    result = result + observable_object_bundle
             for relation_object in relations_to_get:
                 relation_object_data = self.opencti.stix_relation.to_stix2(id=relation_object['id'])
                 relation_object_bundle = self.filter_objects(uuids, relation_object_data)
@@ -1234,7 +1241,10 @@ def export_stix_observable(self, entity):
                     first_seen = relation_first_seen
             stix_observable['valid_from'] = self.format_date(first_seen)
         final_stix_observable = self.prepare_observable(entity, stix_observable)
-        return self.prepare_export(entity, final_stix_observable)
+        if final_stix_observable is not None:
+            return self.prepare_export(entity, final_stix_observable)
+        else:
+            return None
 
     def create_indicator(self, stix_object, update=False):
         indicator_type = None
@@ -1327,16 +1337,31 @@ def prepare_observable(self, entity, stix_observable):
         else:
             observable_type = entity['entity_type']
 
-        if observable_type == 'file':
-            lhs = ObjectPath(observable_type, ['hashes', entity['entity_type'].split('-')[1].upper()])
-            ece = ObservationExpression(EqualityComparisonExpression(lhs, HashConstant(entity['observable_value'],
-                                                                                       entity['entity_type'].split('-')[
-                                                                                           1].upper())))
-        if observable_type == 'ipv4-addr' or observable_type == 'ipv6-addr' or observable_type == 'domain_name' or observable_type == 'url':
-            lhs = ObjectPath(observable_type, ["value"])
-            ece = ObservationExpression(EqualityComparisonExpression(lhs, entity['observable_value']))
-        stix_observable['pattern'] = str(ece)
-        return stix_observable
+        try:
+            if observable_type == 'file':
+                lhs = ObjectPath(observable_type, ['hashes', entity['entity_type'].split('-')[1].upper()])
+                ece = ObservationExpression(
+                    EqualityComparisonExpression(
+                        lhs,
+                        HashConstant(
+                            entity['observable_value'],
+                            entity['entity_type'].split('-')[1].upper())
+                    )
+                )
+            else:
+                lhs = ObjectPath(observable_type, ["value"])
+                ece = ObservationExpression(
+                    EqualityComparisonExpression(
+                        lhs,
+                        entity['observable_value'])
+                )
+        except:
+            ece = None
+        if ece is not None:
+            stix_observable['pattern'] = str(ece)
+            return stix_observable
+        else:
+            return None
 
     def get_author(self, name):
         if name in self.mapping_cache:
diff --git a/setup.py b/setup.py
@@ -13,7 +13,7 @@
     print("warning: pypandoc module not found, could not convert Markdown to RST")
     read_md = lambda f: open(f, 'r').read()
 
-VERSION = "2.1.0"
+VERSION = "2.1.1"
 
 
 class VerifyVersionCommand(install):
