def __init__(self, url, token, log_level="info", ssl_verify=False):
"""Constructor method
"""
# Check configuration
self.ssl_verify = ssl_verify
if url is None or len(token) == 0:
raise ValueError("Url configuration must be configured")
if token is None or len(token) == 0 or token == "ChangeMe":
raise ValueError(
"Token configuration must be the same as APP__ADMIN__TOKEN")
# Configure logger
self.log_level = log_level
numeric_level = getattr(logging, self.log_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError("Invalid log level: " + self.log_level)
logging.basicConfig(level=numeric_level)
# Define API
self.api_token = token
self.api_url = url + "/graphql"
self.request_headers = {"Authorization": "Bearer " + token}
# Define the dependencies
self.job = OpenCTIApiJob(self)
self.connector = OpenCTIApiConnector(self)
self.stix2 = OpenCTIStix2(self)
# Define the entities
self.tag = Tag(self)
self.marking_definition = MarkingDefinition(self)
self.external_reference = ExternalReference(self)
self.kill_chain_phase = KillChainPhase(self)
self.stix_entity = StixEntity(self)
self.stix_domain_entity = StixDomainEntity(self, File)
self.stix_observable = StixObservable(self)
self.stix_relation = StixRelation(self)
self.stix_sighting = StixSighting(self)
self.stix_observable_relation = StixObservableRelation(self)
self.identity = Identity(self)
self.threat_actor = ThreatActor(self)
self.intrusion_set = IntrusionSet(self)
self.campaign = Campaign(self)
self.incident = Incident(self)
self.malware = Malware(self)
self.tool = Tool(self)
self.vulnerability = Vulnerability(self)
self.attack_pattern = AttackPattern(self)
self.course_of_action = CourseOfAction(self)
self.report = Report(self)
self.note = Note(self)
self.opinion = Opinion(self)
self.indicator = Indicator(self)
# Check if openCTI is available
if not self.health_check():
raise ValueError(
"OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration..."
)
def __init__(self,
url,
token,
log_level="info",
ssl_verify=False,
proxies={}):
"""Constructor method"""
# Check configuration
# 校验一下配置
self.ssl_verify = ssl_verify
self.proxies = proxies
if url is None or len(token) == 0:
raise ValueError("Url configuration must be configured")
if token is None or len(token) == 0 or token == "ChangeMe":
raise ValueError(
"Token configuration must be the same as APP__ADMIN__TOKEN")
# Configure logger
# 设置日志等级
self.log_level = log_level
numeric_level = getattr(logging, self.log_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError("Invalid log level: " + self.log_level)
logging.basicConfig(level=numeric_level)
# Define API
# 定义api
self.api_token = token
self.api_url = url + "/graphql"
self.request_headers = {"Authorization": "Bearer " + token}
# Define the dependencies
# 定义工作器、连接器、规范
self.work = OpenCTIApiWork(self)
self.connector = OpenCTIApiConnector(self)
self.stix2 = OpenCTIStix2(self)
# Define the entities
# 定义一些实体
self.label = Label(self)
self.marking_definition = MarkingDefinition(self)
self.external_reference = ExternalReference(self)
self.kill_chain_phase = KillChainPhase(self)
self.opencti_stix_object_or_stix_relationship = StixObjectOrStixRelationship(
self)
self.stix_domain_object = StixDomainObject(self, File)
self.stix_cyber_observable = StixCyberObservable(self, File)
self.stix_core_relationship = StixCoreRelationship(self)
self.stix_sighting_relationship = StixSightingRelationship(self)
self.stix_cyber_observable_relationship = StixCyberObservableRelationship(
self)
self.identity = Identity(self)
self.location = Location(self)
self.threat_actor = ThreatActor(self)
self.intrusion_set = IntrusionSet(self)
self.infrastructure = Infrastructure(self)
self.campaign = Campaign(self)
self.x_opencti_incident = XOpenCTIIncident(self)
self.malware = Malware(self)
self.tool = Tool(self)
self.vulnerability = Vulnerability(self)
self.attack_pattern = AttackPattern(self)
self.course_of_action = CourseOfAction(self)
self.report = Report(self)
self.note = Note(self)
self.observed_data = ObservedData(self)
self.opinion = Opinion(self)
self.indicator = Indicator(self)
# Check if openCTI is available
# 做一下心跳检测
if not self.health_check():
raise ValueError(
"OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration..."
