[client] Add more examples

Author: Samuel Hassine

examples/create_incident_with_ttps_and_indicators.py

@@ -25,7 +25,6 @@
     description="We have been compromised",
     objective="Espionage"
 )
-print(incident)
 object_refs.append(incident['id'])
 # Create the associated report
 report = opencti_api_client.report.create(
@@ -34,13 +33,11 @@
     published=date,
     report_class="Internal Report"
 )
-print(report)
 
 # Associate the TTPs to the incident
 
 # Spearphishing Attachment
 ttp1 = opencti_api_client.attack_pattern.read(filters=[{'key': 'external_id', 'values': ['T1193']}])
-print(ttp1)
 ttp1_relation = opencti_api_client.stix_relation.create(
     fromType='Incident',
     fromId=incident['id'],
@@ -64,10 +61,8 @@
     type='Email-Address',
     observable_value='phishing@mail.com'
 )
-print(observable_ttp1)
 # Get the indicator
 indicator_ttp1 = observable_ttp1['indicators'][0]
-print(indicator_ttp1)
 # Indicates the relation Incident => uses => TTP
 indicator_ttp1_relation = opencti_api_client.stix_relation.create(
     fromType='Indicator',
@@ -91,7 +86,6 @@
 
 # Registry Run Keys / Startup Folder
 ttp2 = opencti_api_client.attack_pattern.read(filters=[{'key': 'external_id', 'values': ['T1060']}])
-print(ttp2)
 # Create the relation
 ttp2_relation = opencti_api_client.stix_relation.create(
     fromType='Incident',
@@ -116,10 +110,8 @@
     type='Registry-Key',
     observable_value='Disk security'
 )
-print(observable_ttp2)
 # Get the indicator
 indicator_ttp2 = observable_ttp2['indicators'][0]
-print(indicator_ttp2)
 # Indicates the relation Incident => uses => TTP
 indicator_ttp2_relation = opencti_api_client.stix_relation.create(
     fromType='Indicator',
@@ -142,7 +134,6 @@
 
 # Data Encrypted
 ttp3 = opencti_api_client.attack_pattern.read(filters=[{'key': 'external_id', 'values': ['T1022']}])
-print(ttp3)
 ttp3_relation = opencti_api_client.stix_relation.create(
     fromType='Incident',
     fromId=incident['id'],
@@ -166,4 +157,14 @@
 for object_ref in object_refs:
     opencti_api_client.report.add_stix_entity(id=report['id'], report=report, entity_id=object_ref)
 for observable_ref in observable_refs:
-    opencti_api_client.report.add_stix_observable(id=report['id'], report=report, stix_observable_id=observable_ref)
+    opencti_api_client.report.add_stix_observable(id=report['id'], report=report, stix_observable_id=observable_ref)
+    opencti_api_client.stix_relation.create(
+        fromType='Stix-Observable',
+        fromId=observable_ref,
+        toType='Incident',
+        toId=incident['id'],
+        relationship_type='related-to',
+        description='This observable is related to the incident.',
+        first_seen=date,
+        last_seen=date
+    )

examples/export_async_of_indicators.py

@@ -4,7 +4,7 @@
 from pycti import OpenCTIApiClient
 
 # Variables
-api_url = 'http://localhost:4000'
+api_url = 'https://demo.opencti.io'
 api_token = 'bb4aca90-b98c-49ee-9582-7eac92b61b82'
 
 # OpenCTI initialization

examples/export_async_of_malware.py

@@ -4,7 +4,7 @@
 from pycti import OpenCTIApiClient
 
 # Variables
-api_url = 'http://localhost:4000'
+api_url = 'https://demo.opencti.io'
 api_token = 'bb4aca90-b98c-49ee-9582-7eac92b61b82'
 
 # OpenCTI initialization

examples/export_incident_stix2.py

@@ -4,7 +4,7 @@
 from pycti import OpenCTIApiClient
 
 # Variables
-api_url = 'http://localhost:4000'
+api_url = 'https://demo.opencti.io'
 api_token = 'bb4aca90-b98c-49ee-9582-7eac92b61b82'
 
