def test_pick_aliases(opencti_stix2: OpenCTIStix2) -> None:
stix_object = {}
assert opencti_stix2.pick_aliases(stix_object) is None
stix_object["aliases"] = "alias"
assert opencti_stix2.pick_aliases(stix_object) == "alias"
stix_object["x_amitt_aliases"] = "amitt_alias"
assert opencti_stix2.pick_aliases(stix_object) == "amitt_alias"
stix_object["x_mitre_aliases"] = "mitre_alias"
assert opencti_stix2.pick_aliases(stix_object) == "mitre_alias"
stix_object["x_opencti_aliases"] = "opencti_alias"
assert opencti_stix2.pick_aliases(stix_object) == "opencti_alias"
def __init__(self, url, token, log_level="info", ssl_verify=False):
"""Constructor method
"""
# Check configuration
self.ssl_verify = ssl_verify
if url is None or len(token) == 0:
raise ValueError("Url configuration must be configured")
if token is None or len(token) == 0 or token == "ChangeMe":
raise ValueError(
"Token configuration must be the same as APP__ADMIN__TOKEN")
# Configure logger
self.log_level = log_level
numeric_level = getattr(logging, self.log_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError("Invalid log level: " + self.log_level)
logging.basicConfig(level=numeric_level)
# Define API
self.api_token = token
self.api_url = url + "/graphql"
self.request_headers = {"Authorization": "Bearer " + token}
# Define the dependencies
self.job = OpenCTIApiJob(self)
self.connector = OpenCTIApiConnector(self)
self.stix2 = OpenCTIStix2(self)
# Define the entities
self.tag = Tag(self)
self.marking_definition = MarkingDefinition(self)
self.external_reference = ExternalReference(self)
self.kill_chain_phase = KillChainPhase(self)
self.stix_entity = StixEntity(self)
self.stix_domain_entity = StixDomainEntity(self, File)
self.stix_observable = StixObservable(self)
self.stix_relation = StixRelation(self)
self.stix_sighting = StixSighting(self)
self.stix_observable_relation = StixObservableRelation(self)
self.identity = Identity(self)
self.threat_actor = ThreatActor(self)
self.intrusion_set = IntrusionSet(self)
self.campaign = Campaign(self)
self.incident = Incident(self)
self.malware = Malware(self)
self.tool = Tool(self)
self.vulnerability = Vulnerability(self)
self.attack_pattern = AttackPattern(self)
self.course_of_action = CourseOfAction(self)
self.report = Report(self)
self.note = Note(self)
self.opinion = Opinion(self)
self.indicator = Indicator(self)
# Check if openCTI is available
if not self.health_check():
raise ValueError(
"OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration..."
)
def __init__(self,
url,
token,
log_level="info",
ssl_verify=False,
proxies={}):
"""Constructor method"""
# Check configuration
# 校验一下配置
self.ssl_verify = ssl_verify
self.proxies = proxies
if url is None or len(token) == 0:
raise ValueError("Url configuration must be configured")
if token is None or len(token) == 0 or token == "ChangeMe":
raise ValueError(
"Token configuration must be the same as APP__ADMIN__TOKEN")
# Configure logger
# 设置日志等级
self.log_level = log_level
numeric_level = getattr(logging, self.log_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError("Invalid log level: " + self.log_level)
logging.basicConfig(level=numeric_level)
# Define API
# 定义api
self.api_token = token
self.api_url = url + "/graphql"
self.request_headers = {"Authorization": "Bearer " + token}
# Define the dependencies
# 定义工作器、连接器、规范
self.work = OpenCTIApiWork(self)
self.connector = OpenCTIApiConnector(self)
self.stix2 = OpenCTIStix2(self)
# Define the entities
# 定义一些实体
self.label = Label(self)
self.marking_definition = MarkingDefinition(self)
self.external_reference = ExternalReference(self)
self.kill_chain_phase = KillChainPhase(self)
self.opencti_stix_object_or_stix_relationship = StixObjectOrStixRelationship(
self)
self.stix_domain_object = StixDomainObject(self, File)
self.stix_cyber_observable = StixCyberObservable(self, File)
self.stix_core_relationship = StixCoreRelationship(self)
self.stix_sighting_relationship = StixSightingRelationship(self)
self.stix_cyber_observable_relationship = StixCyberObservableRelationship(
self)
self.identity = Identity(self)
self.location = Location(self)
self.threat_actor = ThreatActor(self)
self.intrusion_set = IntrusionSet(self)
self.infrastructure = Infrastructure(self)
self.campaign = Campaign(self)
self.x_opencti_incident = XOpenCTIIncident(self)
self.malware = Malware(self)
self.tool = Tool(self)
self.vulnerability = Vulnerability(self)
self.attack_pattern = AttackPattern(self)
self.course_of_action = CourseOfAction(self)
self.report = Report(self)
self.note = Note(self)
self.observed_data = ObservedData(self)
self.opinion = Opinion(self)
self.indicator = Indicator(self)
# Check if openCTI is available
# 做一下心跳检测
if not self.health_check():
raise ValueError(
"OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration..."