)
def upload_file_to_report(self, **kwargs):
"""upload a file to OpenCTI API linked to report
:param `**kwargs`: arguments for file upload (required: `file_name`, `data` and report_id)
:return: returns the query respons for the file upload
:rtype: dict
"""
file_name = kwargs.get("file_name", None)
data = kwargs.get("data", None)
report_id = kwargs.get("report_id", None)
mime_type = kwargs.get("mime_type", "text/plain")
if file_name is not None and report_id is not None:
#Check if report_id is actually valid and convert standard_id to id if required
reportAPI = Report(self)
reportResults = reportAPI.list(id=report_id)
if(len(reportResults) == 1):
report_id= reportResults[0]['id']
else:
self.log(
"error",
"[upload] Parameter Error: report_id either does not exist or truncated",
)
return None
self.log("info", "Uploading a file.")
query = """
mutation FileUploaderEntityMutation($id: ID! $file: Upload!) {
stixDomainObjectEdit(id: $id) {
importPush(file: $file) {
...FileLine_file
id
}
}
}
fragment FileLine_file on File {
id
name
uploadStatus
lastModified
lastModifiedSinceMin
metaData {
mimetype
list_filters
messages {
timestamp
message
}
errors {
timestamp
message
}
}
...FileWork_file
}
fragment FileWork_file on File {
id
works {
id
connector {
name
id
}
user {
name
id
}
received_time
tracking {
import_expected_number
import_processed_number
}
messages {
timestamp
message
}
errors {
timestamp
message
}
status
timestamp
}
}
"""
if data is None:
data = open(file_name, "rb")
mime_type = magic.from_file(file_name, mime=True)
return self.query(query, {"id": report_id, "file": (File(file_name, data, mime_type))})
else:
self.log(
"error",
"[upload] Missing parameters: file_name, data or report_id",
)
return None
def __init__(
self,
url,
token,
log_level="info",
ssl_verify=False,
proxies=None,
json_logging=False,
):
"""Constructor method"""
# Check configuration
self.ssl_verify = ssl_verify
self.proxies = proxies
if url is None or len(url) == 0:
raise ValueError("An URL must be set")
if token is None or len(token) == 0 or token == "ChangeMe":
raise ValueError("A TOKEN must be set")
# Configure logger
self.log_level = log_level
numeric_level = getattr(logging, self.log_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError("Invalid log level: " + self.log_level)
if json_logging:
log_handler = logging.StreamHandler()
log_handler.setLevel(self.log_level.upper())
formatter = CustomJsonFormatter(
"%(timestamp)s %(level)s %(name)s %(message)s")
log_handler.setFormatter(formatter)
logging.basicConfig(handlers=[log_handler],
level=numeric_level,
force=True)
else:
logging.basicConfig(level=numeric_level)
# Define API
self.api_token = token
self.api_url = url + "/graphql"
self.request_headers = {"Authorization": "Bearer " + token}
self.session = requests.session()
# Define the dependencies
self.work = OpenCTIApiWork(self)
self.connector = OpenCTIApiConnector(self)
self.stix2 = OpenCTIStix2(self)
# Define the entities
self.label = Label(self)
self.marking_definition = MarkingDefinition(self)
self.external_reference = ExternalReference(self, File)
self.kill_chain_phase = KillChainPhase(self)
self.opencti_stix_object_or_stix_relationship = StixObjectOrStixRelationship(
self)
self.stix = Stix(self)
self.stix_domain_object = StixDomainObject(self, File)
self.stix_core_object = StixCoreObject(self, File)
self.stix_cyber_observable = StixCyberObservable(self, File)
self.stix_core_relationship = StixCoreRelationship(self)
self.stix_sighting_relationship = StixSightingRelationship(self)
self.stix_cyber_observable_relationship = StixCyberObservableRelationship(
self)
self.identity = Identity(self)
self.location = Location(self)
self.threat_actor = ThreatActor(self)
self.intrusion_set = IntrusionSet(self)
self.infrastructure = Infrastructure(self)
self.campaign = Campaign(self)
self.incident = Incident(self)
self.malware = Malware(self)
self.tool = Tool(self)
self.vulnerability = Vulnerability(self)
self.attack_pattern = AttackPattern(self)
self.course_of_action = CourseOfAction(self)
self.report = Report(self)
self.note = Note(self)
self.observed_data = ObservedData(self)
self.opinion = Opinion(self)
self.indicator = Indicator(self)
# Check if openCTI is available
if not self.health_check():
raise ValueError(
"OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration..."
)