 # OpenCTI initialization

examples/export_incidents_stix2.py

@@ -4,7 +4,7 @@
 from pycti import OpenCTIApiClient
 
 # Variables
-api_url = 'http://localhost:4000'
+api_url = 'https://demo.opencti.io'
 api_token = 'bb4aca90-b98c-49ee-9582-7eac92b61b82'
 
 # OpenCTI initialization

examples/get_all_indicators.py

@@ -3,7 +3,7 @@
 from pycti import OpenCTIApiClient
 
 # Variables
-api_url = 'http://localhost:4000'
+api_url = 'https://demo.opencti.io'
 api_token = 'bb4aca90-b98c-49ee-9582-7eac92b61b82'
 
 # OpenCTI initialization

examples/get_indicators_of_intrusion_set.py

@@ -0,0 +1,10 @@
+# coding: utf-8
+
+from pycti import OpenCTIApiClient
+
+# Variables
+api_url = 'https://demo.opencti.io'
+api_token = 'bb4aca90-b98c-49ee-9582-7eac92b61b82'
+
+# OpenCTI initialization
+opencti_api_client = OpenCTIApiClient(api_url, api_token)

examples/get_malwares_of_intrusion_set.py

@@ -13,8 +13,8 @@
 intrusion_set = opencti_api_client.intrusion_set.read(filters=[{'key': 'name', 'values': ['APT28']}])
 
 # Get the relations from APT28 to malwares
-stix_relations = opencti_api_client.stix_relation.list(fromId=intrusion_set['id'], toTypes=['Malware'])
+stix_relations = opencti_api_client.stix_relation.list(fromId=intrusion_set['id'], toTypes=['Malware'], inferred=True)
 
 # Print
 for stix_relation in stix_relations:
-    print('[' + stix_relation['to']['stix_id_key'] + '] ' + stix_relation['to']['name'])
+    print('[' + stix_relation['to']['stix_id_key'] + '] ' + stix_relation['to']['name'])

pycti/entities/opencti_incident.py

@@ -89,7 +89,7 @@ def __init__(self, opencti):
                         id
                     }
                 }
-            } 
+            }
             observableRefs {
                 edges {
                     node {
@@ -102,7 +102,7 @@ def __init__(self, opencti):
                         id
                     }
                 }
-            }     
+            }
         """
 
     """
@@ -327,6 +327,55 @@ def create(self, **kwargs):
                 markingDefinitions=marking_definitions,
             )
 
+    """
+        Add a Stix-Observable object to Incident object (observable_refs)
+
+        :param id: the id of the Incident
+        :param entity_id: the id of the Stix-Observable
+        :return Boolean
+    """
+
+    def add_stix_observable(self, **kwargs):
+        id = kwargs.get('id', None)
+        incident = kwargs.get('incident', None)
+        stix_observable_id = kwargs.get('stix_observable_id', None)
+        if id is not None and stix_observable_id is not None:
+            if incident is None:
+                incident = self.read(id=id)
+            if incident is None:
+                self.opencti.log('error', '[opencti_incident] Cannot add Object Ref, incident not found')
+                return False
+            print(incident)
+            if stix_observable_id in incident['observableRefsIds']:
+                return True
+            else:
+                self.opencti.log(
+                    'info',
+                    'Adding Stix-Observable {' + stix_observable_id + '} to Incident {' + id + '}'
+                )
+                query = """
+                   mutation IncidentEdit($id: ID!, $input: RelationAddInput) {
+                       incidentEdit(id: $id) {
+                            relationAdd(input: $input) {
+                                id
+                            }
+                       }
+                   }
+                """
+                self.opencti.query(query, {
+                    'id': id,
+                    'input': {
+                        'fromRole': 'observables_aggregation',
+                        'toId': stix_observable_id,
+                        'toRole': 'soo',
+                        'through': 'observable_refs'
+                    }
+                })
+                return True
+        else:
+            self.opencti.log('error', '[opencti_incident] Missing parameters: id and stix_observable_id')
+            return False
+
     """
         Export an Incident object in STIX2
     

