Refactor the client (OpenCTI-Platform#14)

* [client] Start refactoring and adapt to new version

* [client] Migrate the Python Client

* [client] Add more examples

* [client] End of refactor for new version

* [client] End of refactor for new version

Author: Samuel Hassine

.gitignore

@@ -7,4 +7,5 @@ pycti.egg-info
 logs
 test.py
 .idea
-*.iml
+*.iml
+examples/*.json

examples/config.yml.sample

@@ -0,0 +1,23 @@
+# coding: utf-8
+
+import datetime
+from pycti import OpenCTIApiClient
+
+# Variables
+api_url = 'https://demo.opencti.io'
+api_token = '22566f94-9091-49ba-b583-efd76cf8b29c'
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+
+# Create the Intrusion Set
+intrusion_set = opencti_api_client.intrusion_set.create_or_update(
+    name='My new Intrusion Set',
+    description='Evil Cluster',
+    first_seen=datetime.date.today().strftime('%Y-%m-%dT%H:%M:%S+00:00'),
+    last_seen=datetime.date.today().strftime('%Y-%m-%dT%H:%M:%S+00:00'),
+    update=True
+)
+
+# Print
+print(intrusion_set)

examples/create_intrusion_set.py

@@ -0,0 +1,23 @@
+# coding: utf-8
+
+import json
+from pycti import OpenCTIApiClient
+
+# Variables
+api_url = 'https://demo.opencti.io'
+api_token = '22566f94-9091-49ba-b583-efd76cf8b29c'
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+
+# Get the intrusion set APT28
+intrusion_set = opencti_api_client.intrusion_set.read(filters=[{'key': 'name', 'values': ['APT28']}])
+
+# Create the bundle
+bundle = opencti_api_client.stix2.export_entity('intrusion-set', intrusion_set['id'], 'full')
+json_bundle = json.dumps(bundle, indent=4)
+
+# Write the bundle
+f = open('APT28_STIX2.json', 'w')
+f.write(json_bundle)
+f.close()

examples/export_intrusion_set_stix2.py

@@ -0,0 +1,23 @@
+# coding: utf-8
+
+import json
+from pycti import OpenCTIApiClient
+
+# Variables
+api_url = 'https://demo.opencti.io'
+api_token = '22566f94-9091-49ba-b583-efd76cf8b29c'
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+
+# Get the report
+report = opencti_api_client.report.read(id='b52201d6-8da3-4e98-a3f5-e53318d8fb52')
+
+# Create the bundle
+bundle = opencti_api_client.stix2.export_entity('report', report['id'], 'full')
+json_bundle = json.dumps(bundle, indent=4)
+
+# Write the bundle
+f = open('Unit42_Sofacy.json', 'w')
+f.write(json_bundle)
+f.close()

examples/export_report_stix2.py

@@ -0,0 +1,20 @@
+# coding: utf-8
+
+from pycti import OpenCTIApiClient
+
+# Variables
+api_url = 'https://demo.opencti.io'
+api_token = '22566f94-9091-49ba-b583-efd76cf8b29c'
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+
+# Get the intrusion set APT28
+intrusion_set = opencti_api_client.intrusion_set.read(filters=[{'key': 'name', 'values': ['APT28']}])
+
+# Get the relations from APT28 to malwares
+stix_relations = opencti_api_client.stix_relation.list(fromId=intrusion_set['id'], toTypes=['Malware'])
+
+# Print
+for stix_relation in stix_relations:
+    print('[' + stix_relation['to']['stix_id_key'] + '] ' + stix_relation['to']['name'])

examples/get_malwares_of_intrusion_set.py

@@ -0,0 +1,17 @@
+# coding: utf-8
+
+from pycti import OpenCTIApiClient, MarkingDefinition
+
+# Variables
+api_url = 'https://demo.opencti.io'
+api_token = '22566f94-9091-49ba-b583-efd76cf8b29c'
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+
+# Get all marking definitions
+marking_definitions = opencti_api_client.marking_definition.list()
+
+# Print
+for marking_definition in marking_definitions:
+    print('[' + marking_definition['definition_type'] + '] ' + marking_definition['definition'])

examples/get_marking_definitions.py

@@ -0,0 +1,24 @@
+# coding: utf-8
+
+from pycti import OpenCTIApiClient
+
+# Variables
+api_url = 'https://demo.opencti.io'
+api_token = '22566f94-9091-49ba-b583-efd76cf8b29c'
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+
+# Get the intrusion set APT28
+intrusion_set = opencti_api_client.intrusion_set.read(filters=[{'key': 'name', 'values': ['APT28']}])
+
+# Get all reports
+reports = opencti_api_client.report.list(
+    filters=[{'key': 'knowledgeContains', 'values': [intrusion_set['id']]}],
+    orderBy='published',
+    orderMode='asc'
+)
+
+# Print
+for report in reports:
+    print('[' + report['stix_id_key'] + '] ' + report['name'] + ' (' + report['published'] + ')')

examples/get_reports_about_intrusion_set.py

@@ -0,0 +1,16 @@
+# coding: utf-8
+
+from pycti import OpenCTIApiClient
+
+# Variables
+api_url = 'https://demo.opencti.io'
+api_token = '22566f94-9091-49ba-b583-efd76cf8b29c'
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)
+
+# File to import
+file_to_import = './enterprise-attack.json'
+
+# Import the bundle
+opencti_api_client.stix2.import_bundle_from_file(file_to_import, True)

examples/import_stix2_file.py

@@ -6,6 +6,25 @@
 from pycti.connector.opencti_connector import OpenCTIConnector
 from pycti.connector.opencti_connector_helper import OpenCTIConnectorHelper
 
+from pycti.entities.opencti_marking_definition import MarkingDefinition
+from pycti.entities.opencti_external_reference import ExternalReference
+from pycti.entities.opencti_kill_chain_phase import KillChainPhase
+from pycti.entities.opencti_stix_entity import StixEntity
+from pycti.entities.opencti_stix_domain_entity import StixDomainEntity
+from pycti.entities.opencti_stix_observable import StixObservable
+from pycti.entities.opencti_stix_relation import StixRelation
+from pycti.entities.opencti_identity import Identity
+from pycti.entities.opencti_threat_actor import ThreatActor
+from pycti.entities.opencti_intrusion_set import IntrusionSet
+from pycti.entities.opencti_campaign import Campaign
+from pycti.entities.opencti_incident import Incident
+from pycti.entities.opencti_malware import Malware
+from pycti.entities.opencti_tool import Tool
+from pycti.entities.opencti_vulnerability import Vulnerability
+from pycti.entities.opencti_attack_pattern import AttackPattern
+from pycti.entities.opencti_course_of_action import CourseOfAction
+from pycti.entities.opencti_report import Report
+
 from pycti.utils.opencti_stix2 import OpenCTIStix2
 from pycti.utils.constants import ObservableTypes
 from pycti.utils.constants import CustomProperties