)
def test_import_bundle_from_file(opencti_stix2: OpenCTIStix2, caplog) -> None:
opencti_stix2.import_bundle_from_file("foo.txt")
for record in caplog.records:
assert record.levelname == "ERROR"
assert "The bundle file does not exists" in caplog.text
def test_filter_objects(opencti_stix2: OpenCTIStix2):
objects = [{"id": "123"}, {"id": "124"}, {"id": "125"}, {"id": "126"}]
result = opencti_stix2.filter_objects(["123", "124", "126"], objects)
assert len(result) == 1
assert "126" not in result
def opencti_stix2(api_client):
return OpenCTIStix2(api_client)
def test_format_date_with_tz(opencti_stix2: OpenCTIStix2):
# Test all 4 format_date cases with timestamp + timezone
my_datetime = datetime.datetime(2021,
3,
5,
13,
31,
19,
42621,
tzinfo=datetime.timezone.utc)
my_datetime_str = my_datetime.isoformat(timespec="milliseconds").replace(
"+00:00", "Z")
assert my_datetime_str == opencti_stix2.format_date(my_datetime)
my_date = my_datetime.date()
my_date_str = "2021-03-05T00:00:00.000Z"
assert my_date_str == opencti_stix2.format_date(my_date)
assert my_datetime_str == opencti_stix2.format_date(my_datetime_str)
assert (str(
datetime.datetime.now(tz=datetime.timezone.utc).isoformat(
timespec="seconds").replace("+00:00", ""))
in opencti_stix2.format_date())
with pytest.raises(ValueError):
opencti_stix2.format_date("No time")
# Test all 4 format_date cases with timestamp w/o timezone
my_datetime = datetime.datetime(2021, 3, 5, 13, 31, 19, 42621)
my_datetime_str = (my_datetime.replace(
tzinfo=datetime.timezone.utc).isoformat(
timespec="milliseconds").replace("+00:00", "Z"))
assert my_datetime_str == opencti_stix2.format_date(my_datetime)
my_date = my_datetime.date()
my_date_str = "2021-03-05T00:00:00.000Z"
assert my_date_str == opencti_stix2.format_date(my_date)
assert my_datetime_str == opencti_stix2.format_date(my_datetime_str)
assert (str(
datetime.datetime.now(tz=datetime.timezone.utc).isoformat(
timespec="seconds").replace("+00:00", ""))
in opencti_stix2.format_date())
with pytest.raises(ValueError):
opencti_stix2.format_date("No time")
def test_convert_markdown_typo(opencti_stix2: OpenCTIStix2):
result = opencti_stix2.convert_markdown(
" my <code is very </special> </code> to me")
assert " my <code is very </special> ` to me" == result
def test_unknown_type(opencti_stix2: OpenCTIStix2, caplog):
opencti_stix2.unknown_type({"type": "foo"})
for record in caplog.records:
assert record.levelname == "ERROR"
assert 'Unknown object type "foo", doing nothing...' in caplog.text
def __init__(
self,
url,
token,
log_level="info",
ssl_verify=False,
proxies=None,
json_logging=False,
):
"""Constructor method"""
# Check configuration
self.ssl_verify = ssl_verify
self.proxies = proxies
if url is None or len(url) == 0:
raise ValueError("An URL must be set")
if token is None or len(token) == 0 or token == "ChangeMe":
raise ValueError("A TOKEN must be set")
# Configure logger
self.log_level = log_level
numeric_level = getattr(logging, self.log_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError("Invalid log level: " + self.log_level)
if json_logging:
log_handler = logging.StreamHandler()
log_handler.setLevel(self.log_level.upper())
formatter = CustomJsonFormatter(
"%(timestamp)s %(level)s %(name)s %(message)s")
log_handler.setFormatter(formatter)
logging.basicConfig(handlers=[log_handler],
level=numeric_level,
force=True)
else:
logging.basicConfig(level=numeric_level)
# Define API
self.api_token = token
self.api_url = url + "/graphql"
self.request_headers = {"Authorization": "Bearer " + token}
self.session = requests.session()
# Define the dependencies
self.work = OpenCTIApiWork(self)
self.connector = OpenCTIApiConnector(self)
self.stix2 = OpenCTIStix2(self)
# Define the entities
self.label = Label(self)
self.marking_definition = MarkingDefinition(self)
self.external_reference = ExternalReference(self, File)
self.kill_chain_phase = KillChainPhase(self)
self.opencti_stix_object_or_stix_relationship = StixObjectOrStixRelationship(
self)
self.stix = Stix(self)
self.stix_domain_object = StixDomainObject(self, File)
self.stix_core_object = StixCoreObject(self, File)
self.stix_cyber_observable = StixCyberObservable(self, File)
self.stix_core_relationship = StixCoreRelationship(self)
self.stix_sighting_relationship = StixSightingRelationship(self)
self.stix_cyber_observable_relationship = StixCyberObservableRelationship(
self)
self.identity = Identity(self)
self.location = Location(self)
self.threat_actor = ThreatActor(self)
self.intrusion_set = IntrusionSet(self)
self.infrastructure = Infrastructure(self)
self.campaign = Campaign(self)
self.incident = Incident(self)
self.malware = Malware(self)
self.tool = Tool(self)
self.vulnerability = Vulnerability(self)
self.attack_pattern = AttackPattern(self)
self.course_of_action = CourseOfAction(self)
self.report = Report(self)
self.note = Note(self)
self.observed_data = ObservedData(self)
self.opinion = Opinion(self)
self.indicator = Indicator(self)
# Check if openCTI is available
if not self.health_check():
raise ValueError(
"OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration..."
)