pycti/entities/opencti_stix_domain_entity.py

@@ -118,6 +118,19 @@ def __init__(self, opencti, file):
                 objective
                 first_seen
                 last_seen
+                observableRefs {
+                    edges {
+                        node {
+                            id
+                            entity_type
+                            stix_id_key
+                            observable_value
+                        }
+                        relation {
+                            id
+                        }
+                    }
+                }
             }
             ... on Malware {
                 killChainPhases {

pycti/entities/opencti_stix_relation.py

@@ -460,22 +460,20 @@ def add_kill_chain_phase(self, **kwargs):
         id = kwargs.get('id', None)
         kill_chain_phase_id = kwargs.get('kill_chain_phase_id', None)
         if id is not None and kill_chain_phase_id is not None:
-            self.opencti.log('info',
-                             'Adding Kill-Chain-Phase {' + kill_chain_phase_id + '} to Stix-Entity {' + id + '}')
             stix_entity = self.read(id=id)
             kill_chain_phases_ids = []
             for marking in stix_entity['killChainPhases']:
                 kill_chain_phases_ids.append(marking['id'])
             if kill_chain_phase_id in kill_chain_phases_ids:
                 return True
             else:
+                self.opencti.log('info',
+                                 'Adding Kill-Chain-Phase {' + kill_chain_phase_id + '} to Stix-Entity {' + id + '}')
                 query = """
                    mutation StixRelationAddRelation($id: ID!, $input: RelationAddInput) {
                        stixRelationEdit(id: $id) {
                             relationAdd(input: $input) {
-                                node {
-                                    id
-                                }
+                                id
                             }
                        }
                    }

pycti/utils/opencti_stix2.py

@@ -14,14 +14,11 @@
 import stix2
 from stix2.pattern_visitor import create_pattern_object
 from stix2 import ObjectPath, ObservationExpression, EqualityComparisonExpression, HashConstant
-from pycti.utils.constants import ObservableTypes, CustomProperties
+from pycti.utils.constants import ObservableTypes, IdentityTypes, CustomProperties
 
 datefinder.ValueError = ValueError, OverflowError
 utc = pytz.UTC
 
-# Identity
-IDENTITY_TYPES = ['user', 'city', 'country', 'region', 'organization', 'sector']
-
 # ObservableRelations
 OBSERVABLE_RELATIONS = ['corresponds', 'belongs']
 
@@ -804,7 +801,7 @@ def export_entity(self, entity_type, entity_id, mode='simple', max_marking_defin
             'objects': []
         }
         # Map types
-        if entity_type in IDENTITY_TYPES:
+        if IdentityTypes.has_value(entity_type):
             entity_type = 'identity'
 
         # Export
@@ -852,7 +849,7 @@ def export_list(self,
             'objects': []
         }
 
-        if entity_type in IDENTITY_TYPES:
+        if IdentityTypes.has_value(entity_type):
             if filters is not None:
                 filters.append({'key': 'entity_type', 'values': [entity_type]})
             else:
@@ -1077,7 +1074,7 @@ def prepare_export(self, entity, stix_object, mode='simple', max_marking_definit
             # Get extra objects
             for entity_object in objects_to_get:
                 # Map types
-                if entity_object['entity_type'] in IDENTITY_TYPES:
+                if IdentityTypes.has_value(entity_object['entity_type']):
                     entity_object['entity_type'] = 'identity'
                 do_export = exporter.get(entity_object['entity_type'],
                                          lambda **kwargs: self.unknown_type({'type': entity_object['entity_type']}))

setup.py

@@ -13,7 +13,7 @@
     print("warning: pypandoc module not found, could not convert Markdown to RST")
     read_md = lambda f: open(f, 'r').read()
 
-VERSION = "2.1.10"
+VERSION = "2.1.11"
 
 
 class VerifyVersionCommand(install):